Tax season is a hectic time of year for not only organizations but their employees.  This year attackers are looking to take advantage of this turbulence with a simple social engineering inquiry that could land them a gold mine of personal and financial information.  It turns out all they have to do is ask.

The Attack

Utilizing publicly available information, attackers are employing a deceptively simple method to target employee W-2 information from organizations throughout the United States by spoofing the email address of high-ranking officers in a company.  An example of this technique which is crafted to look like an email from an organization’s CEO. …No fancy code, no port scans, no reconnaissance.  The deception, an email that appears to come from the CEO, is accomplished using software that allows the attacker to falsify the origin of an e-mail.  This simple message can set an organization on a path towards full disclosure of Personally Identifiable Information (PII), if proper data handling procedures are not followed.

How it Works

This exploit takes advantage of a common trend the security industry has observed over the past few years.  Nearly 1 in 4 people open phishing e-mails (with over 1-in-10 actually interacting with attachments).  For those who are unclear on why this is considered high risk behavior, phishing e-mails with attachments are the most common delivery method for malware.  Over the last two years, more than two-thirds of cyber-espionage cases have involved some form of targeted phishing e-mail campaign1.  These campaigns can be a very effective method when combined with just a little organizational knowledge.

In most situations attackers can use publicly accessible sites (often the organizations own website) to compile information on the most influential members of an organization and ascertain what format the company e-mail address is in.  Once this information is collected, the attacker will then use specialized software to “spoof” the identity of someone high within the organization, usually a C-Level employee who has the authority to give orders and request information with little suspicion. Then, utilizing a program that allows the attacker to mask his/her e-mail address he/she will craft an e-mail that appears to be from the CEO.  This e-mail is often to another member of the organization including a seemingly harmless request for information.  Once the information is compiled the employee on the receiving end of the request sends the information directly to the attacker in the form of a direct-reply to the spoofed email and the PII is compromised.

Preventative Measures

The best way to mitigate threats of this nature is to execute user awareness training at all levels.  This training should aim to ensure users know the indicators of phishing e-mails, the dangers associated with phishing attacks, and how to appropriately handle/report suspicious e-mails.   Organizational data handling procedures should be documented and enforced to ensure that information of this nature cannot exit the organization without proper vetting and approval.  Consider installing e-mail protection appliances that can automatically help identify and mitigate threats of this nature.  Contact your security advisor to discuss the technologies and procedures that are right for your organization, or contact HALOCK for more information.

1 2015 Verizon Data Breach Investigations Report

 

By Todd Hacke