Attackers are using the lure of airline reservations as part of a highly effective phishing campaign that researchers say is successful about 90 percent of the time.
The campaign targets corporate victims, and the attackers behind it seem to be doing quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear more authentic. Researchers at Barracuda, who have been monitoring the campaign, say the phishing emails include rigged attachments loaded with malware.
“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document,” Asaf Cidon, vice president of content security services at Barracuda, said in a post explaining the attacks.
“Our analysis shows that for the airline phishing attack, attackers are successful over 90% of the time in getting employees to open airline impersonation emails. This is one of the highest success rates for phishing attacks.”
Most phishing campaigns have nowhere near that level of success. Many malicious emails are caught by filters or end up in spam folders, and others are too poorly designed to trick many victims. In the airline campaign, the malware installed is designed to be the first stage in a multi-level attack meant to steal users’ corporate credentials. The malware will connect to a site controlled by the attacker that is a close copy of the airline site impersonated in the email.
“This phishing website will be designed to imitate an airline website, or it will impersonate the expense or travel system used by the company. This step in the process is designed to trick the victim of the attack into entering corporate credentials into the site. The attacker will then capture the credentials, and use them to infiltrate the corporate network and internal company systems, such as databases, email servers, and file servers,” Cidon said.
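The chain described above leaves three things a mail gateway or SOC can key on: a travel-themed subject arriving from a sender that is not the airline, a PDF or DOCX "confirmation" attachment riding along with it, and a link whose hostname borrows an airline or corporate-travel brand while sitting on an unrelated domain. The Python below, added here as an illustration and not code from the article or from Barracuda, triages constructed sample messages on those signals. The brand domains, sender addresses, URLs and subjects are all made up for the example, and the registrable-domain logic is deliberately simplified (no public suffix list).

```python
"""Triage heuristics for airline-themed credential-phishing lures.

Added example; not Barracuda's tooling. All domains and messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allow-list: the airlines the company books with, plus its own
# travel/expense portal. A real deployment would load this from vendor records.
KNOWN_BRAND_DOMAINS = {"contoso-airlines.com", "fabrikam-air.com", "travel.corp-example.com"}

# Subject vocabulary typical of booking, itinerary and receipt mail.
TRAVEL_WORDS = {"flight", "itinerary", "ticket", "eticket", "booking", "confirmation",
                "receipt", "boarding", "airline", "airlines", "airways"}

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".docm")

# Digit-for-letter substitutions commonly seen in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class Mail:
    sender: str
    subject: str
    attachments: List[str]
    urls: List[str]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: no public-suffix list,
    so 'example.co.uk'-style domains are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text: str) -> str:
    """Drop separators and undo simple homoglyph swaps so 'c0ntoso-airlines'
    compares equal to 'contosoairlines'."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(HOMOGLYPHS)


KNOWN_REGISTRABLE = {registrable_domain(d) for d in KNOWN_BRAND_DOMAINS}
# Brand tokens: 'contosoairlines', 'fabrikamair', 'corpexample'
BRAND_TOKENS = {normalize(d.split(".")[0]) for d in KNOWN_REGISTRABLE}


def is_lookalike_host(host: str) -> bool:
    """True when a host carries a known brand name but is not registered under
    that brand's domain, e.g. contoso-airlines.com.login-verify.net or
    c0ntoso-airlines.com. Hosts genuinely under a known domain return False."""
    if not host or registrable_domain(host) in KNOWN_REGISTRABLE:
        return False
    flat = normalize(host)
    return any(token in flat for token in BRAND_TOKENS)


def triage(mail: Mail) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'deliver', 'flag' or 'quarantine'."""
    reasons: List[str] = []
    hard_hits = 0  # signals strong enough to quarantine on their own

    sender_host = mail.sender.rsplit("@", 1)[-1]
    if is_lookalike_host(sender_host):
        reasons.append(f"sender domain {sender_host} is a lookalike of a known brand")
        hard_hits += 1

    from_known_brand = registrable_domain(sender_host) in KNOWN_REGISTRABLE
    subject_tokens = set(re.findall(r"[a-z0-9]+", mail.subject.lower()))
    if subject_tokens & TRAVEL_WORDS and not from_known_brand:
        reasons.append("travel-themed subject from a sender outside the known airline/travel domains")
        # A document attachment on an impersonation lure is the malware-delivery step.
        if any(a.lower().endswith(DOCUMENT_EXTENSIONS) for a in mail.attachments):
            reasons.append("document attachment (PDF/DOC) delivered with the impersonation lure")
            hard_hits += 1

    for url in mail.urls:
        host = urlparse(url).hostname or ""
        if is_lookalike_host(host):
            reasons.append(f"link host {host} borrows a known brand name on an unrelated domain")
            hard_hits += 1

    verdict = "quarantine" if hard_hits else ("flag" if reasons else "deliver")
    return verdict, reasons


# Constructed sample messages: one lure, one genuine airline receipt, one unrelated mail.
SAMPLE_MAIL = [
    Mail("reservations@c0ntoso-airlines.com",
         "Your flight confirmation DEN-SEA, e-ticket attached",
         ["FlightConfirmation.docx"],
         ["https://contoso-airlines.com.login-verify.net/expense"]),
    Mail("noreply@contoso-airlines.com",
         "Your flight confirmation DEN-SEA",
         ["receipt.pdf"],
         ["https://www.contoso-airlines.com/manage"]),
    Mail("alice@partner-example.org",
         "Q3 roadmap review notes",
         ["notes.docx"],
         ["https://docs.partner-example.org/q3"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MAIL:
        verdict, why = triage(m)
        print(f"{verdict:10} {m.sender:40} {m.subject}")
        for r in why:
            print(f"           - {r}")
```

The genuine receipt is delivered untouched because the same travel vocabulary and PDF attachment are expected from a sender under a known brand domain; the lure is quarantined on three independent signals, so a single evasion (for example, dropping the attachment) still leaves it caught.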
Once the attacker has a victim’s corporate credentials, he can move around inside the target network, gather more information, and access other accounts.
Image: Cory Hatchel, CC BY-SA license.