Sphear Phishing Malware Case Study

Issue

A multi-national manufacturing organization named XYZ*, having a journey of six decades in roofing interior and exterior building products and solutions became a victim of spear-phishing email cyber-attack. The attacker created confusion and waited for the right opportunity to divert funds to his bank account by tricking the organization’s sales employee asking him to update the organization’s trusted vendor bank account details.

XYZ* being a multinational organization, has many worldwide vendors supplying various types of building material to them. Basically, the vendor need to issue the bill post-delivery of goods. However, in spite of being a multinational organization, the organization policy did not mention to whom the vendor should mail the details of the bill. Generally, as per vendor understanding, they usually share the bill and bank account details with the accounts department of the organization.

The organization’s sales employee received an email, requesting them to update one of their vendor’s bank account details. No update of the same was prior confirmed with any organization’s employee regarding the update. The sales employee forwarded the same to the concerned accounts department employee for further action. While going through the email, the accounts employee noticed something unusual in the email, which raised suspicion and hence called for suspicious activity investigation. Due to this raised alarm, neither the actual organization’s vendor account nor the organization’s systems got compromised.

Also, it was identified during investigation that the organization neither had proper information security management policies as defined in ISO27001, nor had any proper guideline for information security risk treatment, before consulting Shashwat Solutions, which is absolutely essential to be defined in the interests of organization’s information security management systems.

Hence after this requested investigation, Shashwat Solutions guided the organization in getting ISO27001 certified, where it provided consultation to the organization in forming and implementing the policies as per ISO 27001 guide lines. The above issue clearly highlights the case of a spear-phishing attack, where the attacker sent spoofed organization’s vendor’s email to organization’s sales employee, which looked like it originates from the organization’s vendor’s legitimate email address. The attacker expected quick action from the organization’s accounts employee to update the bank account details through organization’s sales team based on trust. In this way, spear-phishing email is modified by malicious attacker in such a manner using social engineering to specially target vulnerable victims, making it very easy for them to bypass the toughest security measures

Investigation

Upon the organization’s email suspicion investigation request, Shashwat Solutions undertook this investigation case.

As investigation’s first step, we took the organization’s sales employee laptop into custody, who received this phishing mail and forwarded it to accounts employee. During interrogation, it became evident that the sales employee’s intent was neither malicious, nor his laptop was infected and the email is purely a targeted phishing email to confuse and trick target victim organization’s audience dealing with large financial transactions. 

In the second step, we checked the source of email message by shutting down the network and blocking organization’s email communication. In this step, we checked the filters of the cloud based email solutions of the organization, determined the email’s header and footer, authentication results where we found the sender’s IP address. After examining the attacker’s email ‘FROM’ email header, first major red flag was identified that attacker used email impersonation technique by using the exact trusted vendor’s name of the victim organization to display in the ‘FROM’ email header to build recipient’s trust about email’s integrity.

In the third step, a second major red flag was identified, where we noted that only beneficiary name and bank account number was provided, where the salutation and sender’s name was missing. Also, the Email Threat Scanner did not highlight suspicious  most common phishing database subject line but provided warning about email server information. While checking the server’s information protocol, logs and packet movement, it was noticed that  the mail server IP address did not have much activity. Thus, this technique successfully helped the attacker in circumvented DKIM/DMARC mail security filters set by the organization, which was identified after checking the email solutions server log report.

Additionally, while investigating, it was found that the organization’s email filter in firewall end point protection was not configured properly to filter email and mark it spam, based email address server’s IP address. This was determined after reviving the backup archival data server email address IP logs.  

Further, during investigation, it was found that organization’s information systems security policies were unclear. In addition, no proper documentation for assessing sensitive security incidents was present. Besides that, no updated information security awareness employee trainings were conducted on timely basis which could have helped to prevent the phishing mail forwarding incidence.       

Thus, during the investigation phase, many red flags were identified and reported, which proved lack of ISMS compliance for managing organization’s sensitive data

Analysis

After understanding the incidence, organization’s business needs and expectations of the organisation’s interested parties, we suggested the  organization’s management to demonstrate commitment in ensuring resources needed for information security be made available, integrating ISMS requirements, establish information security policy and promote ISMS continual improvement into the organization’s process. Subsequently, we consulted the organization in forming information security policy, action plans to address risk and opportunities planning and improvement such as taking corrective action.

As a part of corrective action, we recommended the organization’s IT department to change the email solution vendor and guided them in configuring accurate email filters. Also, we guided them in maintaining their archival backup security and set log monitoring function to record the ongoing activity. Additionally, we suggested them to get information security and firewall training from our consultancy for employees having access to external emails.

Moreover, we suggested them to block unwanted open ports, create timely updated information security awareness and report any suspicious email activity instantaneously without forwarding further or before taking any action on it.      

The solution provided by us will help the organization to successfully become ISO27001 compliant. It will provide the information security policy framework, which will drive organization to committed action, protect its information systems and create action plan to address risks. This activity will help the organization in performing information security risk assessment and timely resolve information security risks. Further, this activity will help the organization to produce supportive evidences during ISO27001 Audit, Management Review on ISMS and identify the improvements such as taking corrective action in case of security incidence

Client Testimonials

Know  what our customers have to say about us.

Our Clients