Social engineering proved effective at enticing bank employees to click a link in an email that pulled a keylogger onto 60 machines.
The phishing scheme that targeted an unnamed midsized bank arrived in employee inboxes personally addressed, without spelling or grammar errors, and claimed to be from a journalist.
Scott Berinato at CSO Magazine posted about the very effective phishing attack that the bank thwarted.
The post included the text of the email, with bank details redacted:
"Dear ____," the e-mail started, using the IT staffer's first name. "I am a reporter for Finance News doing a follow up story on the recent leak of customer records from [the bank's name]. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece."
After that, the e-mail provided what appeared to be a link to the Central News story (a URL that included the bank's name in its characters) and ended with, "If you have time I would greatly appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily."
The link included in the email led to a site in (surprise!) China.
Clicking the link brought a Trojan file onto the victim's system, and the keylogger in the file began recording keystrokes.
That recording activity is what led to the keylogger's discovery. After isolating the machines that had visited the link in the email, bank investigators noticed a file steadily growing on those systems.
The file held the users' captured keystrokes and, from the attacker's point of view, would ideally have eventually picked up a login for accessing accounts.
One aspect of the incident received only a passing mention.
The attacker had legitimate employee email addresses and was able to send the phishes directly to people while addressing them by first name.
About 200 people received the phish, so somehow the attacker obtained a list of emails and names before starting the scam.
"Everything about the e-mail drove the employee toward clicking on the link without pause," Berinato wrote. "In short, it was a clever piece of social engineering."
The incident also shows that people need to be exceptionally skeptical of incoming messages.
While it's the nature of IT types to be suspicious, the typical end-user is not that way.
Public reporting of incidents like these helps educate potential victims as to the dangers and sophistication of phishing scams.
About the Author: David Utter is a business and technology writer with WebProNews.