There's been a worrying development in spear-phishing, with a security company observing a new campaign in which the attacker(s) has been able to scale up and target a much larger group of would-be victims.
Proofpoint says that it has been tracking a threat it has named TA530 since the beginning of the year, which is targeting top-brass execs including vice presidents and directors along with the likes of CFOs.
Spear-phishing refers to the fact that a malicious email is highly targeted to the victim, containing personal details designed to persuade them that it's a genuine message.
Normally that takes a fair bit of work in terms of tailoring the email, but the danger with the new TA530 threat is that it appears to automatically customise each email to include not just the victim's name, but also job title, company name and phone number. Not only this, but it also offers up relevant subject lines and attachment names all designed to lure the victim into making that fatal click which lets malware invade their computer.
While Proofpoint says it doesn't know for sure how the malicious actor is obtaining said details, they are freely available on the web from the company's site or social media sites like LinkedIn.
Apparently the malware payload delivered is also tailored to the region and industry of the specific target – the security firm reckons that TA530 has seen over 300,000 phishing emails sent to date, targeting those in the UK, US and Australia.
Targets have been observed across most industry sectors, although unsurprisingly the prime target is financial services.
Spear-phishing obviously has a greater chance of succeeding than normal blanket phishing, and it's truly a concern if malicious parties are finding ways to effectively make spear attacks easier to implement, and thus crank up the volume.
Phishing in general is becoming an increasing problem to the extent that police in the UK have warned over the matter. As ever, treat any email you receive with a degree of caution, and those with links and attachments should be regarded with an extra serving of suspicion.
As should those with attention-grabbing subject lines about invoices, money being owed, or other potentially panic inducing material.
- We have some anti-phishing tips for you: How to avoid online phishing