One of the most widespread and damaging spear phishing attacks to hit the internet is underway now. It surfaced a few days ago and is still active. Pay attention to defenses you can use now to minimize possible damage.
It’s getting easier to spot a general phishing email. Tipoffs include glaring mistakes such as misspellings or grammatical errors, a sender who demands that you click or reply urgently, or a message that simply doesn’t feel or look legitimate. A spear phishing email is much harder to spot because it targets something specific about you or your organization, which makes it far more convincing.
General phishing attacks are usually sent to masses of email addresses with no specific target, in the hope that someone takes the bait. By contrast, cyber criminals who use spear phishing have collected specific details about their targets and use that information to trick victims into opening attachments, providing information, or replying. The spear phish might target one individual, or a group of individuals who share something in common – they work at the same company, went to the same school, use the same bank. With inside information, thieves can tailor a message to the targeted group and convince more people to take the bait.
Tricksters Use Familiar Brands like Constant Contact
A recent sophisticated attack used a compromised email account at Constant Contact, a popular and widely recognized email marketing software company. Details were published in a joint warning from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
The attacker sent spear phishing emails to more than 7,000 accounts across hundreds of government, intergovernmental and nongovernmental organizations. The email was made to look as though it came from a legitimate U.S. Government organization and contained a genuine Constant Contact link that redirected to a malicious URL, from which a malicious file was dropped onto the victim’s system.
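Because the link in the message is a genuine mass-mailer tracking link, a mail filter that only checks the visible domain sees nothing wrong; the tell is where the redirect chain ends. The following added example (not code from the advisory, CISA, or Constant Contact) parses a constructed message, follows each mailer link through a constructed offline redirect table standing in for the HEAD requests a sandbox would make, and flags links whose final destination is neither the mailer nor the claimed sender. All domains, paths and message text are made up.

```python
"""Flag mailer tracking links whose redirect chain ends off-mailer and off-sender."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed redirect table (URL -> Location header). A real resolver would
# issue HEAD requests without auto-following, one hop at a time, in a sandbox.
REDIRECT_TABLE = {
    "https://mailer.example/track?id=1": "https://download.attacker-example.test/brief.iso",
    "https://mailer.example/track?id=2": "https://agency.example.gov/newsletter",
}

# Constructed sample message: one mailer link leads off-site, one back to the sender.
CONSTRUCTED_MAIL = """From: Outreach <news@agency.example.gov>
Subject: Special alert
Content-Type: text/html

<p>Read the latest <a href="https://mailer.example/track?id=1">documents</a>
or visit the <a href="https://mailer.example/track?id=2">archive</a>.</p>
"""


def resolve_chain(url, table=REDIRECT_TABLE, max_hops=10):
    """Follow redirects hop by hop via the lookup table; return the full chain."""
    chain = [url]
    while url in table and len(chain) <= max_hops:
        url = table[url]
        chain.append(url)
    return chain


def registrable(url):
    """Crude registrable-domain key (last two labels); enough for this example."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def suspicious_links(raw_mail, mailer_domain="mailer.example"):
    """Return (href, final_url) for mailer links that end outside mailer and sender."""
    msg = message_from_string(raw_mail)
    sender_domain = registrable("http://" + msg["From"].split("@")[-1].rstrip(">"))
    findings = []
    for href in re.findall(r'href="([^"]+)"', msg.get_payload()):
        if registrable(href) != mailer_domain:
            continue  # only mailer links get the redirect check here
        final = resolve_chain(href)[-1]
        if registrable(final) not in (mailer_domain, sender_domain):
            findings.append((href, final))
    return findings
```

In production, replace the table lookup with per-hop HEAD requests from an isolated host and log the whole chain, since the intermediate hops are what distinguish an abused mailer from a spoofed one.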
Microsoft tracks cybersecurity issues across the world and writes a regular blog with guidance for its customers on how to manage and defend against cyber threats. It has been tracking the origins of this latest spear phishing threat, which it attributes to a group it calls NOBELIUM, and on May 27th wrote:
The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
According to Microsoft, NOBELIUM was also the group behind the SolarWinds attack late last year, considered the largest spying operation against the U.S. in history: it infiltrated high-level government systems and large U.S. companies for months before detection.
Microsoft’s description outlines a gradual increase in stealth and sophistication by NOBELIUM since January 2021, culminating in the May 25, 2021 Constant Contact scam. There is reason to believe the cyber thieves are still busy finding new ways to trick email users into letting them in. Microsoft describes it as “an active incident” and plans to update its blog as the situation develops.
For information from Microsoft about how to defend against this latest threat, read New Sophisticated Email-based Attack from NOBELIUM.
Healthcare is a Target
Medical identity theft is rampant today because protected health information is valuable to thieves – much more valuable than Social Security or credit card numbers. Ransomware is skyrocketing, and the most common entry point for cybercriminals is email.
But if you’re complying with HIPAA, you’re much more likely to win the battle, because HIPAA compliance is a blueprint for protecting against cybercrime. Make sure you are conducting a HIPAA Risk Analysis and following your Risk Management Plan.