Spear Phishing

Spear Phishing in the Financial Services Industry

Adrien Gendre

December 16, 2015

4 min

A reporter once asked Willie Sutton, the feared but curiously beloved American bank robber who stole over $2 million in the 20s and 30s, why he chose to hold up banks. Sutton’s famous reply was, “Because that's where the money is.”

Banks: It’s Where the Money’s At

Hackers who conduct phishing attacks seem to embrace Sutton’s easy money mantra, with banks and money transfer firms receiving over 40% of phishing attacks in the second half of 2014.[1]

Robbing With Charm and Personality Instead of Guns

Where the phishers diverge from Sutton is on tactics. While Sutton never killed anyone, he always carried out heists using a pistol or Tommy gun, noting, “You can't rob a bank on charm and personality.”[2] Oh, but you can. Just ask anyone in the finance industry who has fallen victim to a spear phishing attack. Sutton, who died in 1980, would have been amazed at how banks get robbed with charm and personality today.

Spear phishing thrives on personality, the invented kind. Spear phishing is a targeted, highly threatening form of phishing email. While basic phishing attacks use mass, undifferentiated emails to trick recipients into divulging personal information or clicking on links that download malware onto their devices, spear phishing takes the process a few steps further with highly customized attacks. Spear phishing emails feature specific references to people and projects that the recipient knows.

In a spear phishing attack, you’ll get an email that looks as if it’s actually from your friend Joe but isn’t. The email might mention a project you’re working on with Joe and ask you to review a document, which is attached. The document contains malware, but you may never know it. The malicious actor has no incentive to shut your devices down: the longer you keep working while he logs your keystrokes, the more information he gains about your company. That kind of patient collection is a necessary step in hacking a financial institution.

As Steven D’Alfonso reported on SecurityIntelligence.com, spear phishing was the delivery mechanism for the powerful Carbanak malware, which criminal gangs used to steal more than $300 million from banks in Russia, Japan, Switzerland, the Netherlands and the United States in 2013 and 2014.[3] But installing the malware is not enough, and is not even the primary goal of most spear phishing attacks. Financial institutions are complicated environments, with numerous systems, levels of access and internal controls. It takes long-term, sustained and in-depth espionage to figure out exactly how to steal money from one.

According to The New York Times, the gangs using the Carbanak malware had to learn enough about the banks’ internal operations and staff to be able to impersonate employees who authorized transfers, managed automatic teller machines, and more.[4] They had to steal administrative passwords and establish enough root presence in systems to operate bank applications remotely. This took more than just a few spear phishing attacks. It likely took a sequence of spear phishing attacks that gathered more and more credentials and detailed inside knowledge about the bank.

In this way, the initial attack from “Joe” might enable the hacker to figure out who is in charge of the funds transfer desk. Then, after spear phishing that individual, the hacker can learn not only the bank’s SWIFT passwords, but also the unique workflows that the bank uses to process transfers. They grab screenshots of SWIFT terminals and learn exactly how a specific bank moves money around: who has approvals and so forth. As SecureList put it, “Once the attackers are inside the victim’s network, they perform a manual reconnaissance, trying to compromise relevant computers (such as those of administrators’) and use lateral movement tools. In short, having gained access, they will jump through the network until they find their point of interest.”[5]

In order to avoid detection, the amount stolen at any one time in the Carbanak hacks was often quite low. For example, a gang might add $8,000 to someone’s account balance and then quickly transfer it out to another institution, or arrange for it to be cashed out at ATMs they controlled. By the time anyone noticed, it was too late. Of course, small losses add up: to more than $300 million in the Carbanak case.

It’s Not Just about the Money

However, cash losses could be the least of a major financial institution’s worries. Having a breach of this kind publicized could result in:

  • reputation damage
  • loss of customers
  • civil liabilities
  • regulatory investigation and penalties, for example under the Gramm-Leach-Bliley Act

This is a frightening prospect, but attacks like Carbanak can be made much harder to carry out. The trick is to make spear phishing radically more difficult to pull off in your organization. Unfortunately, most standard anti-spam email filtering solutions won’t catch a spear phishing email. The kind of high-level criminals who carry out Carbanak-type hacks send extremely convincing messages that don’t read like spam. The opening messages often contain no malware attachment and no link to a suspicious site. The attack process is about lulling the recipient into complacency. Once trust is established, the attacker can ask for credentials outright, or send a booby-trapped link in an email that will almost certainly get through the spam filter and be clicked on by the victim. It takes specialized tools to catch this kind of malicious act.

Vade Secure’s anti-phishing solution offers just such a defense. A unique countermeasure, it can be layered on top of existing anti-spam solutions to provide better overall email protection. Using heuristic email filtering with artificial intelligence, the solution has been trained to spot spear phishing messages by learning from hundreds of millions of emails monitored over a decade, as well as by matching the style and technical indicators of the claimed sender of any given email against known information about the actual sender.
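To make the idea of matching a message’s claimed sender against what is already known about the real sender concrete, here is a small added example of that kind of sender-consistency check. It is not Vade Secure’s code and does not come from the article: the contact directory, the internal domain, the confusable-character table and the three messages it inspects are all constructed for the example. It covers the “Joe” scenario from earlier in the piece (a familiar display name on an address Joe does not use) as well as two related tricks, a lookalike domain and a spoofed internal From with an external bounce path.

```python
"""Sender-consistency heuristics for catching spear phishing.

Added example, not Vade Secure's product code and not from the article.
It compares what a message claims about its sender (display name, From
address, Reply-To, Return-Path) with what the organisation already knows
about that sender. Directory, domains and messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: the address each known colleague really sends from.
KNOWN_CONTACTS = {
    "Joe Martin": "joe.martin@example-bank.com",
    "Anna Ruiz": "anna.ruiz@example-bank.com",
}
INTERNAL_DOMAINS = {"example-bank.com"}
KNOWN_ADDRESSES = {a.lower() for a in KNOWN_CONTACTS.values()}

# Characters attackers swap into a registered lookalike domain. Both sides of
# every comparison go through the same mapping, so a legitimate domain that
# happens to contain these letters still compares equal to itself.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "i": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which lookalikes collide with the original."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(_CONFUSABLES)


def _domain(addr: str) -> str:
    return addr.lower().rpartition("@")[2]


def analyze(raw_message: str) -> dict[str, str]:
    """Return {finding_code: detail} for the sender indicators in one message.

    An empty dict means none of the heuristics fired; it does not prove the
    message is safe.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_name = from_name.strip()
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)
    findings: dict[str, str] = {}

    # 1. A display name we know, attached to an address that person does not use.
    expected = KNOWN_CONTACTS.get(from_name)
    if expected and from_addr != expected.lower():
        findings["display-name-mismatch"] = (
            f"'{from_name}' normally sends from {expected}, not {from_addr}")

    # 2. A domain that is not ours but is built to look like ours.
    internal_skeletons = {skeleton(d) for d in INTERNAL_DOMAINS}
    if from_domain not in INTERNAL_DOMAINS and skeleton(from_domain) in internal_skeletons:
        findings["lookalike-domain"] = f"{from_domain} imitates an internal domain"

    # 3. Replies silently redirected to a different domain than the From address.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings["reply-to-mismatch"] = (
            f"replies go to {reply_addr.lower()} while From is {from_addr}")

    # 4. From claims an internal address but the bounce/envelope path is external.
    #    (A real deployment would rely on SPF/DKIM/DMARC results here.)
    if from_domain in INTERNAL_DOMAINS and return_path and _domain(return_path) not in INTERNAL_DOMAINS:
        findings["envelope-mismatch"] = (
            f"Return-Path {return_path.lower()} is external for an internal From")

    # 5. Nobody here has corresponded with this address before.
    if from_addr not in KNOWN_ADDRESSES and from_domain not in INTERNAL_DOMAINS:
        findings["unknown-sender"] = f"{from_addr} has no history with the organisation"

    return findings


def is_suspicious(raw_message: str) -> bool:
    """Verdict: any impersonation finding beyond merely being a new sender."""
    return bool(set(analyze(raw_message)) - {"unknown-sender"})


# Constructed messages (headers only; the body is irrelevant to these checks).
LEGIT = (
    "From: Joe Martin <joe.martin@example-bank.com>\n"
    "Return-Path: <joe.martin@example-bank.com>\n"
    "Subject: Q4 migration plan\n\n"
    "Can you review the attached before Friday?\n"
)
LOOKALIKE = (
    "From: Joe Martin <joe.martin@examp1e-bank.com>\n"
    "Reply-To: Joe Martin <joe.martin.bank@webmail.example>\n"
    "Return-Path: <joe.martin@examp1e-bank.com>\n"
    "Subject: Q4 migration plan\n\n"
    "Can you review the attached before Friday?\n"
)
SPOOFED = (
    "From: Anna Ruiz <anna.ruiz@example-bank.com>\n"
    "Return-Path: <bounce-4421@bulk-sender.example>\n"
    "Subject: urgent wire approval\n\n"
    "Please approve the transfer in the portal link below.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, analyze(raw))
```

Run as a script it prints no findings for the genuine message, four for the lookalike “Joe” (display-name mismatch, lookalike domain, Reply-To mismatch, unknown sender) and one envelope mismatch for the spoofed internal address. The skeleton comparison is deliberately crude: it only needs to make a handful of common substitutions collide, and a production filter would add punycode handling and a proper confusables table. The unknown-sender signal on its own is not a verdict, since every new customer or vendor trips it; it is useful as context when one of the other findings is present, which is why is_suspicious ignores it alone.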

Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.


[1] Anti-Phishing Working Group (APWG) Global Phishing Survey, 2015

[2] https://en.wikipedia.org/wiki/Willie_Sutton

[3] D’Alfonso, Steven, “Carbanak: It’s All About the Phish”, SecurityIntelligence.com

[4] https://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html

[5] https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/