Security firm Proofpoint reports that a “financially motivated threat actor” it calls TA530 is currently targeting company executives and additional high-level employees in an unusually personalized spear phishing campaign. It’s targeting individuals with high-ranking roles such as chief financial officer and senior vice president using emails containing their specific names, job titles, phone numbers, and more within the email body.
A spear phishing campaign doesn’t send out emails to a general audience hoping to reel in a few victims, but typically focuses on a specific organization in order to hook individuals into giving up confidential information such as military data or trade secrets. The emails appear to derive from a trusted source, and contain a link to a fake malware-infested Web page or a file that downloads malicious software.
Proofpoint says the information used by TA530 can be gathered from public sites like the company’s own website, LinkedIn, and so on. It’s targeting up to tens of thousands of individuals located in organizations based in the United States, the United Kingdom, and Australia. The attacks are even larger than other spear phishing campaigns, but have yet to approach the magnitude of Dridex and Locky.
TA530 is mostly targeting financial services, followed by organizations in retail, manufacturing, health care, education, and business services. Technology-focused organizations are also affected along with insurance companies, utility services, and companies involved in entertainment and media. Transportation is the lowest on the list of targets.
TA530 carries a number of playloads in its arsenal, including a banking Trojan, a Point of Sale reconnaissance Trojan, a downloader, file-encrypting ransomware, a banking Trojan botnet, and more. For instance, the Point of Sale reconnaissance Trojan is mostly used in a campaign against retail and hospitality companies, and financial services. The banking Trojan is configured to attack banks located throughout Australia.
In a sample email provided in the report, Proofpoint shows that TA530 is attempting to infect the manager of a retail company. This email includes the target’s name, the company name, and the phone number. The message requests that the manager fill out a report regarding an incident that took place at one of the actual retail locations. The manager is to open the document, and if macros are enabled, it will infect his computer by downloading the Point of Sale Trojan.
In the few cases presented by Proofpoint, the targeted individuals receive an infected document although the security firm states that these emails can also contain malicious links and attached JavaScript downloaders. The company has also seen a few emails in the TA530-based campaigns that were not personalized, but still carried the same consequences.
“Based on what we have seen in these examples from TA530, we expect this actor to continue to use personalization and to diversify payloads and delivery methods,” the firm states. “The diversity and nature of the payloads suggest that TA530 is delivering payloads on behalf of other actors. The personalization of email messages is not new, but this actor seems to have incorporated and automated a high level of personalization, previously not seen at this scale, in their spam campaigns.”
Unfortunately, Proofpoint believes that this personalization technique isn’t limited to TA530, but will ultimately be used by hackers as they learn to pull corporate information from public websites such as LinkedIn. The answer to this problem, according to Proofpoint, is end-user education and a secure email gateway.
