Large Scale Spear Phishing Attack on U.S. Credit Unions

I recently read an interesting Krebs on Security article about a large-scale, coordinated spear phishing attack on U.S. Credit Union anti-money laundering officers. The primary goal of this phishing attack was to get the victim to click on a malicious link, which in itself is nothing new or particularly interesting. However, what was interesting was the method the attackers used to get there.

First, they used typical spear phishing tactics, such as customizing their emails to the specific target, and making each email appear to be from a known, trusted contact. But instead of simply putting the malicious link in the email, they instead attached a PDF claiming to be a money laundering/fraud report, which is something the targeted victim handles as part of their job.

The attached PDF itself was not malicious, so no AV scanner would flag it. However, the PDF did include a malicious link. I haven’t seen any specific information about what happens when the link is clicked, but as a security professional, you have to assume it could lead to full system compromise in the worst case.

So why didn’t the attackers simply put the link in the email? The obvious answer is to circumvent legacy email URL rewriting tools, which are not very effective. However, I believe there was more to it than that. I believe they took the extra step of embedding the link in a PDF in an effort to gradually build trust with the victim, so that by the time they reached the link their guard was down.
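A defender-side check that closes the gap described above, as an added example that is not part of the original post and not Light Point's own code: it extracts the /URI link actions from an attached PDF (including ones inside Flate-compressed streams, where a plain text search would miss them) and applies the same host allow-list a mail gateway would apply to links in the message body. The sample PDFs and hostnames are constructed.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample: a minimal PDF whose only content is a link annotation
# with a /URI action (hand-written for this example, not the real attachment).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://example.invalid/fraud-report/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same kind of link, but inside a Flate-compressed object stream (constructed),
# which is how most PDF generators actually emit annotations.
SAMPLE_PDF_COMPRESSED = (
    b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"4 0 << /Type /Annot /Subtype /Link "
                    b"/A << /S /URI /URI (https://example.invalid/report.php?id=1) >> >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

# /URI (literal string); handles backslash escapes but not nested unescaped parens.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(?P<body>.*?)\r?\nendstream", re.DOTALL)

def _unescape(raw):
    # PDF literal strings escape '(', ')' and '\' with a backslash.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")

def extract_uris(pdf_bytes):
    """Return every /URI action target in the file, in order of first appearance,
    searching the raw bytes plus every stream that inflates as zlib data."""
    views = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            views.append(zlib.decompress(m.group("body")))
        except zlib.error:
            pass  # not Flate-encoded (image data, other filters): skip
    uris = []
    for view in views:
        for m in URI_RE.finditer(view):
            uri = _unescape(m.group("uri"))
            if uri not in uris:
                uris.append(uri)
    return uris

def assess_attachment(pdf_bytes, trusted_hosts):
    """Flag any http(s) link whose host is outside the allow-list, i.e. apply the
    body-link policy to links the attachment carries instead."""
    return [u for u in extract_uris(pdf_bytes)
            if urlparse(u).scheme in ("http", "https")
            and urlparse(u).hostname not in trusted_hosts]
```

Real attachments can also use /Launch, /JavaScript or /GoToR actions and nested parentheses inside strings, so a production gateway should parse objects properly rather than rely on this regex.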

If the victim opens a new email and the first thing they see is a link, red flags are flying in their head. All their prior security training is screaming at them to look more closely at the email to see if it is legitimate or not. But if they open an email and everything looks normal, they will lower their guard. “Oh, it’s yet another fraud report I have to deal with…” When they open the PDF attachment and THEN see the link they need to click, maybe they have already moved past the suspicious stage and just want to get it taken care of.

I can’t say for sure that is what the attackers were thinking, but it makes sense to me.

Luckily though, as most phishing emails do, these emails contained lots of grammatical errors, which should raise the suspicion level even higher, high enough that the whole link-in-a-PDF tactic could not neutralize it.

The official guidance to these credit union employees (and most computer users in general) is to simply not click links in suspicious emails. But when done right, a malicious email doesn’t look suspicious at all. So what then? This is exactly the reason we built our Remote Browser Isolation solution, Light Point Web. Any Light Point Web user that clicked on one of these malicious links, even one embedded in a PDF, would not have been at risk.
