These days, the art of sending personalized e-mails designed to trick users into divulging login credentials or clicking on malicious links (also known as “spear phishing”), has been limited to espionage campaigns carried out by state-sponsored groups. The resources needed for researching the names, addresses, and industries of large numbers of individuals were worth it when targeting a given organization that had blueprints or some other specific piece of data prized by the hacker. Though, there is no need to go through the trouble of spreading crypto ransomware or banking trojans to the masses when a single scam e-mail could do the same.
However, since the beginning of 2016, that truism has begun to unravel. The researchers at the security firm Proofpoint said that a single threat actor, dubbed TA530, has been targeting executives and other high-level employees in an attempt to trick them into installing an assortment of malware, including the CryptoWall ransomware program which encrypts valuable data and demands a hefty fee to undo the damage.
Some of the other malware distributed in the campaign include the Ursnif ISFB banking trojan and the Ursnif/RecoLoad point of sale reconnaissance trojan targeting businesses in the retail and hospitality industries. Usually, targeted executives have titles of chief financial officer, head of finance, senior vice president, and director.
In a blog post from Tuesday researchers say:
“TA530 customizes the e-mail to each target by specifying the target’s name, job title, phone number, and company name in the email body, subject, and attachment names. On several occasions, we verified that these details are correct for the intended victim. While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company’s own website. The customization doesn’t end with the lure; the malware used in the campaigns is also targeted by region and vertical.
While these campaigns aren’t approaching the size of, for example, Dridex and Locky blasts that go after very large numbers of random recipients, TA530 targets hundreds, thousands, or even tens of thousands of recipients in US, UK, and Australian organizations. These attacks are quite large relative to other selective or spear phishing campaigns.
We observed TA530 at times targeting only a specific and narrow vertical, such as Retail and Hospitality. At other times, the campaigns appear more widespread.”
Targeting high-ranking executives and managers has distinct advantages to hackers pushing this type of malware. Often, people on such positions prefer to have access to their company’s online bank accounts and finance systems, which makes them prime victims for banking or point-of-sale trojans. Besides, the data stored on their computers is usually crucial to their company’s success, which makes it more likely that they will pay ransoms when the data is encrypted.
“Based on what we have seen in these examples from TA530, we expect this actor to continue to use personalization and to diversify payloads and delivery methods,” the blog post concludes.
“The personalization of email messages is not new, but this actor seems to have incorporated and automated a high level of personalization, previously not seen at this scale, in their spam campaigns.”