Canadian small and medium-sized businesses are being targeted with spear phishing attacks by a gang trying to get employees to reveal corporate banking passwords and two-factor authentication codes, IBM researchers said today.
“The goal of this targeted phishing attack is to take the account over and transfer money to mule accounts that the criminals control,” researchers said in a blog detailing the scheme.
The probes are aimed at very specific people in an organization who deal with finances, using intricate emails crafted to look like legitimate bank correspondence. The messages carry the correct bank logos and accurate details, and attach a PDF. Putting the malicious links, keywords and brand abuse inside the attachment rather than the message body hides them from email filters that would flag them if they appeared in the body.
The attack is slick: the criminals registered several domains and created email addresses carrying the bank's name, purporting to come from the bank's customer service, security or technology departments and from actual employees of the victim's bank.
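The two evasion tricks above, hiding links inside a PDF attachment and sending from a lookalike domain, can both be caught by pulling every URI action out of the attachment and comparing link hosts and the sender's domain against the bank's real domains. The following is an added example written for this article, not code from IBM or from the report; the domain names "examplebank.ca" (the bank's real domain) and "examplebank-tokensync.com" / "examplebank-support.com" (attacker-registered lookalikes) and the embedded PDF are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The hypothetical domain "examplebank.ca" stands in for the bank's real domain,
# "examplebank-tokensync.com" for an attacker-registered lookalike.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://examplebank-tokensync.com/sync?id=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.examplebank.ca/help) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches a /URI action whose target is a PDF literal string "( ... )",
# allowing backslash-escaped characters inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """Return every literal-string /URI action visible in the raw PDF bytes.

    Caveat: objects packed into FlateDecode object streams are invisible to a
    raw scan; decompress them (for example with a PDF library) before calling this.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF literal-string escapes that matter for a URL.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def _normalize(label: str) -> str:
    """Lower-case and strip punctuation so 'Example Bank' matches 'examplebank-x.com'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def classify_host(host: str, bank_name: str, legit_domains: tuple) -> str:
    """'legitimate' if host is (a subdomain of) a real bank domain,
    'lookalike' if it merely contains the bank's name, else 'external'.
    Caveat: homoglyph / IDN (xn--) lookalikes need a separate check."""
    host = host.lower().rstrip(".")
    for d in legit_domains:
        d = d.lower()
        if host == d or host.endswith("." + d):
            return "legitimate"
    if _normalize(bank_name) in _normalize(host):
        return "lookalike"
    return "external"


def classify_url(url: str, bank_name: str, legit_domains: tuple) -> str:
    host = urlsplit(url).hostname or ""
    return classify_host(host, bank_name, legit_domains)


def scan_pdf(pdf_bytes: bytes, bank_name: str, legit_domains: tuple) -> list:
    """Pair every link found in the attachment with its verdict."""
    return [(u, classify_url(u, bank_name, legit_domains)) for u in extract_pdf_uris(pdf_bytes)]


def triage_message(sender: str, pdf_bytes: bytes, bank_name: str, legit_domains: tuple) -> dict:
    """Combine the sender's domain and the attachment's links into one decision:
    flag the message if either the sender or any link is a lookalike of the bank."""
    sender_host = sender.rsplit("@", 1)[-1]
    sender_class = classify_host(sender_host, bank_name, legit_domains)
    links = scan_pdf(pdf_bytes, bank_name, legit_domains)
    flagged = sender_class == "lookalike" or any(v == "lookalike" for _, v in links)
    return {"sender": sender_class, "links": links, "flag": flagged}


if __name__ == "__main__":
    # Hypothetical sender address, constructed for the demonstration.
    result = triage_message("security@examplebank-support.com", SAMPLE_PDF,
                            "Example Bank", ("examplebank.ca",))
    print("sender:", result["sender"])
    for url, verdict in result["links"]:
        print(f"{verdict:10s} {url}")
    print("FLAG" if result["flag"] else "clean")
```

The raw-byte scan is deliberately dependency-free so it can run inside a mail gateway hook; real attachments are usually compressed, so in production decompress object streams first and feed the inflated bytes to `extract_pdf_uris`. The lookalike test is intentionally crude (bank name as a substring of the host): it produces false positives on third-party domains that legitimately mention the bank, which is the right trade-off when the downstream action is quarantine-and-review rather than automatic deletion.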
The email tells victims they need to re-synchronize the hardware token devices they use for multifactor authentication, warning that the existing device cannot be used for payment processing until it has been synchronized again. “This one was not especially ingenious,” the report says, because it is a common tactic. “That fake synchronization is designed to include the process of generating one-time passwords with hardware tokens typically issued to business banking customers.” The attackers also use another common trick: making the request appear urgent by warning victims to open the PDF promptly for instructions to visit a (malicious) web page, supposedly to prevent cancelled payments and transaction delays.
“The content of the PDF changed slightly in some cases to address a specific victim’s role,” the researchers found, “another indication that the attackers had prior knowledge of their selected recipients. Some cases addressed a business banking user, for example, while others addressed an administrator with service access and additional users.”
The infrastructure hosting the attack is based in Ukraine, the IBM researchers say, on servers that have hosted a number of other attacks targeting Canadian banks. The same infrastructure also hosts attacks aimed at consumers, who are promised a refund that can only be deposited directly into their bank account. They are sent to a landing page that prompts them to select their banking institution before redirecting them to the matching attack page for that bank. There the victims are asked for login credentials and the account security details typically used for password resets. Finally they are told the refund transfer could not be completed or had expired.
“Security training and incident response planning can go a long way toward helping to protect the business and recovering stolen funds in case of this type of compromise,” says IBM. In practice that means impressing on staff that any email requesting a change in banking procedure, such as re-synchronizing a token, should be treated with suspicion and confirmed through a phone number the organization already has on file rather than through links or numbers in the message.