Case Study of Spear Phishing Malware
- Tejas Nikumb
- Sep 27, 2022
- 4 min read
Problem Statement
A multinational manufacturing business, referred to here as XYZ*, with a six-decade history in roofing and in indoor and exterior construction materials and solutions, was the target of a spear-phishing email attack. By fooling one of the organization's sales staff into updating the bank account details of a trusted vendor, the attacker created confusion and waited for the ideal chance to divert payments to his own bank account.
As a multinational corporation, XYZ* has numerous global vendors that supply it with various kinds of building materials. Essentially, the vendor issues the bill once the products have been delivered. Despite being an international firm, the organization's policy did not specify to whom a vendor should send billing data. As vendors understood it, they normally communicated the bill and bank account data to the organization's accounting department.
An email was sent to the organization's sales representative requesting that the bank account information of one of their vendors be modified. The modification had not been confirmed beforehand with any employee of the organization. The sales representative forwarded the information to the appropriate accounts department personnel for further action. While going through the email, the accounts staff noticed something peculiar, which raised suspicion and prompted a request for a suspicious-activity investigation. Because of this raised warning, neither the legitimate vendor's account nor the organization's systems were compromised.
Furthermore, during the investigation it was discovered that, before engaging SOC Shashwat, the organization had neither appropriate information security management guidelines as defined in ISO 27001 nor any set of guidelines for information security risk treatment, both of which must be defined as part of the objectives of an organization's information security management system (ISMS).
As a result of the requested investigation, SOC Shashwat supported the business in obtaining ISO 27001 certification, offering guidance to the firm in developing and implementing policies following ISO 27001 guidelines. The scenario above demonstrates a spear-phishing attack in which the attacker sent the organization's sales employee a fake email purporting to come from the organization's vendor, which appeared to originate from the vendor's authentic email address. Relying on that trust, the attacker expected the organization's accounts staff to update the bank account data quickly via the sales team. In this approach, hostile attackers tailor spear-phishing emails with social engineering to specifically target susceptible victims, making it very easy for them to circumvent the most stringent security measures.
Inspection
SOC Shashwat took up this investigation in response to the organization's request to investigate the suspicious email.
In the initial stage of the inquiry, we seized the laptop of the sales employee who had received the phishing email and forwarded it to the accounts employee. During questioning, it became clear that the sales employee's intent was not malicious, that his laptop was not infected, and that the email was merely a targeted phishing email designed to mislead those at the victim organization who deal with major financial transactions.
In the second stage, we examined the originator of the email message after shutting down the entire network and restricting the organization's email communication. We reviewed the filters of the organization's cloud-based email system, examined the email's header and footer, and identified the sender's IP address. The first major red flag, identified on examining the attacker's 'FROM' header, was that the attacker had used email spoofing: the exact name of the victim organization's respected vendor was placed in the 'FROM' header display name to build the recipient's trust in the email's authenticity.
In the third stage, we discovered a second major red flag: only the beneficiary's name and payment details were supplied, with no greeting or sender's name. Furthermore, the Email Threat Scanner did not flag the subject line, one of the most prevalent in phishing databases, as suspicious, but instead issued a warning concerning email server information. On inspecting the server's protocol information, logs, and packet flow, we found that the SMTP server IP address was inactive. As a result, the attacker was able to evade the organization's DKIM/DMARC mail security filters, as determined by a review of the mail solution's system log records.
During the investigation, it was also discovered that the email filter in the organization's firewall endpoint protection was not correctly configured to filter email and flag spam based on the sending server's IP address. This came to light when the IP logs of the backup archiving server's email address were restored.
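A small triage script in Python, added here as an example and not part of the original case (the vendor name, domains and both messages are constructed), that checks an incoming bank-change email for the red flags found in this investigation: a vendor's name on an address from a different domain, missing DKIM/DMARC authentication, and a body that jumps straight to payment details with no greeting.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor registry: display name -> domain the vendor really sends from.
KNOWN_VENDORS = {"Acme Roofing Supplies": "acme-roofing.example"}

# Constructed sample messages, not the real emails from the case.
SAMPLE_EMAIL = """\
From: "Acme Roofing Supplies" <accounts@acme-roofing-billing.example>
To: sales@xyz.example
Subject: Updated bank details for invoice payment
Authentication-Results: mx.xyz.example; spf=none; dkim=none; dmarc=none

Beneficiary: Acme Roofing Supplies
Account number: 000111222
"""
LEGIT_EMAIL = """\
From: "Acme Roofing Supplies" <accounts@acme-roofing.example>
To: sales@xyz.example
Subject: Delivery note for order 4471
Authentication-Results: mx.xyz.example; spf=pass; dkim=pass; dmarc=pass

Dear Sales team,
The roofing sheets for order 4471 were delivered this morning.
"""
GREETINGS = ("hi", "hello", "dear", "good morning", "good afternoon")

def triage(raw: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_VENDORS.get(name)
    # Red flag 1: a known vendor's display name on an address from another domain.
    if expected and domain != expected:
        flags.append(f"display-name spoof: '{name}' sent from {domain}, expected {expected}")
    # Red flag 2: DKIM/DMARC did not positively authenticate the sender.
    auth = msg.get("Authentication-Results", "").lower()
    if "dkim=pass" not in auth or "dmarc=pass" not in auth:
        flags.append("sender not authenticated by DKIM/DMARC")
    # Red flag 3: the body jumps straight to payment details with no greeting.
    body = msg.get_payload(decode=True).decode(errors="replace").strip().lower()
    if not body.startswith(GREETINGS):
        flags.append("no greeting before payment details")
    # Any bank-detail change is verified with the vendor out of band, never by reply.
    if "bank" in msg.get("Subject", "").lower() or "account number" in body:
        flags.append("bank-detail change request: verify out of band before acting")
    return flags
```

Running `triage(SAMPLE_EMAIL)` reports all four flags, while the constructed legitimate delivery note yields none.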
Furthermore, it was observed throughout the examination that the organization's information system security regulations were unclear, and there was no sufficient record for reviewing critical security occurrences. No regularly maintained data security awareness training was provided to employees, which might have prevented the forwarding of the phishing mail.
As a result, multiple red flags were detected and reported throughout the investigation phase, demonstrating a lack of ISMS compliance in the handling of the organization's sensitive data.
Interpretation
After understanding the incident, the company's business needs, and the expectations of the company's concerned parties, we recommended that the organization's management demonstrate commitment by making available the resources required for data security, incorporating ISMS requirements, establishing an information security policy, and promoting continuous improvement of the ISMS within the firm's processes. Following that, we worked with the company to develop an information security strategy, planning processes to mitigate risk, and prospects for improvement such as remedial action.
As part of the remedial action, we advised the organization's IT staff to replace the vendor of their email system and assisted them in setting up proper email filters. We also helped them secure their archive backups and set up a log monitoring feature to capture current activity. In addition, we recommended that staff with access to external email take a data security and firewall training course from our firm.
Furthermore, we advised them to close unwanted open ports, establish regularly updated information security awareness, and report any suspicious email immediately without forwarding it or acting on it.
The solution we provide will assist the company in becoming ISO 27001 compliant. It will provide the information security policy framework, which will drive the firm to take action, safeguard its information systems, and develop a risk management strategy. This activity will assist the company in undertaking information security risk assessments and resolving information security concerns in a timely manner. Furthermore, it will assist the business in producing supporting evidence during the ISO 27001 audit and the Management Review of the ISMS, and in identifying improvements such as taking remedial action in the event of a security incident.