The anatomy of a spearphishing campaign: 3 keys to stopping one

Trend Micro has discovered and reported on a spearphishing campaign that went after some very high-value targets. What it found holds lessons you can use to protect your own users.

Operation Pawn Storm has been targeting government, military and defense contractor personnel since at least 2007. The highly targeted spearphishing campaign lures its victims with files that appear to relate to conferences and events.

Some features of this campaign that made it especially difficult to defend against:

  • Decoy documents. Attackers sent Excel or Word files pertaining to upcoming conferences and events. The files looked legitimate, but opening them silently dropped a downloader (a .dll file) that ran in the background.
  • Multistage attacks. Rather than delivering the final payload at once, the attackers installed a chain of downloaders and malicious files one at a time, until a keylogger was eventually downloaded and began sending information back to them. Finding and deleting any one link would break the chain, but Trend Micro notes that the staging makes detection extremely difficult: looking at a single downloader in isolation, it is hard to tell what came before it or what it will fetch next.
  • Fake log-in pages. The attackers built pages that looked almost identical to the remote log-in pages for webmail and other accounts. Victims' sessions had not actually expired, but a page popped up asking them to re-enter their usernames and passwords, hosted on lookalike domains: academi.com became academl.com (a lowercase L in place of the i), and log-in.osce.org became log-in-osce.org (a hyphen in place of the dot, which turns a subdomain of osce.org into a separately registered domain).

Spearphishing is hard to find, harder to stop

These attacks focused on government agencies and contractors, but spearphishers don't limit themselves to the highest-profile targets. Every organization has valuable data, and the higher a target sits in the company, the more of that data they can access. Going after these targets simply makes sense.

Here are three keys to help protect your company against spearphishing attacks.

1. Give executives special attention.

Consider a one-for-one rule: anyone with access to the most sensitive information must also receive special training on phishing threats. If you sell executives on the training as part of their elite status, they're more likely to buy in, attend and even pay attention.

2. Isolate suspicious files.

Services that scan incoming files and attachments, or open them in an isolated sandbox and watch what they do, could have helped stop these attacks. No matter how much you warn them about hidden threats, users are unlikely to suspect that a Word or Excel document contains anything harmful. An automated solution that inspects the file itself, rather than the name it arrives under, is far more likely to catch the dropped downloader.
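As an added example, not code from the original article or from Trend Micro, the following Python script performs the kind of static check an attachment-scanning service applies before a document ever reaches a user: it classifies each file by its leading bytes instead of its extension, flags an Office document whose contents do not match its name, and looks inside both legacy (OLE2) and modern (OOXML) Office containers for an embedded Windows executable, the form the campaign's .dll downloaders took. The sample documents are constructed in the script (including a stub PE header that is not a real program) so it runs offline; the VBA-project check goes slightly beyond the article, which does not mention macros.

```python
"""Static triage of e-mail attachments: flag Office documents that carry an
embedded Windows executable (the .dll downloaders described above) or whose
bytes do not match their extension.  Heuristic only: a detonation sandbox,
not this script, is what actually observes a downloader run."""
import io
import os
import struct
import zipfile
from typing import Dict, List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx (a ZIP container)
MZ_MAGIC = b"MZ"                                   # DOS header that starts every .exe/.dll
PE_SIGNATURE = b"PE\x00\x00"
EXPECTED_CONTAINER = {".doc": "ole2", ".xls": "ole2", ".docx": "zip", ".xlsx": "zip"}


def container_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever extension it claims."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew field (at +0x3c) points at a 'PE\\0\\0'
    signature.  Requiring the second signature keeps stray 'MZ' byte pairs from
    being reported."""
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew : pos + e_lfanew + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment; an empty list is clean."""
    findings = []
    ext = os.path.splitext(filename.lower())[1]
    kind = container_type(data)

    if ext in EXPECTED_CONTAINER and kind != EXPECTED_CONTAINER[ext]:
        findings.append(f"{ext} extension but content is {kind}")

    if kind == "zip":
        # OOXML: walk the parts; embedded objects live under word/embeddings/ etc.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("vbaProject.bin"):
                    findings.append(f"VBA macro project: {member}")
                if find_pe_headers(zf.read(member)):
                    findings.append(f"embedded Windows executable: {member}")
    else:
        # OLE2 streams are stored in 512-byte sectors, so an embedded PE's DOS
        # header and e_lfanew are normally contiguous; scanning the raw file works.
        for off in find_pe_headers(data):
            findings.append(f"Windows executable (PE) at offset {off:#x}")
    return findings


# ---- constructed samples (not files from the campaign) ----
def fake_pe() -> bytes:
    """Just a DOS header plus the PE signature: enough to trigger the check, not runnable."""
    blob = bytearray(MZ_MAGIC + b"\x00" * 0x3A)  # DOS header up to e_lfanew
    blob += struct.pack("<I", 0x80)               # e_lfanew: PE header at 0x80
    blob += b"\x00" * (0x80 - len(blob))
    blob += PE_SIGNATURE + b"\x00" * 20
    return bytes(blob)


def build_docx(extra_parts: Dict[str, bytes]) -> bytes:
    """Minimal .docx-shaped ZIP with the given extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, blob in extra_parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


CLEAN_DOCX = build_docx({})
TROJANED_DOCX = build_docx({"word/embeddings/oleObject1.bin": fake_pe()})
MACRO_DOCX = build_docx({"word/vbaProject.bin": b"\x00" * 16})
TROJANED_DOC = OLE2_MAGIC + b"\x00" * 504 + fake_pe()   # PE inside a legacy .doc
RENAMED_EXE = fake_pe()                                  # executable with a .docx name

if __name__ == "__main__":
    for name, blob in [("agenda.docx", CLEAN_DOCX), ("agenda.docx", TROJANED_DOCX),
                       ("agenda.docx", MACRO_DOCX), ("agenda.doc", TROJANED_DOC),
                       ("agenda.docx", RENAMED_EXE)]:
        print(f"{name}: {scan_attachment(name, blob) or 'clean'}")
```

A hit from this script is a reason to quarantine and detonate, not proof of compromise; a miss proves nothing, since a decoy can also exploit a parser bug in Word or Excel and carry no embedded executable at all, which is why the sandbox that actually opens the file remains the stronger control.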

3. Examine domain names carefully.

Of all the methods of preventing spearphishing, this is the least reliable at catching attacks. But if users are redirected to a log-in page, tell them to examine the URL before entering credentials and confirm it really points to the expected domain: for instance, ebay versus eebay, or academi.com versus academl.com.
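The comparison users are being asked to make by eye can also be done mechanically at a mail or web gateway. The following Python script is an added example, not code from the original article, that checks the host in a log-in URL against a small allow-list of trusted domains and reports the substitutions the campaign above used: a look-alike character (academl.com for academi.com), a hyphen in place of a dot (log-in-osce.org for log-in.osce.org) and a doubled letter (eebay for ebay). It goes beyond the article by also catching a trusted name buried in the subdomain of some other domain and a brand name padded with extra words. The allow-list, the homoglyph table and every URL are constructed for illustration, and the registrable-domain helper simply takes the last two labels, which is wrong for suffixes such as co.uk.

```python
"""Check whether the host in a log-in URL really belongs to a trusted domain
or only resembles one.  Covers the substitutions seen in the campaign above
(a look-alike letter, a hyphen for a dot, a doubled letter) plus a trusted
name hidden in the subdomain of some other domain."""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of domains users are expected to log in to.
TRUSTED_DOMAINS = {"academi.com", "osce.org", "ebay.com"}

# Character sequences that read alike in common fonts; both sides of a
# comparison are reduced to the same "skeleton" before being compared.
MULTI_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_GLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})


def skeleton(name: str) -> str:
    for seq, replacement in MULTI_GLYPHS.items():
        name = name.replace(seq, replacement)
    return name.translate(SINGLE_GLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels, e.g. log-in.osce.org -> osce.org.  Simplification: a
    real deployment would consult the Public Suffix List (co.uk and friends)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'trusted', 'lookalike', 'unrelated' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", "URL has no host")
    reg = registrable(host)
    if reg in trusted:
        return ("trusted", reg)
    reg_label, reg_tld = reg.split(".")[0], reg.split(".")[-1]
    for t in sorted(trusted):
        t_label, t_tld = t.split(".")[0], t.split(".")[-1]
        if f".{t}." in f".{host}.":                        # ebay.com.evil.net
            return ("lookalike", f"{t} is only a subdomain of {reg}")
        if reg.replace("-", ".").endswith(f".{t}"):         # log-in-osce.org
            return ("lookalike", f"{reg} uses a hyphen where {t} would need a dot")
        if skeleton(reg) == skeleton(t):                     # academl.com
            return ("lookalike", f"{reg} is made of look-alike characters for {t}")
        if reg_tld == t_tld and edit_distance(reg_label, t_label) == 1:  # eebay.com
            return ("lookalike", f"{reg} is one character away from {t}")
        if len(t_label) >= 4 and t_label in reg_label:       # ebay-secure-login.com
            return ("lookalike", f"{reg} embeds the name {t_label} with additions")
    return ("unrelated", reg)


if __name__ == "__main__":
    for u in ["https://log-in.osce.org/owa/", "https://log-in-osce.org/owa/",
              "http://academl.com/", "https://www.eebay.com/signin",
              "https://ebay.com.accounts-verify.net/", "https://mail.example.org/"]:
        print(u, "->", check_url(u))
```

Treat a "lookalike" verdict as grounds to block or hold the page for review rather than as proof, and an "unrelated" verdict as no assurance at all; the article's own point stands that string inspection is the weakest of the three controls, and this script only makes the inspection consistent, not complete.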
