Despite the fact that the e-mail was sent to him directly and addressed him by name, the message made the IT staffer suspicious. So he forwarded it to his company's CSO with a quick note attached: "Can you investigate? We can support." Both are employees at a midsize bank and are forbidden to talk to the press except anonymously.

"Dear ____," the e-mail started, using the IT staffer's first name. "I am a reporter for Finance News doing a follow up story on the recent leak of customer records from [the bank's name]. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece."

After that, the e-mail provided what appeared to be a link to the Central News story—a URL that included the bank's name in its characters—and ended with, "If you have time I would greatly appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily."

[Image: The redacted e-mail]

It turns out that the IT staffer was not alone; he was just one of hundreds of employees at the bank who received this personally addressed e-mail, and one of many who forwarded the message to the bank's CSO.

In the parry and thrust of phishing defenses and phishing attacks, this particular e-mail represents a bold move for the bad guys in its level of social engineering sophistication. The scheme borrows the accepted mores of professional e-mail communication in an attempt to commit fraud.

When the CSO studied the e-mail message his colleague received, instead of clicking on the link, he did a Web search on "Gordon Reily bank." Amid very few results, one caught his interest. "Gordon Reily" showed up in a link from an online discussion board, where someone had received precisely the same message, only this person was at a different bank (and that message was customized to include a URL with that bank's name).

The CSO decided this Gordon Reily, reporter for Finance News, wasn't real. It was a phishing attack.

"About 60 people here clicked on the link," the CSO says. "Probably 200 got it." He quarantined those machines that had connected to the link. Some quick research indicated the link connected to a website in China. He blacklisted that website at the network firewall. Now, even if someone at his bank clicked on the link, they wouldn't connect.

As the CSO and his team worked on the quarantined machines, they noticed that as they typed, a particular file kept getting larger. They realized then that the machines had downloaded a keylogging bot from the Chinese website that was storing all of their keystrokes in the growing file.

The eventual goal of such a targeted attack would be to have a bank employee with deep access to accounts and account information unwittingly log passwords and account information, which the bot would deliver back to the attacker.

The CSO says he heard that at least two other banks had been targeted with the same attack, but neither the one he saw on the discussion board online nor the other bank he heard about has been confirmed as a target. The CSO has contacted his local FBI office and antiphishing and antivirus vendors.

In evaluating this phishing attack, the CSO admits that it impressed him with its sophistication. First, he says, the grammar and English contained in the e-mail message were impeccable; this was no Nigerian prince asking for help cashing a check. "Just the way it was worded and the fact it addressed you by name puts you off guard," the CSO says. Second, the e-mail was sent directly to individuals at the bank, and addressed each one by name, meaning the sender had access to the bank's e-mail account names. That means the e-mail sender avoided blasting the e-mail and getting his messages caught in spam filters. The attacker also addressed targets personally, which puts people at ease.
Third, the guise of a journalist following a story was more than reasonable; messages like these, with links referring to stories, are sent by journalists every day. "It's personalized. It looks legitimate," the CSO says. Finally, the e-mail referenced the leaking of customer data and suggested that this employee, who was getting this personal message, was cited in a previous story, which would both startle and pique the interest of the e-mail recipient. Everything about the e-mail drove the employee toward clicking on the link without pause. In short, it was a clever piece of social engineering.

This CSO's midsize bank seems to have escaped the phishing attack unscathed, but it's unknown how many other banks—or individuals—have received this type of e-mail and clicked on the link to the keylogging bot.

By Scott Berinato, CSO Magazine
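The one concrete technical indicator the article describes is the link itself: a URL that carries the bank's name while pointing at a host the bank does not own. As an added illustration (this is not code from the article or from the bank's own tooling), the Python routine below triages every URL in an e-mail body against that indicator. The e-mail body, the organization profile (`ORG_NAMES`, `ORG_DOMAINS`) and every domain in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail body modelled on the message the article describes;
# the names, domains and URLs are invented for this example.
SAMPLE_BODY = """Dear Alex,
I am a reporter for Finance News doing a follow up story on the recent
leak of customer records from Example Bank. I saw your name in the
Central News article: http://news.example-bank-leak.cn/stories/example-bank/leak
Our earlier coverage is at https://www.examplebank.com/press/statement
Regards, Gordon Reily
"""

# Hypothetical organization profile a defender would maintain: the brand
# strings attackers tend to embed in lookalike URLs, and the domains the
# organization actually controls.
ORG_NAMES = ["examplebank", "example bank"]
ORG_DOMAINS = {"examplebank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def normalize(text: str) -> str:
    """Lower-case and strip separators so 'Example-Bank' and 'examplebank' compare equal."""
    return re.sub(r"[\s._-]", "", text.lower())


def registered_domain(host: str) -> str:
    """Naive registered-domain guess (last two labels). A production check
    would consult the Public Suffix List instead of this shortcut."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL found in the body text."""
    return URL_RE.findall(body)


def assess_url(url: str, org_names=ORG_NAMES, org_domains=ORG_DOMAINS) -> dict:
    """Flag a URL that mentions the organization anywhere in its text while
    its registered domain is not one the organization controls. This catches
    both 'bank name in the path' (the article's case) and 'bank name as a
    subdomain of an attacker-controlled domain'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg_dom = registered_domain(host)
    mentions_org = any(normalize(name) in normalize(url) for name in org_names)
    on_org_domain = reg_dom in org_domains
    flags = []
    if mentions_org and not on_org_domain:
        flags.append("org-name-in-url-but-foreign-domain")
    return {"url": url, "host": host, "registered_domain": reg_dom, "flags": flags}


def triage_email(body: str, org_names=ORG_NAMES, org_domains=ORG_DOMAINS) -> list[dict]:
    """Return the assessment of every URL in the body that raised a flag."""
    results = [assess_url(u, org_names, org_domains) for u in extract_urls(body)]
    return [r for r in results if r["flags"]]


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_BODY):
        print(finding["url"], "->", ", ".join(finding["flags"]))
```

Run against the constructed body, the routine flags only the lookalike link (registered domain `example-bank-leak.cn`) and passes the link on the bank's own domain. The same check, fed from a mail gateway, gives a reviewer a reason to inspect a message before anyone clicks, which is the step the CSO in the story performed by hand with a Web search.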