November 17, 2016 PHISHING

Spear Phishing, Part 1

One of the dangerous issues we currently face with spam emails is that of spear phishing – a type of phishing spam email targeted at the recipient.  While most spam deploys a shotgun approach (send billions of emails and see what sticks), spear phishing attacks are specifically aimed at the recipient, requiring hackers to do their homework on the targeted victim.  It is by no means random.  If their efforts are to be handsomely rewarded, they must target Executive and C levels, where a click on the wrong email can inflict serious damage.  These emails are usually made to appear as though they are coming from one C level, to either another C level or someone else with the authority to act upon the request.

Most of our clients are financial institutions (banks and CUs), and as such, a frequent phishing attempt we see in this particular sector is an email appearing to originate from the CEO.  The request is likely to be to execute a wire transfer, with the intended target being the CFO, or the person in the bank who oversees such wires.

To be convincing, hackers need to emulate as much of the CEO as possible which, at first glance, may seem a daunting task.  Unfortunately, given how we are all far too eager to share as much of ourselves as possible these days, through various social media platforms, it isn’t as impossible a task as it might appear. Hackers can quickly find out the name of the CEO, the address of the business and the main phone number; thus crafting a false signature isn’t all that difficult.  If the recipient has never received an email from the CEO before, he/she may well fall into the trap.

The second step is to find out who’s doing the wires.   That’s why the CFO might be the target here: he has the authority to forward that email and ask for the wire to be executed.  However, we’ve also seen such emails directly targeting the employee who can run the wire.  In such instances, it means hackers have invested a little more time researching the company, perhaps through connections on LinkedIn, or some other channel.  However they went about it, they now have the information they need, and have placed a bullseye on that person.

What the SMTP protocol specifies and doesn’t specify

To understand how this could be technically possible, we first need to understand how email works, and what the SMTP protocol specifies and doesn’t specify (SMTP stands for Simple Mail Transfer Protocol and is the protocol used on the internet to send emails).  When SMTP was devised about 40 years ago, security wasn’t at all a concern.  Therefore, the creators of the protocol simply set out to model electronic communications in the image of physical mail.   When we write a letter, we have an envelope and a page on which we compose the ‘body’ of our letter.  On the envelope, we write the name of the recipient, with the actual address we want it to go to.  We then pen our own name and address as the sender, so that if the letter cannot be delivered, it is returned to us.

On the inside, however, we do not replicate all this.  Depending on the person to whom we’re writing, we may say “Dear Larry”, or “Hello son”, or something to that effect.  When we’re done, we end by signing the letter.  NOTHING says we _have_ to use our name.  We could be signing “Dad”; or “Pierluigi”, or use a nickname.

The SMTP protocol accounts for this and allows it in electronic format.  An email consists of 2 parts – the envelope and the body.  Users who never deal with email scanning never see the envelope. Your email server behaves like JARVIS: it opens the “letter” for you and discards the envelope.  So you, as a user, are most likely unaware that this part of the email even exists.  I personally know I didn’t, that is, before I started dealing with spam and malware.

What you receive in your inbox is what we call the body of the email, which is the electronic equivalent of the actual physical letter of old times.  The body is, in turn, divided into 3 areas:-

  •   Headers
  •   Actual body
  •   Attachments

We all know what attachments are.  We can easily understand which part is the ‘body’.  The headers contain a few well-specified fields, the following being relevant to our current discussion:-

  •   From:
  •   To:
  •   Subject:
  •   Reply-to:

The From:, To:, and Subject: are those that Outlook shows you at the top of the email.  NONE of these fields is mandatory.  The reason why your email server delivered that email to _you_ and not to someone else is what was written in the envelope, not the To: field in the headers of the body.

This also means that these fields can be entirely different from those in the envelope.  And that’s where the phishing trick comes into play.  You as a user only see the From: and To:.  Therefore, if I’m a hacker, I can write the following into the email headers:-

From: Tim Cook (the CEO of Apple)
To: Luca Maestri (the CFO of Apple)

If Mr Maestri isn’t careful, he’ll think the email originates from Mr. Cook and will execute the order.  However, if we analyze the envelope as logged by the server, we will likely find:-

  •   The originating IP of the email does not belong to Apple
  •   The server sending the email (identified by the name it announces in the “EHLO” greeting) isn’t Apple’s
  •   The sender in the envelope may or may not match the From: address shown in the body headers, and most likely it does not
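The envelope-versus-header comparison described above, written out as an added Python example that is not from the original article. It parses a constructed message the way a receiving server stores it (envelope sender in Return-Path, connecting IP and EHLO name in the top Received: line) and flags the discrepancies a scanner would look for; the domain names, IPs and the trusted-network allow-list are hypothetical values chosen for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message as a receiving server would store it. Return-Path
# preserves the envelope sender (MAIL FROM); the Received: line records the
# connecting host's IP and its EHLO name. The body headers claim something else.
RAW_MESSAGE = """\
Return-Path: <bounces@mail-relay.example.net>
Received: from mail-relay.example.net (unknown [203.0.113.45])
    by mx.corp-bank.example (Postfix) with ESMTPS id 4F2A1; Thu, 17 Nov 2016 10:12:33 +0000
From: "CEO" <ceo@corp-bank.example>
To: "CFO" <cfo@corp-bank.example>
Reply-To: <ceo.corp-bank@freemail.example>
Subject: Urgent wire transfer

Please process the wire today. Thanks.
"""

# Hypothetical allow-list: networks that legitimately send mail for our own domain.
TRUSTED_SENDING_NETS = {"corp-bank.example": ["198.51.100.0/24"]}

# Matches Postfix-style "from <ehlo-name> (<rdns> [<ip>])" in a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^\[]*\[([\d.]+)\]\)")


def domain_of(addr_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw, trusted_nets=TRUSTED_SENDING_NETS):
    """Compare the body headers with envelope/transport data; return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    if domain_of(msg["Return-Path"]) != from_domain:
        findings.append("envelope sender domain differs from From: header")
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To: points to a different domain than From:")
    # The first Received: header is the one our own server added on receipt.
    m = RECEIVED_RE.search(str(msg["Received"] or ""))
    if m:
        ehlo_name, ip = m.group(1).lower(), ipaddress.ip_address(m.group(2))
        if not ehlo_name.endswith(from_domain):
            findings.append("EHLO name is not under the From: domain")
        nets = [ipaddress.ip_network(n) for n in trusted_nets.get(from_domain, [])]
        if nets and not any(ip in n for n in nets):
            findings.append("originating IP is not a known server for the From: domain")
    return findings
```

Run against the constructed message, all four checks fire; a genuine internal message (matching Return-Path, EHLO name under the domain, IP inside the allow-list) produces no findings.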

In our second and concluding part on Friday, we’ll share how one of our clients experienced spear phishing directly, and how we went about resolving the issue.