Phishing attack with a 90% success rate

Olivia Storey

Hackers are finding more and more imaginative ways to gain access to your sensitive data, and in some cases, just reinventing the wheel.

Research from Barracuda has shown how effective targeted phishing can be within a company. This spin on phishing was particularly effective against an airline company, whose staff were emailed in targeted, well-planned attacks.

Impersonation

The attack starts with an impersonation – ever get an email posing as HMRC, iTunes, or Amazon? It’s similar to that. In the airline's case, however, the attacker impersonated a travel agent or another airline employee sending an e-ticket or receipt to the airline employee.

These phishing attacks are well thought out and planned: each email is aimed at a specific person and tailored to suit the recipient. The targeted email looked and sounded legitimate.

‘Reel’ them in

Each email sent to the employees contained an attached ‘ticket’, ‘flight confirmation’, or something similar, typically in a PDF or DOCX format. Once the attachment has been opened, the malware strikes and spreads.

This ‘advanced persistent threat embedded in an email attachment’ is the second stage of the attack. Analysis by Barracuda showed these attacks on staff have a success rate of over 90%, with the attachment being opened and the malware effectively attacking the system.

This is one of the highest success rates for a phishing attack.

Using ‘bait’

A third tactic was observed during an email threat scan, which flagged up thousands of emails containing a link to a phishing website where the unsuspecting employee enters sensitive and personal work details. The website is designed to look just like an airline company website, or the travel and expenses systems the company uses, leaving the victim none the wiser.

The phishing site will then steal and store the data entered by the victim, and the attacker uses those credentials to access the corporate network and internal company systems.
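
As an added example (not part of the original article or of Barracuda's research), the three traits described above can be turned into a simple mail triage check for defenders. The trusted domain list, the lure keywords and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values: the organisation's own domains and the lure wording to watch for.
TRUSTED_DOMAINS = {"example-air.test", "expenses.example-air.test"}
LURE_WORDS = re.compile(r"e-?ticket|flight confirmation|receipt", re.I)
RISKY_EXTENSIONS = (".pdf", ".docx")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw_email):
    """Return which of the article's three traits a raw message shows."""
    msg = message_from_string(raw_email)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    external = not _trusted(sender_domain)
    if external and LURE_WORDS.search(msg.get("Subject", "")):
        findings.append("travel-themed subject from external sender")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if external and name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment from external sender: {name}")
        if part.get_content_maintype() == "text" and not name:
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                # A trusted name used as a subdomain prefix is still untrusted.
                if not _trusted(host):
                    findings.append(f"link to untrusted host: {host}")
    return findings

def build_sample():
    """Constructed sample message; all names and domains are made up."""
    m = EmailMessage()
    m["From"] = "Bookings <agent@travel-partner.test>"
    m["Subject"] = "Your e-ticket and flight confirmation"
    m.set_content("Log in at https://example-air.test.portal-login.test/expenses to confirm.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="pdf", filename="e-ticket.pdf")
    return m.as_string()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```

A check like this only prioritises messages for review; it does not replace attachment sandboxing or user reporting.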

 

Does your company have a system in place to help prevent or educate about phishing emails? Let us know on Twitter @ESETUK.

  
