Companies have been warned to remain vigilant following the identification of a new personalized phishing scam that tries to fool users into downloading malware onto their company’s computers. These new personalized phishing campaigns are primarily being used to distribute CryptoWall ransomware.
The Arsnif/RecoLoad POS reconnaissance Trojan is also being used to target organizations in the retail and hospitality industries, as is the Ursnif ISFB banking Trojan.
The current campaign does not target all staff. Instead, it is used to try to install malware on the computers of users with elevated network privileges, including senior executives, CFOs, senior vice presidents, CEOs, heads of finance, and company directors. These staff members not only have access to more data, they are also likely to have access to corporate bank accounts.
If the payload is delivered, it can lead to POS systems being infected, access to bank accounts being obtained, and widespread data encryption by ransomware. A single email could cause a considerable amount of damage. The emails are currently being used to target organizations in the financial services sector, although the retail, manufacturing, healthcare, education, business services, technology, insurance, and energy sectors have also received these phishing emails.
The emails have not been delivered to random individuals, something that is unusual in phishing campaigns. Many spammers send phishing emails by the millions in the hope that some people will respond. However, this is a personalized phishing scam targeting specific people. Those people have been researched, and the emails include data specific to each person.
Each email addresses the recipient by name and includes their job title, address, and phone number in the body of the email. The subject is specific, the email is crafted for a specific industry, and the attached files and links have been labelled to make them appear genuine. The emails are also well written and do not include the spelling and grammar mistakes typical of spam email.
A personalized phishing scam like this is not usually carried out on such a large scale. Spear phishing emails are normally sent to just a small number of individuals, but this personalized phishing scam is being sent to many thousands of people, in particular those in the United States, United Kingdom, and Australia.
The data included in the email body could have been gathered from a social media site such as LinkedIn, although the scale of the attack suggests the data has been taken from elsewhere, for example from a previous cyberattack on another company, such as a supplier or an online portal. Companies that do not implement a robust spam filter will be at risk.