Not unlike any other threat analyst, Marc Laliberte's email inbox fills up minute by minute. Some of which has made its way past the spam filter. The WatchGuard employee decided to finally act upon a certain phishing attempt in hopes of teaching the bad guys a lesson.
Spear phishing is a type of phishing attack in which the perpetrator customizes their attack to a particular individual or group of individuals. The attacker gathers information on the victim and then tailors the attack to be more likely to fool the target. The would-be attack arrived as an email appearing to come from the finance employee’s manager, requesting an urgent wire transfer.
Thanks to proper security awareness training, the finance employee recognized that the email’s blatant disregard for the official chain of command and finance protocols was suspicious and alerted the proper personnel.
In most cases, companies don't have the time or resources to follow the bread crumbs back to the perpetrator. But in this case Laliberte set out to learn as much as he could by playing along with the attacker. He responded to the first email and the attacker replied, asking “the finance employee” to contact them via text to a phone number the attacker claimed was the manager’s personal line.
The email’s source address was a seemingly random seven-digit number at gmail.com. The attacker didn’t try to spoof the message to make it appear to come from a WatchGuard account. Instead, the attacker relied on the message’s “From:” header to fool the target. Most mail clients use the “From:” header to display who a message came from, and often the client only shows a sender’s first and last name. In this phishing email, the “From:” header showed the WatchGuard manager’s first and last name, which might convince uninformed employees that the message really did come from that manager.
Laliberte did some digging and found that the phone number provided by the attacker was registered as a landline through Level 3 Communications with an area code matching Jacksonville, Fla. He suspected that the attacker probably was never physically located in Jacksonville, instead, he likely used a forwarding service to send and receive text messages through this number. Attackers commonly leverage the global nature of internet and telephony services to hide the true location of their attacks.
Laliberte texted the attacker using a disposable phone number. A day later, the attacker replied and quickly got to the point, requesting an urgent fund transfer as payment for a shipment of WatchGuard Fireboxes arriving the following week. He kept the attacker on the hook by alluding that a money transfer was possible and asked for further details.
Sign up for CIO Asia eNewsletters.