African Bank Malware Campaign Shows Actor's Persistence
Aite-Novarica's Schreider Breaks Down What Makes This Scam 'Interesting'
HP Wolf Security, Hewlett Packard's security research team, released new research indicating threat actors are launching phishing campaigns against employees in the African banking industry with the intention to do damage, including potentially attacking the country's finance sector with ransomware.
Researchers recount in a blog post how cybercriminals drafted credible phishing emails and registered a website impersonating a well-known banking organization to lure victims with a top-tier job opportunity. Once a victim falls for the scam, the threat actor delivers a payload via a commercial remote access tool, Remcos. Possible follow-on actions once the malware is installed include using the persistent access to make transactions, using the harvested data to go after other employees, selling the information on the darknet, or launching a ransomware attack.
The TTPs involved are nothing new for most security professionals, especially in the finance sector, which is inundated with advanced fraud schemes daily. One attack vector, HTML smuggling, which sneaks a malware-carrying attachment past security controls, has been attractive to threat actors for years.
But, according to Tari Schreider, strategic advisor at Aite-Novarica, a research group that serves financial institutions among other cybersecurity sectors, what is notable about this campaign is the actor's intent and its detailed social engineering methods. The research also provides a very detailed technical account of the attack attempt.
"It is not new the fact that banking employees are being targeted through forms of social engineering, including very sophisticated phishing attacks, to give up credentials to be able to infiltrate a bank system. That part of it happens," Schreider tells Information Security Media Group. "That's just part of the daily risk. What is interesting, though, are the motives and the patience the bad actors have."
Additionally, Schreider touches on ways security professionals can enhance protections and create better employee training programs.
The Phishing Email and Social Engineering
Researchers provided a detailed account of how a threat actor sent a phishing link to an employee of an unnamed bank in West Africa. One aspect of the campaign that mirrors a tactic used by North Korean nation-state actors is the creation of several typosquatted websites, fake domains set up to build trust. The actor was also not afraid to make direct contact with the victims and was patient in those attempts.
"If the websites were used for phishing or hosting malware, spending time to configure these records would not serve any purpose," reads the blog. "Visiting the websites increases the recipient’s trust in the email lure because they are shown content copied from the legitimate bank, ultimately making them more likely to act upon the email."
It was not revealed, however, whether the employee clicked on the link or simply reported it and to what level this posed an organizational risk.
ISMG did not immediately reach a spokesperson for HP Wolf Security to answer queries.
Stopping a cybercriminal from carrying out this kind of social engineering is more challenging. Some security teams put a domain-buying policy in place to hinder threat actors from registering lookalike domains that might fool consumers or staff. Aite-Novarica's Schreider says this method has obvious obstacles.
"If you take all the letters of Bank of America, and misspell one letter, how many times can you do it? You can add different combinations. You could come up with hundreds of domain names."
HTML smuggling gives threat actors a way to disguise the malware. Burgeoning cybercriminals might see the technique and notice it is lucrative, then latch onto it as a means to enhance a new campaign, Schreider warns.
Blocking emails that carry HTML content, including HTML attachments and links inside any attached files, is one of the most effective strategies to thwart an attacker, he says. Organizations with tight security, such as large financial services firms, may already have this step implemented; however, many businesses still do not.
"I would say there's a lot of people catching up because it's a balance between convenience and information protection."
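The mitigation Schreider describes, blocking HTML attachments and flagging links or smuggling logic inside attachments, can be enforced at the mail gateway. The following is an added example, not code from HP Wolf Security or Aite-Novarica; the sample message, its addresses and the base64 placeholder are constructed, and the marker list is an assumption based on the client-side decode-and-download pattern that HTML smuggling relies on.

```python
import email
import re
from email import policy

# Constructed sample message: an HTML attachment whose script decodes an
# embedded base64 string and triggers a download purely client-side.
SAMPLE_EML = """\
From: recruiter@example-bank-careers.test
To: employee@example-bank.test
Subject: Senior position - application form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form.
--b1
Content-Type: text/html; name="form.html"
Content-Disposition: attachment; filename="form.html"

<html><body><script>
var b = atob("UEsDBBQAAAAIAA==");
var blob = new Blob([b], {type: "application/octet-stream"});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob);
a.download = "form.zip"; a.click();
</script></body></html>
--b1--
"""

# JavaScript constructs typical of smuggling droppers (assumed marker set).
SMUGGLING_MARKERS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob"),
}
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def scan_message(raw: str) -> list[dict]:
    """One finding per attachment: HTML is blocked outright, as the article
    recommends; other attachments are escalated on smuggling markers or links."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if not (part.is_attachment() or name):
            continue  # inline body text, not an attachment
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        hits = [n for n, rx in SMUGGLING_MARKERS.items() if rx.search(body)]
        urls = re.findall(r"https?://[^\s\"'<>]+", body)
        is_html = (part.get_content_type() in HTML_TYPES
                   or name.lower().endswith((".html", ".htm")))
        verdict = "block" if is_html or len(hits) >= 2 else (
            "review" if hits or urls else "allow")
        findings.append({"filename": name, "content_type": part.get_content_type(),
                         "markers": hits, "urls": urls, "verdict": verdict})
    return findings
```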
Don't Touch the Wet Paint
For some users, it can be enticing to see what happens when clicking a phishing link. Schreider says this curiosity is similar to seeing a "wet paint" sign and having an immediate desire to touch it.
While more tech savvy employees will catch a phishing email as being an obvious scam, Schreider says the level of sophistication involved in this scam is used to make users feel special and sought after.
The only way to reduce these targeted attacks, according to Schreider, is to create a comprehensive phishing training plan that goes beyond a once-monthly email blast about the latest scams.
Instead of basing training methods off fear, security leaders can design training plans that explain: "Here's what a phishing attack looks like. Here's simulations of phishing attacks. And what happens if you click on this and how to spot somebody that's trying to seduce you into a relationship, business or otherwise, for nefarious reasons?"
Schreider says basic phishing training goes beyond a check-box list, yet also acknowledges "a security person doesn't have all the time in the world" and may only realistically be able to spend around 30-35% of time toward securing devices.
"A scammer isn't burdened by bureaucracy," he continues, emphasizing the importance of awareness, as well as blocking and tackling techniques, to protect enterprise networks.