Image: designer491, Getty Images/iStockphoto

Phishing campaigns typically use a few different tactics to compromise their victims. The initial emails usually spoof a company, brand, or product potentially used by the recipient. Often such emails pretend to come from a fellow employee or trusted external partner. Also, these emails sometimes are directed toward a specific individual within an organization, such as a C-level executive or someone with financial control. A recent phishing attack observed by Darktrace used all of those methods in an attempt to deploy malware.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic)

The campaign analyzed was aimed at a cutting-edge technology company, a tempting target for cybercriminals looking for maximum profits. In the first wave, the cybercriminals spoofed QuickBooks, a product commonly being used in advance of the July 15 tax deadline. In the initial phishing email, the sender claimed to be from QuickBooks maker Intuit with the address quickbooks@notification.intuit.com.


Image: Darktrace

The email contained a file attachment masquerading as a legitimate monthly invoice that the organization would normally receive. This attachment appeared to be a standard Microsoft Office document but one with a macro designed to infect the targeted system with malware. The attack was directed toward several employees across multiple departments in the organization who had access to confidential information.

A month later, a second attack was launched against this same organization. This time, the attacker was able to compromise the email address of an accountant to send a phishing email directly to the CEO. In this instance, the email contained a Skype voicemail message as a way to coax the CEO to enter their login credentials on a phony Skype page.

“The fact that these attacks specifically targeted the CEO and only individuals who had access to the company’s research and intellectual property shows that this was a well-planned and meticulously executed attack,” Darktrace said in its report. “The emails were highly targeted and bespoke to the individuals, spoofing platforms they were known to use. We can assume information was leveraged from social media or even previous breaches to craft these emails.”

Since the attacks were ultimately unsuccessful, Darktrace wasn’t sure of the motives behind the campaign but was able to speculate.

“Their goal with the first wave seemed to be gaining access–either via malware or compromising account credentials,” Justin Fier, director of Cyber Intelligence & Analytics for Darktrace, told TechRepublic. “Given this was a technology company with invaluable IP (intellectual property), and that the attackers targeted the CEO and others involved with research with the second wave of attacks, it is likely that they were after more than just financial information, but were instead seeking to gain access to the company’s IP.”

Though both attacks snuck past traditional security solutions, the artificial intelligence (AI) component in the cybersecurity defense from Darktrace stopped each one. AI detected that the source of the spoofed emails was an IP address in Italy, which is outside the range of addresses permitted by Intuit to send email on its behalf. Darktrace also found these attempts suspicious compared with the SPF records normally assigned to quickbooks@notification.intuit.com. Further, the AI component determined that it would be unlikely for the exact same email to be sent to so many different recipients across different departments within the organization.

Due to the AI security feature, the attack failed to gain a foothold in the organization. But the spoofing of a common item like a QuickBooks invoice still is cause for concern.

“This attack was clearly launched by an advanced group, with the group’s ability to so closely spoof Intuit’s platform especially concerning,” Darktrace said in its report. “As we approach the extended tax deadline of July 15, the group could easily launch more attacks–spoofing TurboTax to trick countless individuals, or target additional companies with fake QuickBooks invoices.”

How can organizations and individuals best protect themselves from these types of phishing attacks?

“Traditional email security tools will block spear-phishing attacks that have been seen before, but targeted and novel campaigns are often entirely unique in their content, exploiting the latest trending topic and leveraging specific details about a company,” Fier told TechRepublic. “In the continuous cat-and-mouse game with cyber-intruders, AI is capable of making accurate judgements about which emails are legitimate. In this specific instance, AI detected that the source location of the emails and the group of recipients was highly unusual, automatically blocking these illegitimate communications from even reaching the inbox in the first place.”

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays