In a recent spear-phishing incident, a hacker group targeted Croatian government employees between February and April of this year. The campaign mimicked delivery notifications from Croatian postal or retail services.
These forged emails contained a link to a remote website with a look-alike URL, where users were asked to download an Excel document. The document carried malicious code packed as a macro script, which was apparently copied from the internet, including tutorials and open-source projects hosted on Dummies.com, Issuu.com, StackOverflow.com, Rastamouse.me and GitHub.com.
Once the victim enabled the macro, it downloaded and installed malware on their system. Two different sets of malware payloads were detected during these attacks. The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration-testing utility. The second was SilentTrinity, another post-exploitation tool similar to the first.
The national cyber-security agency shared indicators of compromise, including registry keys, names, URLs and IP addresses of the attackers' command and control (C&C) servers. Through this malware, attackers can control a computer and execute any command with the privileges of the user who opened the XLS file and enabled its macros.
The agency also asked state businesses to scan their computer systems and check logs for possible infections.
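As an added example that is not part of the original article, the following Python script shows how such a log check can be done: it matches constructed proxy-log lines against an indicator list of the kind the agency published (C&C IP addresses, domains and URL paths) and reports which clients touched them. The indicator values and log lines are placeholders constructed for the example, not the real indicators from the campaign.

```python
"""Match proxy-log lines against an indicator-of-compromise list.

Added example: the IoC values below are placeholders (RFC 5737 test addresses
and reserved example domains), not the indicators actually published.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Placeholder indicators standing in for the published C&C servers.
IOC_IPS = {"203.0.113.10", "198.51.100.25"}
IOC_DOMAINS = {"posta-dostava.example", "cdn.example.net"}
IOC_URL_PATHS = {"/track/delivery.xls"}

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2019-03-04T09:12:01Z 10.0.0.21 GET http://posta-dostava.example/track/delivery.xls 200
2019-03-04T09:12:05Z 10.0.0.21 GET http://203.0.113.10/update 200
2019-03-04T09:13:00Z 10.0.0.22 GET https://www.example.org/index.html 200
2019-03-04T09:14:30Z 10.0.0.23 POST https://cdn.example.net/api/beacon 200
malformed line without a url
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def is_ip(host):
    """True if the URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, ioc_domains):
    """Exact match or a subdomain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_log(text, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS, ioc_paths=IOC_URL_PATHS):
    """Return (client, url, reasons) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _, client, _, url, _ = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if is_ip(host) and host in ioc_ips:
            reasons.append(f"ip:{host}")
        if domain_matches(host, ioc_domains):
            reasons.append(f"domain:{host}")
        if parsed.path in ioc_paths:
            reasons.append(f"path:{parsed.path}")
        if reasons:
            hits.append((client, url, ", ".join(reasons)))
    return hits


def affected_clients(text):
    """Sorted list of internal clients that contacted any indicator."""
    return sorted({client for client, _, _ in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

Matching on the parsed hostname rather than on a raw substring avoids false positives from indicator strings that happen to appear in query parameters, and the subdomain check catches C&C hosts that rotate under a listed parent domain.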
How can spear-phishing incidents like this be prevented?
- Avoid posting personal information online: With personal information abundantly available on social networking platforms, attackers can harvest and manipulate it for financial and personal gain.
- Implement an organization-wide data protection program: Such programs combine digital security practices with cyber protection solutions designed to prevent data loss from cyber-attacks such as spear phishing.
- Keep your eyes wide open: Be very careful before clicking an unknown email link or attachment. Instead of clicking a link, go directly to the organization's website. Check where the link actually points, since the anchor text can differ from the destination, and never submit personal or confidential details on a page reached from an email link.
- Set up a DMARC record: A DMARC record consists of DMARC policies published as a TXT record in DNS. With DMARC record analyser and generator tools such as KDMARC, organizations can set up policies appropriate for their domain. A DMARC policy indicates that the domain's email is protected by SPF and DKIM. It specifies how recipients should handle messages based on the results of the SPF and DKIM checks, and it lets the domain owner receive reports of domain abuse.
- Most effective of all is to train employees and raise their awareness with a security attack simulator and awareness tool such as ThreatCop, which lets employees learn about various cyber-attacks and the methodologies used in them.
As the methodologies employed by cyber attackers advance, it becomes important to adopt security measures that protect an organization against probable cyber-threats. Effectively implemented, such preventive measures let organizations safeguard themselves against many types of cyber-attacks.