Aggressive social engineering campaign uncovered in Europe

Recent attacks on multiple French-based firms have exposed an aggressive social engineering campaign that has resulted in large amounts of stolen money

Earlier this year, Symantec discovered an aggressive social engineering campaign targeting a limited set of multi-national firms in Europe. The attacks were by the book, employing classic techniques, eventually netting the criminals vast sums of stolen funds for their efforts.

In April, an administrative assistant working in a French-based multi-national firm got an email that referenced an invoice hosted in a filesharing service (such as Dropbox). A few moments later, a person posing as a senior executive within the same firm — speaking flawless French — spoke with authority and requested that she process the invoice referenced in the email.


"Over the last few months, we've seen hackers use more multi-staged social engineering attacks to penetrate various organizations. [This recent] attack is a prime example of how one such group used several principles of influence to get the target to take an action they shouldn't have," said Chris Hadnagy of Social-Engineer, Inc., in an email to CSO.

The administrative assistant processed the invoice without question, unaware that the file was actually a Remote Access Trojan (RAT) configured to communicate with a server in the Ukraine. Once installed, the attacker used the RAT to take control over the assistant's workstation, logging keystrokes, monitoring the desktop, and exfiltrating files for later examination.

"This call relies on the principle of influence called authority. The caller pretends to be a VP of the company and in perfect French provides messaging that is consistent with the pretext. This allows the employee to feel comfortable clicking the attachment," Hadnagy added.

"There are a few lessons we can learn from this example. First, by understanding how to perfectly apply a few principles of authority, the attackers were able to get employees to take actions that damaged the company. Second, there were no threats or manipulation used in this attack; fear was not the motivator. Everything appeared to be done professionally; fitting within the pretext used — therefore the employees were unaware of any danger."

In a blog post, Symantec said that these tactics (using an email followed by a phone call in perfect French) are highly unusual, and a sign of an aggressive social engineering campaign. According to their investigations, this isn't the first time such an attack has happened. In fact, such attacks are still taking place in Europe.

There's evidence pointing to the fact that this social engineering campaign started in February, but the phone calls were added to the mix in April and are consistently used by the attacker(s) to this day. In some cases, a phone call is placed before the email is sent, and in other cases, the call is made both before and after the email is sent.

"The attacker is well prepared and has obviously obtained the email address and phone number of the victim prior to the attack. The victims of these attacks generally tend to be accountants or employees working within the financial department of these organizations. Since handling invoices is something they would do on a regular basis, this lure has the potential to be quite convincing," Symantec explained.

Those behind the attacks appear to be financially motivated, as they focus mainly on those within the organization who deal with invoices and handle financial matters. More often than not, the person targeted is someone who can authorize wire transfers.


In a separate attack, the attacker(s) used the same methods to compromise the target's system. Once that was done, they used the installed RAT to access identifying information, as well as the organization's disaster recovery plans, bank and telecom provider details, points of contact with both providers, and relevant account data.

Once all of that information was collected, the attacker(s) called the telecom provider and authenticated themselves using the proper methods in order to report a physical disaster — enabling them to request that all of the victim's phones be redirected to numbers controlled by the attacker(s).

Next, they faxed a request to the bank, asking for multiple large-sum transfers offshore. Because such a request required additional security, the bank did as expected and called the number on record to confirm the transfer. The attacker(s) simply confirmed the order, since they controlled the phones, and the money was wired to various accounts.

Another example didn't use malware at all. Instead the attacker(s) impersonated a bank employee and sent an email to another actual employee. In perfect French, the message alerted the employee to the fact that the computer systems were being upgraded soon. The following day, the attacker(s) made a phone call and claimed to be a co-worker. They needed to perform a "test transfer", which the targeted employee was all too happy to do, resulting in stolen funds and yet another successful scam.

The victims in the known attacks so far are French-based firms, from a wide range of markets. The majority of the victims are from the manufacturing industry, followed by food, logistics, furniture, automotive, banking, and medical.

"In most cases, the first victim was an administrative assistant or accountant within the organization. In cases where the initial victim did not have rights to wire funds, the attacker used the victim's credentials to identify an employee within the accounting department that had this authority. The attacker then conducted further social engineering activities to compromise that individual's computer," Symantec explained.

Based on subsequent investigations into these attacks, the person(s) behind them are using mobile Wi-Fi connections, making tracking them nearly impossible. In fact, there is evidence that the attacker(s) rarely stayed in one spot while running the campaign, opting instead to move around. This, Symantec says, makes those responsible for the crimes "extremely difficult to trace."

These types of attacks can be devastating, as Symantec uncovered: they result not only in the loss of intellectual property but also in the loss of actual cash from the company's coffers, hitting the bottom line directly.

"[These attacks] show how skillful implementation of the principles of influence can create an environment where your company can be exposed to malicious attacks and not even know it," Hadnagy said.

Avoiding them, he added, will require proper education and security policies.
