The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks
From the costly to the clever to the just plain creepy, here are the recent phishing campaigns that have earned our reluctant recognition.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2839ddaab25b9dc2/64f0db91ddab7a84e6285b78/PoolShark.jpg?width=700&auto=webp&quality=80&disable=upscale)
Phony Breach Notifications
After a phishing attack resulted in the breach at Anthem, other opportunistic criminals took advantage of the unfortunate situation, victimizing some breach victims a second time.
Knowing that people would be on the lookout for breach notifications, they sent out this message:
Users who clicked to sign up for credit protection received something much less helpful.
(Message courtesy of KnowBe4)
Funeral Scams
This category of phishing attacks is "one of the slimiest," says Stu Sjouwerman, CEO of KnowBe4, "as this targets a grief-stricken person and exploits the sudden death of a friend or family."
Likely targets can be gleaned from social networks and obituary listings, and targeted messages can suggest making donations in the deceased's memory or include invitations to memorial services.
(Message courtesy of KnowBe4)
PacMan Ransomware
In March 2014, the operators of the PacMan ransomware distributed their nasty code to a very, very narrow audience: Danish chiropractors.
As researchers at CSIS reported, the phishing message, written in "flawless Danish," claimed to come from an individual suffering from neck and back woes who had just moved into the area and was looking for a new chiropractor.
The phishermen enlisted the help of both malicious files and cloud services in this attack. The message included links to Dropbox files the sender said were MRI and CAT scan image files, but were in fact the PacMan ransomware.
RSA breach
There are still unanswered questions about the 2011 breach at security company RSA that exposed information the company said could "reduce the effectiveness" of RSA's popular SecurID two-factor authentication mechanism. What remains a mystery is whether the source code or the cryptographic seed values were compromised. The company has remained mum on that point.
What they were quite open about, though, was that breach began with a phishing message -- one so convincing that employees at a security company actually retrieved it from their "Junk" folders.
The email subject heading said "2011 Recruitment Plan," and included a malicious Excel file that installed a backdoor via an Adobe Flash vulnerability.
BEC, Version 2
More recently, Jackson explains, BEC attacks have started targeting smaller organizations, impersonating CEOs, and "leveraging that personal relationship, saying 'hey I need you to do me a favor quick.'"
They're going for smaller takes -- in the $5,000 to $20,000 range -- although they may hit the same organization multiple times. Sometimes they'll bring up the idea of a wire transfer quickly, but they won't get all the details right away. They begin a conversation with their mark. Perhaps saying Are you in the office? I'm on the road and need you to handle something ASAP! and tacking on a "sent from my iPhone" to make it more convincing.
"They've gotten good at creating that sense of urgency and making you feel confident that you are doing the right thing," says Jackson. "Once they think they've got you on the hook, they'll give you those bank details."
One of the intriguing things about BEC attacks, says Jackson, is that targets can actually help -- with the proper guidance of security professionals -- by engaging with their attackers, instead of ignoring them. Pretending to believe them, and obtaining their bank details can be of great use to law enforcement.
"Now we have to interact with those criminals," he says.
Sjouwerman and the staff at KnowBe4 know all about this, because one of these second-generation BEC attackers actually took aim at them.
The BEC phishing message was sent to the company's financial controller, and appeared to come from their CTO, simply asking "I need you to take care of a wire transfer for me today. What is required for you to process?" Fortunately, the financial controller recognized the message for what it was and reported it.
Instead of ignoring the message, KnowBe4 decided to respond. Their would-be attackers requested $19,860 and sent banking information to accept the wire transfer. Read more about how they recognized, responded and phished back the attacker, here.
You invest in the slickest, smartest, security gear. The latest in threat intelligence, behavior analysis, and every other cutting-edge tech that widened your eyes on the trade show floor. It's excellent, exciting, expensive...and useless against a top-notch social engineer.
Okay, that might be a bit of an overstatement, but there are plenty of examples when social engineering bested the best security technology -- to sack Troy with a wooden horse or to steal diamonds with a charming smile.
These days, the social engineer's favorite tool isn't the smile; it's the humble phishing message.
It's a very adaptable piece of kit. It can deliver any manner of malicious payloads, as attachments, embedded objects, or links. It can be customized to lure in any kind of game -- from John Q. Public to John Q. White House Ambassador. It can be used as part of attacks to steal data, steal money, or steal secrets.
Adaptable and successful. Take a peak behind some of the biggest breaches and costliest attacks and you may see a phishing message at the root of it.
So, with some help from experts at KnowBe4 and PhishLabs, we've decided to recognize some of the most intriguing examples of phishing in recent history. The clever, the costly, the just plain creepy.
Read on to see which attack campaigns and categories earn the dubious honor of winning one of the coveted Phishie Awards.
Anthem Healthcare
Last February, Anthem Healthcare reported a massive data breach that exposed the personal records of 80 million patients. Forensic investigators and security researchers believe an advanced persistent threat group was behind the attack, and that it all started with spearphishing.
Symantec researchers have linked it to "well-resourced cyberespionage group" Black Vine. Although the group more typically uses watering-hole attacks, Symantec reported that they used a different tactic in Anthem's case -- spearphishing.
The attackers delivered custom data-stealing malware "disguised using Citrix and Juniper lures, indicating that the initial attack may have been aimed at Anthem's technical staff."
Anthem Healthcare
Last February, Anthem Healthcare reported a massive data breach that exposed the personal records of 80 million patients. Forensic investigators and security researchers believe an advanced persistent threat group was behind the attack, and that it all started with spearphishing.
Symantec researchers have linked it to "well-resourced cyberespionage group" Black Vine. Although the group more typically uses watering-hole attacks, Symantec reported that they used a different tactic in Anthem's case -- spearphishing.
The attackers delivered custom data-stealing malware "disguised using Citrix and Juniper lures, indicating that the initial attack may have been aimed at Anthem's technical staff."
Phony Breach Notifications
After a phishing attack resulted in the breach at Anthem, other opportunistic criminals took advantage of the unfortunate situation, victimizing some breach victims a second time.
Knowing that people would be on the lookout for breach notifications, they sent out this message:
Users who clicked to sign up for credit protection received something much less helpful.
(Message courtesy of KnowBe4)
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024