Menlo Security researchers recently uncovered a highly customized phishing campaign that lifted reams of personally identifiable information (PII) without detection.
The sophisticated spear phishing attack took place at a “well-known enterprise,” Menlo Security said in its report, going undetected by existing security solutions. A close examination of the event by researchers revealed that the attackers performed various checks on the password entered by the victim and their IP address, to determine whether it was a true compromise versus somebody who had figured out the attack. They relied heavily on several key scripts to execute the phishing campaign, and to obtain the victim’s IP address in addition to the victim’s country and city.
The attackers also supported various email providers—and in fact served custom pages based on the email domain or the mark. For example, a victim whose email address was john.doe@gmail.com would be served a page that looked like a Gmail login page.
Once in, the attackers exfiltrated the victim’s personally identifiable information (PII) to an attacker controlled account.
“Credential theft via increasingly sophisticated spear phishing attacks is dangerous to the enterprise,” said Poornima DeBolle, chief product officer and co-founder of Menlo Security. “Existing email security products will have a difficult time detecting these attacks using the usual good versus bad methods. Once an attacker obtains an employee’s credentials, they have the keys to your kingdom.”
The spear phishing vulnerabilities stem from legacy email security solutions, including sandbox-based anti-phishing products, being largely based on reputation; that is, whether an email link is known to be “good” or “bad.” A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis.
In the case of spear phishing attacks, which target specific individuals within an organization, the email link is usually unique, as is the target user, hence there is no third-party reputation data available, nor is there enough data to analyze internally to make an accurate determination. If the determination is incorrect, users are sent directly to a web site where credentials can be stolen or malware can be downloaded to the user’s device.