THE PERSONAL TOUCH —

Crypto ransomware targets called by name in spear-phishing blast

Once the domain of espionage, personalized scams embraced by profit-driven scammers.

An e-mail targeting a retail company to deliver point-of-sale malware.
Proofpoint

For the past decade, spear phishing—the dark art of sending personalized e-mails designed to trick a specific person into divulging login credentials or clicking on malicious links—has largely been limited to espionage campaigns carried out by state-sponsored groups. That made sense. The resources it takes to research the names, addresses, and industries of large numbers of individuals were worth it when targeting a given organization that held blueprints or some other specific piece of data prized by the attacker. But why go to that trouble to spread crypto ransomware or banking trojans to the masses when a single generic scam e-mail could do the trick?

Since the beginning of the year, that truism has begun to unravel. According to researchers at security firm Proofpoint, a single threat actor, dubbed TA530, has been targeting executives and other high-level employees in an attempt to trick them into installing an assortment of malware—including the CryptoWall ransomware program that encrypts valuable data and demands a hefty fee to undo the damage. Other malware spread in the campaign includes the Ursnif ISFB banking trojan and the Ursnif/RecoLoad point-of-sale reconnaissance trojan, the latter aimed at businesses in the retail and hospitality industries. Targeted executives typically have titles such as chief financial officer, head of finance, senior vice president, and director.

According to a blog post published Tuesday:

TA530 customizes the e-mail to each target by specifying the target’s name, job title, phone number, and company name in the email body, subject, and attachment names. On several occasions, we verified that these details are correct for the intended victim. While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company’s own website. The customization doesn't end with the lure; the malware used in the campaigns is also targeted by region and vertical.

While these campaigns aren't approaching the size of, for example, Dridex and Locky blasts that go after very large numbers of random recipients, TA530 targets hundreds, thousands, or even tens of thousands of recipients in US, UK, and Australian organizations. These attacks are quite large relative to other selective or spear phishing campaigns.

We observed TA530 at times targeting only a specific and narrow vertical, such as Retail and Hospitality. At other times, the campaigns appear more widespread. Overall, the volume of messages targeting each vertical is shown below:

Targeting high-ranking executives and managers has distinct advantages for criminals pushing this type of malware. People in these positions are more likely to have access to their company's online bank accounts and finance systems, making them prime victims for banking or point-of-sale trojans. What's more, the data stored on their computers is often crucial to their company's continued success, making it more likely that they will pay the ransom when that data is encrypted by CryptoWall.
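The customization Proofpoint describes above, a recipient's own name, job title, company, and phone number echoed back in the subject, body, and attachment names, is itself a signal a mail gateway can score. The following is an added example written for this page, not Proofpoint's detection logic or anything TA530 shipped; the recipients, messages, weights, and the list of risky attachment extensions are all constructed assumptions. It flags a message when its attachment names and subject line contain directory details that a sender who was not researching the target would have no reason to include.

```python
"""Heuristic scorer for personalized (TA530-style) phishing lures.

Added example, not Proofpoint's or TA530's code. Scores inbound mail by how
many of the recipient's own directory details (name, title, company, phone)
appear in the subject, body, and attachment names. Sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Assumed list of extensions used by macro documents and droppers; tune locally.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".exe", ".scr", ".lnk"}

# Assumed weights. A recipient's own name in the body is normal business mail;
# their title or phone number quoted back at them is odd; any directory field
# baked into an attachment filename or subject line is the strongest signal.
WEIGHTS = {
    "attachment": {"name": 3, "title": 3, "company": 3, "phone": 3},
    "subject":    {"name": 2, "title": 2, "company": 2, "phone": 2},
    "body":       {"name": 0, "title": 1, "company": 0, "phone": 1},
}
FLAG_THRESHOLD = 5  # assumed; calibrate against your own mail flow


@dataclass
class Recipient:
    name: str
    title: str
    company: str
    phone: str = ""


@dataclass
class Email:
    recipient: Recipient
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def _words(text):
    """Lowercase and collapse punctuation so 'Jane_Doe-CFO.doc' compares
    equal to 'jane doe cfo'; padded with spaces for whole-phrase matching."""
    return " " + re.sub(r"[^a-z0-9]+", " ", text.lower()).strip() + " "


def _digits(text):
    return re.sub(r"\D", "", text)


def personalization_hits(email):
    """Return (field, location) pairs for every recipient detail found."""
    r = email.recipient
    fields = {"name": r.name, "title": r.title, "company": r.company}
    parts = [("subject", email.subject), ("body", email.body)]
    parts += [("attachment", a) for a in email.attachments]
    phone = _digits(r.phone)
    hits = []
    for location, text in parts:
        haystack = _words(text)
        for key, value in fields.items():
            needle = _words(value).strip()
            if needle and f" {needle} " in haystack:  # empty fields never match
                hits.append((key, location))
        if len(phone) >= 7 and phone in _digits(text):
            hits.append(("phone", location))
    return hits


def personalization_score(email):
    score = sum(WEIGHTS[loc][key] for key, loc in personalization_hits(email))
    if any(a.lower().endswith(tuple(RISKY_EXTENSIONS)) for a in email.attachments):
        score += 2
    return score


def is_suspicious(email):
    return personalization_score(email) >= FLAG_THRESHOLD


# Constructed sample messages; not real campaign samples.
CFO = Recipient("Jane Doe", "Chief Financial Officer", "Example Retail Corp", "555-0100")

LURE = Email(
    CFO,
    subject="Jane Doe - Example Retail Corp Invoice",
    body="Dear Jane Doe, Chief Financial Officer,\nPlease review the attached invoice. Contact: 555-0100",
    attachments=["Jane_Doe_Chief_Financial_Officer_Invoice.doc"],
)

BENIGN = Email(
    CFO,
    subject="Q3 budget review",
    body="Hi Jane, see attached. Thanks, Bob",
    attachments=["q3_budget.xlsx"],
)

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("benign", BENIGN)):
        print(label, personalization_score(msg), is_suspicious(msg))
```

The scorer is deliberately a heuristic: internal HR or finance mail can legitimately carry a name in the subject, so it belongs alongside sender-domain, SPF/DKIM, and attachment sandboxing checks rather than as a standalone block rule. The directory lookup it relies on is the same public data (LinkedIn, the company site) the attacker harvests, which is also why scrubbing phone numbers and full titles from public pages reduces the lure quality available to a campaign like this one.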

"Based on what we have seen in these examples from TA530, we expect this actor to continue to use personalization and to diversify payloads and delivery methods," the Proofpoint blog post concludes. "The personalization of email messages is not new, but this actor seems to have incorporated and automated a high level of personalization, previously not seen at this scale, in their spam campaigns."
