Despite the fact that the e-mail was sent to him directly and addressed him by name, the message made the IT staffer suspicious. So he forwarded it to his company’s CSO with a quick note attached: “Can you investigate? We can support.” Both are employees at a midsize bank and are forbidden to talk to the press except anonymously.

“Dear ____,” the e-mail started, using the IT staffer’s first name. “I am a reporter for Finance News doing a follow-up story on the recent leak of customer records from [the bank’s name]. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece.”

After that, the e-mail provided what appeared to be a link to the Central News story—a URL that included the bank’s name in its characters—and ended with, “If you have time I would greatly appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily.”

[Image: the redacted e-mail]

It turns out that the IT staffer was not alone; he was just one of hundreds of employees at the bank who received this personally addressed e-mail, and one of many who forwarded the message to the bank’s CSO. In the parry and thrust of phishing defenses and phishing attacks, this particular e-mail represents a bold move for the bad guys in its level of social engineering sophistication. The scheme borrows on the accepted mores of professional e-mail communication in an attempt to commit fraud.

When the CSO studied the e-mail message his colleague received, instead of clicking on the link, he did a Web search on “Gordon Reily bank.” Amid very few results, one caught his interest. “Gordon Reily” showed in a link that came from an online discussion board, where someone had received precisely the same message, only this person was at a different bank (and that message was customized to include a URL with that bank’s name). The CSO decided this Gordon Reily, reporter for Finance News, wasn’t real.
It was a phishing attack.

“About 60 people here clicked on the link,” the CSO says. “Probably 200 got it.” He quarantined those machines that had connected to the link. Some quick research indicated the link connected to a website in China. He blacklisted that website at the network firewall. Now, even if someone at his bank clicked on the link, they wouldn’t connect.

As the CSO and his team worked on the quarantined machines, they noticed that as they typed, a particular file kept getting larger. They realized then that the machines had downloaded a keylogging bot from the Chinese website, and that the bot was storing all of their keystrokes in the growing file.

The eventual goal of such a targeted attack would be to have a bank employee with deep access to accounts and account information unwittingly log passwords and account information, which the bot would deliver back to the attacker.

The CSO says he heard that at least two other banks had been targeted with the same attack, but neither the one he saw on the discussion board online nor the other bank he heard about has been confirmed as a target. The CSO has contacted his local FBI office and anti-phishing and antivirus vendors.

In evaluating this phishing attack, the CSO admits that it impressed him with its sophistication. First, he says, the grammar and English in the e-mail message were impeccable; this was no Nigerian prince asking for help cashing a check. “Just the way it was worded and the fact it addressed you by name puts you off guard,” the CSO says. Second, the e-mail was sent directly to individuals at the bank and addressed each one by name, meaning the sender had access to the bank’s e-mail account names. That means the sender avoided blasting the e-mail and getting his messages caught in spam filters. The attacker also addressed targets personally, which puts people at ease.

Third, the guise of a journalist following a story was more than reasonable; messages like these, with links referring to stories, are sent by journalists every day. “It’s personalized. It looks legitimate,” the CSO says. Finally, the e-mail referenced the leaking of customer data and suggested that this employee, who was getting this personal message, had been cited in a previous story, which would both startle and pique the interest of the recipient. Everything about the e-mail drove the employee toward clicking on the link without pause. In short, it was a clever piece of social engineering.

This CSO’s midsize bank seems to have escaped the phishing attack unscathed, but it’s unknown how many other banks—or individuals—have received this type of e-mail and clicked on the link to the keylogging bot.

By Scott Berinato, CSO Magazine
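The lure turned on a link whose URL carried the bank’s name but pointed at a host the bank did not control. As an added example that is not from Berinato’s article or the bank’s own tooling, here is a Python triage heuristic that flags URLs borrowing an organisation’s name on a foreign domain; the trusted domains, keywords and sample message are constructed, and the two-label domain rule is a stated simplification.

```python
import re
from urllib.parse import urlparse

# Domains the organisation actually controls (constructed sample values).
TRUSTED_DOMAINS = {"examplebank.com", "examplebank.net"}
# Strings an attacker would embed so the link looks familiar (constructed).
ORG_KEYWORDS = {"examplebank", "example-bank"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    A real deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return "external"
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The organisation's name in the subdomain, path or query of a domain
    # it does not control is the trick the reporter lure relied on.
    haystack = f"{host}{parsed.path}?{parsed.query}".lower()
    if any(k in haystack for k in ORG_KEYWORDS):
        return "lookalike"
    return "external"


def triage_message(body: str) -> dict:
    """Map every URL found in an e-mail body to its classification."""
    return {u: classify_url(u) for u in URL_RE.findall(body)}


# Constructed sample body in the shape of the lure described in the article.
SAMPLE = (
    "I saw your name come up in the article from Central News: "
    "http://news-archive.example.org/examplebank-customer-leak/story.html "
    "Our own site is https://www.examplebank.com/press and a partner is "
    "https://example.com/"
)

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE).items():
        print(f"{verdict:9} {url}")
```

A "lookalike" verdict is a hold-for-review signal, not proof of phishing; the CSO’s web search for the sender is the kind of follow-up that confirms it.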