After running the Barracuda Email Threat Scanner on hundreds of thousands of mailboxes across many customers, we've noticed some very creative and (unfortunately) very successful attacks. One such attack is a new spin on an old phishing email. We've seen this attack with several of our customers, especially in industries that deal with frequent shipping of goods or employee travel, such as logistics, shipping, and manufacturing.
The airline phishing attack using multiple techniques to capture sensitive data and deploy an Advanced Persistent Threat
The airline phishing attack is a combination of two or more attack techniques. The first technique is impersonation. The attacker will either impersonate a travel agency or even an employee in HR or finance that is sending an airline ticket or e-ticket. The email will be constructed to appear inconspicuous to the untrained recipient. Here's an example subject line:
Fwd: United Airlines: Confirmation – Flight to Tokyo – $3,543.30
In a well-researched attack, the attacker will have prepared the email specifically for the target. The airline, destination, and price will be carefully selected so that these details look legitimate in the context of the company and the recipient.
After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document. Our analysis shows that for the airline phishing attack, attackers are successful over 90% of the time in getting employees to open airline impersonation emails. This is one of the highest success rates for phishing attacks.
We have also observed attacks that have included links to a phishing website designed to capture sensitive data from the victim. This phishing website will be designed to imitate an airline website, or it will impersonate the expense or travel system used by the company. This step in the process is designed to trick the victim of the attack into entering corporate credentials into the site. The attacker will then capture the credentials, and use them to infiltrate the corporate network and internal company systems, such as databases, email servers, and file servers.
As you can see, this attack depends on three specific techniques:
- Impersonation: Researching the company’s organizational structure and communication patterns help the attacker create an email that looks legitimate. The attacker’s impersonation causes the emails to be opened at a very high rate (over 90%).
- Malware – Advanced Persistent Threat: The APT is dropped into the network when the attachment is opened. The victim trusts the attachment because of the targeted email content.
- Phishing: The attacker leverages the legitimate appearance of the email to harvest the login credentials of the target using a fake login page. Once the attacker obtains the login credentials, they can easily gain access to internal company data and communications.
These steps complement each other, ultimately enabling the criminal to deploy additional attacks like ransomware or to remain in stealth mode and conduct reconnaissance against the target network. At this point, the attacker is in control.
Companies should use a multi-layered security approach to block this type of attack. The first layer is sandboxing. Effective sandboxing and advanced persistent threat prevention should be able to block malware before it ever reaches the corporate mail server. The second layer is anti-phishing protection. Advanced phishing engines with Link Protection look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document. The third layer is employee training and awareness. Regular training and testing of your employees will increase their awareness and help them catch targeted attacks without compromising your internal network.
Finally, if you’re curious whether your company has been the victim of an airline phishing attack, we highly recommend the Barracuda Email Threat Scanner. It’s a free tool that scans your Office 365 account for advanced persistent threats and phishing risks. The scan provides you with a personalized risk assessment and evaluation of your existing security posture.
Asaf Cidon is Vice President of Content Security Services at Barracuda. Connect with him on LinkedIn here.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.