Fallen Victims: Spear Phishing the CEO
Daniel is President and CEO of a second-generation family owned business. The company specializes in engineering consultancy services for both private sector and federal government clients. Daniel spends his time between working at the office and holding outside meetings with current customers as well as prospective clients. His business development efforts frequently pay off as he is considered the “rain maker” of the company. He was extremely pleased to announce during the previous week’s staff meeting that the firm won an award to provide consultancy services for a new state of the art facility being built for the U.S. Department of Defense. This would be a very lucrative deal and really serve to help further promote his firm among prospective clients. He wasted no time in having a press release issued regarding this award.
While easily spending over 50 hours per week in managing the firm, Daniel does find time for his wife and three children. They take one family trip a year, usually abroad to Europe. Additionally, Daniel is passionate about sailing. He owns a 250-foot sailboat and usually takes it out every Sunday with friends. He frequently posts pictures on his Facebook page showing his boat and scenic locations to include many sunrises and sunsets. He also mentions that one of his dreams is to complete an approximate one month sailing excursion in the Mediterranean.
A foreign intelligence service was looking for ways to penetrate the U.S. Department of Defense. They considered the construction of this new facility to be an opportunity. They looked at various companies which would be contracted for the buildout as potential conduits. The security protocols exercised by such contractors would likely be lower than the Department of Defense. When they learned of the contract award for engineering consultancy services, they began to target Daniel’s firm.
They decided to launch a spear phishing attack against a senior member of the firm who would likely have the highest level of access to details regarding this project. Naturally, Daniel was one of the top choices. They were aware that Daniel’s firm had received security awareness training from an outside vendor which included guidance on how to minimize security breaches attempted through phishing attacks. They needed to conduct a profile on Daniel and then artfully compose an email which would tempt Daniel into disregarding such security protocols. They decided to tie it into Daniel’s passion for sailing and his interest in exotic sails in the Mediterranean.
They designed an email with the logo of Daniel’s sailing club announcing an upcoming promotion on 3-4-week group sailing excursions in the Caribbean and Mediterranean. Attached to the e-mail was a file said to contain more information to include sailing itineraries, pricing and registration forms. Without hesitation, and without verifying whether his sailing club had originated this email, Daniel eagerly clicked on the link. While the information began to download, malicious code was uploaded to Daniel’s personal computer. When Daniel tried to open the documents, they appeared to be corrupted.
Unfortunately, Daniel did not immediately realize that this was a successful phishing attack. Once the group gained access to his personal computer, they were able to access all his files. As Daniel also frequently utilized his personal computer to log into his company’s IT systems, they were able to capture his log in credentials. They now had a means to collect considerable invaluable and sensitive information regarding the design of the future Department of Defense facility.
Never assume that you or your organization would not be of interest to a foreign intelligence service or organized criminal group. If you conduct business with a high value target, you might be utilized to gain access to the ultimate prize.