publishing date icon
June 9, 2021
read time icon
5 min. read

Big money spear phish campaign on the loose

Author image
Jon Gellin
Junior Threat Analyst
facebook iconLinkedin iconTwitter icon
Post hero image

How a spear phisher skewers victims

Here’s a major spear phishing campaign we’ve seen resurface after first making the rounds in early 2020. It’s targeting people around the globe and in a plethora of languages.Spear phishing is an email scam that's targeted at a specific person or business. As you'll see, they can be very effective and deceptive.The initial email of this campaign is well crafted. Its first-name greeting makes the email feel more personal and legitimate. The lawyer mentioned has been carefully selected. He’s a very public figure, so a basic Google ID check will turn up many results and create a sense of legitimacy. This lawyer works in a large, easily recognizable law firm, which further establishes a sense of trustworthiness. The email is signed by a colleague of the victim, and the final touch, “Sent from my phone,” is added to make it seem less suspicious that the email originates from an external email address.

Email 1: Spear phisher posing as colleague

The hook is now in the water. Replying to this email initiates a dynamic discussion based on the reply. The second email sent by the malicious actor explains the situation further.

Email 2: spear phisher posing as colleague[/caption]Note the flexibility the malicious actor is expressing by asking for the best way to complete the transfer, leaving room for varying company policies.Now let’s take a real case that progressed worryingly far. The victim is now replying to the second message. In this case it happens to be a new employee, which might boost the scam's potential for success.

The spear phishing trip

Victim response to email 2

Spear phisher's first response to victim establishes deadline urgency and financial stakes

Victim's response

Spear phisher dials up the deadline urgency

Victim's response

The spear is thrown

Close call

This whole conversation happened in under six hours. The last email sent by the malicious actor was delivered at 3:06 PM, leaving the victim under an hour to complete the transaction. The victim finally realized something was fishy and, fortunately, reported the email instead of following through with the transfer.Think about that for a second. The malicious actor got within an inch of walking away with a couple million dollars in stolen funds, armed with only some background reconnaissance, a well-thought-out story, and a couple hours of work.In other iterations of this campaign, depending on how the conversation has progressed, we’ve seen malicious attachments as well as contact information of coworkers in specific roles and other confidential company information being shared. This shows just how dangerous a spear phishing campaign can be.Steering clear of these types of impersonation attacks is actually quite simple. If an email originates from an external domain but tries to make you believe it comes from a colleague, always contact the person via some other communications channel to verify. One additional phone call or text message surely is better than losing millions of company funds.

Hoxhunt response

The Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.

Subscribe to our newsletter