Businesses have been put on alert following the discovery of a new personalized phishing scam that attempts to trick users into installing malware on their company’s computers. These new personalized phishing scam emails are primarily being used to spread CryptoWall ransomware, although that is far from the only payload delivered.
New Personalized Phishing Scam Delivers Wide Range of Malware
The new scam is also being used to deliver the Arsnif/RecoLoad POS reconnaissance Trojan to organizations in the retail and hospitality industries, as well as the Ursnif ISFB banking Trojan.
The current attack does not target all employees. Instead it is used to try to install malware on the computers of users with elevated network privileges such as senior executives, CFO’s, senior vice presidents, CEO’s, heads of finance, and company directors. These individuals not only have access to a far greater range of data, they are also likely to have access to corporate bank accounts.
If the payload is delivered it can result in POS systems being infected, access to bank accounts being gained, as well as widespread data encryption with ransomware. Once single email could cause a considerable amount of damage. The emails are currently being used to target organizations in the financial services, although the retail, manufacturing, healthcare, education, business services, technology, insurance, and energy sectors have also received large volumes of these emails.
What makes this particular phishing campaign stand out is the fact that the emails have not been delivered to random individuals. Many spammers send out phishing emails in the millions in the hope that some individuals will respond. However, this is a personalized phishing scam targeting specific individuals. Those individuals have been researched and the emails include data specific to the target.
Each email refers to the recipient by name and includes their job title, address, and phone number in the body of the email. The subject is specific, the email crafted for a particular industry, and the attached files and links have been named to make them appear genuine. The emails have also been well written and do not contain the spelling and grammar mistakes typical of spam email.
A personalized phishing scam such as this is not usually conducted on such a large scale. Spear phishing emails are usually send to just a handful of individuals, but this personalized phishing scam is being sent to many thousands of people, in particular those in the Unites States, United Kingdom, and Australia.
The data used in the email body could have been harvested from a social media site such as LinkedIn, although the scale of the attack suggests data has been obtained from elsewhere, such as a previous cyberattack on another company such as a supplier or an Internet site. Companies that do not use a robust spam filter such as SpamTitan are particularly at risk.