The Unhappy Boss
Large organizations have an added pressure of having so much organizational information publicly available on the Internet. If an attacker has performed due diligence during the planning phase it would be possible they could find organizational information such as employees, roles, and reporting structures – this is especially true for larger companies. This information can be highly valuable for adversaries since not only does it provide potential targets, but also names of potential senders to spoof.
A common strategy of attackers is to not only identify personnel associated with the target but to also identify the relationships between those personnel as well as their interests and corporate culture. If the phisher can craft a message that makes it seem like it is coming from a victim’s trusted colleague, or better yet, the victim’s boss, then the attacker gains an advantage by spoofing a trusted entity.
The message below is an example of a phishing campaign that leverages this technique.
This message exploited a relationship between manager and employee by faking a message to the manager, from the training department and forwarded on to the employee. This simple forward and one line message from the “manager” aids the authenticity and urgency of the malicious message. The attacker’s hope is that the employee will be panicked enough to follow the instructions without bothering to validate the sender or the training link.
This ruse, coupled with a cleverly disguised hyperlink redirecting to a payload is a low risk / high reward attack strategy. If crafted correctly, a training document can be weaponized, hosted, downloaded, and executed and the victim may be none the wiser.
These are the types of scenarios that keep security managers up at night. As often as we like to blame the user community for such compromises, keep in mind that user awareness is only one of multiple security controls such as spam filters, web proxies, and administrative controls, that have failed. With that said, a sophisticated user awareness program is a great start but the entire attack chain also needs to be reviewed and tested with weaknesses being addressed accordingly. It is true that the failure rate of users is higher than that of other controls, but organizations need to maintain a defense in depth strategy and leverage compensating controls whenever possible.
Being aware of organizational information that is publicly available on the Internet is a worthwhile practice – but implementing and regularly testing technical controls such as proxy filters and sandboxing is an effort that will pay dividends in phishing protection. If your organization depends solely on user-awareness, then you can almost guarantee that your organization will eventually be victim to a phishing attack.