Aggressive social engineering campaign uncovered in Europe
Recent attacks on multiple French-based firms have exposed an aggressive social engineering campaign that has resulted in large amounts of stolen money
By Steve Ragan, Staff Writer
September 04, 2013 — CSO
Earlier this year, Symantec discovered an aggressive social engineering campaign targeting a limited set of multi-national firms in Europe. The attacks were by the book, employing classic techniques, eventually netting the criminals vast sums of stolen funds for their efforts.
In April, an administrative assistant working at a French-based multi-national firm received an email that referenced an invoice hosted on a file-sharing service (such as Dropbox). A few moments later, a person posing as a senior executive within the same firm — speaking flawless French — called, spoke with authority, and requested that she process the invoice referenced in the email.
"Over the last few months, we've seen hackers use more multi-staged social engineering attacks to penetrate various organizations. [This recent] attack is a prime example of how one such group used several principles of influence to get the target to take an action they shouldn't have," said Chris Hadnagy of Social-Engineer, Inc., in an email to CSO.
The administrative assistant processed the invoice without question, unaware that the file was actually a Remote Access Trojan (RAT) configured to communicate with a server in the Ukraine. Once it was installed, the attacker used the RAT to take control of the assistant's workstation, logging keystrokes, monitoring the desktop, and exfiltrating files for later examination.
"This call relies on the principle of influence called authority. The caller pretends to be a VP of the company and in perfect French provides messaging that is consistent with the pretext. This allows the employee to feel comfortable clicking the attachment," Hadnagy added.
"There are a few lessons we can learn from this example. First, by understanding how to perfectly apply a few principles of authority, the attackers were able to get employees to take actions that damaged the company. Second, there were no threats or manipulation used in this attack; fear was not the motivator. Everything appeared to be done professionally, fitting within the pretext used — therefore the employees were unaware of any danger."
In a blog post, Symantec said that these tactics (an email followed by a phone call in perfect French) are highly unusual and a sign of an aggressive social engineering campaign. According to its investigations, this isn't the first time such an attack has happened. In fact, such attacks are still taking place in Europe.
There is evidence that this social engineering campaign started in February, but the phone calls were added to the mix in April and have been used consistently by the attacker(s) ever since. In some cases, a phone call is placed before the email is sent; in other cases, the call is made both before and after the email is sent.