The attacker asked for a wire transfer of $20,000 to a man he claimed was in New York. Some quick research revealed that there were no fraud references related to the provided name. The attacker also sent account and routing numbers for the wire transfer itself. While providing bank account details adds legitimacy to transactions, it also increases the authorities’ ability to track payments in fraud investigations, making it risky for attackers to do. It appeared that the account details provided likely belonged to a compromised account that the attacker could quickly transfer money out of.
At this point, Laliberte had gathered all of the information the attacker would voluntarily share, but still had no clear picture of where he was located. However, the attacker did expect a wire transfer confirmation message. He masked the IP address (as seen below) of a honeypot server behind a URL-shortener and sent it to the attacker disguised as a confirmation link.
184.108.40.206 - - [22/Apr/2016:22:25:06 +0000] "GET /verify HTTP/1.1" 404 194 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"
When the attacker visited the link, it redirected him to the honeypot server where Laliberte logged his source IP and browser User-Agent data. The attacker’s source IP was registered to Airtel Networks Limited, a mobile Telco out of Nigeria. The User-Agent data told Laliberte that the attacker was connected to the honeypot using an iPhone running iOS 9.3.1. This confirmed the hypothesis that the attacker was using a forwarding service to receive text messages through the Jacksonville phone number.
Though the attacker was in Nigeria, he used a bank account (TD Bank) that required a permanent US address, meaning the account was either compromised or the attacker had an accomplice in the US (often called a mule) who could retrieve any transferred money. Laliberte contacted TD Bank to allow them to begin an investigation on attempted fraud by someone with access to the provided account.
This spear phishing attempt makes it clear just how big of a problem these attacks are today. No spear phishing protection is perfect. Even with technological solutions like DMARC or S/MIME, phishing messages will still slip through and reach employees, he said. It is critical that IT professionals train their users on how to spot and report attempted phishing attacks. With the growth of spear phishing, organizations need to update their training programs to help employees learn how to spot these more convincing, targeted email scams.
Sign up for CIO Asia eNewsletters.