March 30, 2015

Assertiveness is a valuable quality for the C-Level and cyber crooks alike

Jose Barajas

Beware: spear-phishing is striking again. Websense Security Labs has become aware of recent spear-phishing attempts that use what appear to be forwarded legitimate email messages together with a typo-squatted domain. If these targeted attempts succeed, the combination of a trusting nature, orthographic chicanery, and the lack of internal verification can result in a huge financial loss to a business.

Swift and Sophisticated

According to the evidence reviewed by Websense Security Labs, the malicious actor registered a typo-squatted domain name with a single character difference (a repeated character) from the target domain. Registration of the fraudulent domain occurred on the same day as the attack. 

Shortly after registration, email communication emanated from an address that mimicked that of a company executive in every respect except the domain. The email requested a wire transfer and referenced a previous conversation between employees. It also included details of the destination account in a PDF attachment. Language within the email was vague but commanding, appropriate to the industry, and most importantly it demonstrated familiarity.

As with any good sting, the tricksters had done their research. The onset of the attack appears to have begun with an email crafted to look like a legitimate forwarded message. In the subsequent fraudulent communiques, names and email addresses of key players were used to help assert legitimacy. 

Hiding in Plain Sight

It's important to note that this attack was neither a case of spoofing nor of a forged domain in the display headers. All email communication about this transfer of funds – not an insignificant amount – occurred via an email address utilizing the newly-registered hostname. The fraudsters merely relied on the similarities of the domains – and knowledge of key players within the company – to try to achieve their objective.  

Similar techniques have been used in the past, such as those that targeted the trading firm Scoular in 2014. The FBI is still attempting to recover the $17 million lost in that case, which also involved legitimate employee names with fake email aliases.

Another common phishing technique encountered by Websense involved forged From addresses in the display headers rather than typo-squatting, and a reply-to address that was not on the corporate domain. In most other ways, these attempts were similar, involving vaguely-worded requests to confirm transaction details. While fraudsters did their homework enough to know exactly who the execs on mahogany row were, and the appropriate support staff that might process such a request on their behalf, they tried to rely primarily on the fact that no one would double-check the reply-to address if the From address appeared legitimate.
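The two sender patterns described above, a one-character lookalike of the corporate domain and a Reply-To that points off the From domain, are both checkable at the mail gateway. The following is an added example, not code from Websense or from the post; it assumes a placeholder corporate domain and constructed sample headers, and it generalizes the repeated-character case to any single inserted, deleted or substituted character.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed corporate domain; a constructed placeholder, not one from the post.
CORPORATE_DOMAIN = "example-corp.com"

def one_edit_away(a: str, b: str) -> bool:
    # One inserted, deleted or substituted character apart, which covers the
    # repeated-character squat described above (e.g. a doubled letter).
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    if len(longer) - len(shorter) != 1:
        return False
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def address_domain(header_value) -> str:
    # Bare domain of a From/Reply-To header value; tolerates a missing header.
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def flag_message(raw: str) -> list:
    # Findings for the two patterns the post describes: a lookalike sender
    # domain, and a Reply-To that points somewhere other than the From domain.
    msg = message_from_string(raw, policy=policy.default)
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    findings = []
    if one_edit_away(from_dom, CORPORATE_DOMAIN):
        findings.append(f"lookalike sender domain: {from_dom} vs {CORPORATE_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain mismatch: {reply_dom} != {from_dom}")
    return findings

# Constructed sample headers for each case; not real messages.
TYPOSQUAT_MSG = """From: "CEO" <ceo@exampple-corp.com>
Subject: Fwd: wire transfer

Please process the transfer we discussed and confirm.
"""
REPLYTO_MSG = """From: "CFO" <cfo@example-corp.com>
Reply-To: cfo.desk@notify-mailer.net
Subject: Re: transaction details

Confirm the account details today.
"""
```

A finding here is a prompt for out-of-band confirmation of the request, not proof of fraud, since legitimate partners also register similar names and some mailing tools set a foreign Reply-To.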

Spear-Phishing from a Position of Power

Beyond the mechanics already described, where the emails in this and other spear-phishing attacks came from a domain nearly identical to the target domain, relied on a reply-to address going unexamined, or used known names and email addresses to gain confidence, the agents of this fraud relied on several other key factors for their success: namely, power structure and the lack of protocol.

Put simply, the perpetrators were trying to count on obeisance and obedience: when the CEO or CFO tells you to do something, you do it. The phishers also relied on brevity to convey urgency and mask identity (unfamiliar syntax can raise red flags). They also requested several updates to further underscore the importance of speed. In this instance, phishers were trying to play on the similarity of domains, but they also preyed on the eagerness of most employees to please. 

In some cases, it may not be the absence of protocol as much as the willingness to sidestep established procedure when receiving a request from a high-level executive. This was the case in the Scoular incident, where skirting SEC regulations was cited as a reason for communicating only via email. 


“Trust, but verify,” is wisdom famously imparted by Ronald Reagan. In a case such as this, we can see that lack of verification, especially in matters regarding financial transactions, can have significant consequences. 

Such attacks can be prevented by practices that ensure multiple forms of validation, especially at least one that is out-of-band, are in place. While email has become an essential communication tool, relying on a single channel carries greater risk when that channel is compromised. In some industries, such as the financial sector, it is not uncommon to transfer large sums of money, such as the amounts requested in this case; the amount itself may therefore not raise an eyebrow. Nonetheless, it is recommended that protocols be implemented and followed that help prevent compliance with fraudulent requests.

Education is a key piece of the puzzle as well. Employee training around phishing attacks, typo-squatting and general awareness of email security attacks goes a long way. Updated SPF records can combat true spoofing of your own domain, but they do nothing against a typo-squatted domain, which the attacker owns and can configure with perfectly valid SPF records of its own; for phishing attempts of that kind, vigilance remains a strong defense.

At Websense Security Labs, we are constantly on the lookout for attack trends such as these across our customer base, and use the information gathered to shore up our defenses for all our customers.

Primary contributor: Cristina Houle

Other contributors: Jose Barajas, Rajiv Motwani with inputs from Ran Mosessco and Heather Campbell

Photo credit: https://www.flickr.com/photos/wonderlane/
