1(630)802-8605 Ravi.das@bn-inc.net

As I have mentioned in earlier posts, Phishing still remains one of the most widely used forms of threat used by the Cyber attacker today.  There is no doubt that it has been around for quite a long time, but despite that, its level of sophistication keeps growing day by day.  It seems that the Cyber attacker takes this same method of attack, but keeps refining it in ways that even Cyber security professionals cannot keep up with.

I have written in previous articles for a major client about two new variants of this.  One is called “Spear Phishing”, and the other is called “Business E-Mail Compromise”. In both of these cases, the Cyber attacker takes their time in researching their targets, decides who to go after, and from there makes their stealthy move in for the kill like a King Cobra.

With the former, a select group of individuals from within a business or a corporation is chosen as the victim.  With the latter, it is very often the administrative assistant or project manager of a C-Level executive who is targeted, and conned into wiring large amounts of money into a fictitious and phony bank account somewhere overseas.

But keep in mind that with those types of attacks, the Cyber attacker will take their own sweet time researching and homing in on their selected victims.  They will make use of every tool that is available to them, including social media, and even conducting Internet background checks.  The goal of the Cyber attacker in these instances is to make sure that they hit their targets head on, right on the very first attempt.

Actually, this is a far cry from the Cyber attacker who just launches a general Phishing style attack.  Anybody is a target, and more than likely, the target list will come from the address book of a victim.  Now, the Cyber attacker has devised a new form of Phishing attack – no specific name has been given to this campaign, but it has been dubbed “Special Ear” by Cyber researchers.  The targeted industries include shipping and transportation.

Here is how it works:  The Phishing emails are typically disguised as invoice messages for companies, such as purchase orders. The Cyber attackers have also further customized the messages to make them appear more authentic by including the top level domain of the country that the Phishing email is targeting.

Since it is the shipping and transportation companies in India and Saudi Arabia that have been the most impacted, the campaign is executed from an address with a “.co.in” domain in India. Meanwhile, in Saudi Arabia, the spam emails came from a “.com.sa” domain.  Interestingly enough, the server that is being used to send out these Phishing Emails is based in the Netherlands, and it is a Cyber hacking group in China that is launching these attacks.

The malware itself (which is actually a Trojan Horse) is located in the .exe of the fictitious invoice; so once that is downloaded and run, the malware then spreads itself and uses keylogging software to steal not only the usernames and passwords of the impacted employees, but other types of confidential information and data as well.

How do the Cyber researchers know that this attack actually originates from China?  “The Chinese phrases and their excessive appearance in the Portable Executable file imply a Chinese origin. In almost every instance where Chinese characters could be used, they were used — this is a common obfuscation technique of Chinese threat actors.”  (SOURCE:  https://cyware.com/news/special-ear-cyberespionage-campaign-uses-fake-invoice-emails-to-drop-data-stealing-malware-14900b3b0)

Even more dangerous is that this malware can avoid certain API calls, thus making it totally invisible to certain antispyware and antimalware software packages that rely on tracking those calls.

My thoughts?  Well, in terms of protecting yourself from these and other types of Phishing attack, my advice will always be the same.  There is no need to repeat myself here; you can search this blog site for all the advice you could ever want to find.  But two things stand out to me that make this so much different from the other kinds of Phishing attacks:

  • A specific industry is actually being targeted, which is unlike the Spear Phishing and the BEC Phishing E-Mail schemes. In these, any organization is targeted, but only specific individuals become the actual victims.  This new type of Phishing scheme is actually just the opposite of this.
  • I have never heard of a Phishing attack that can avoid and mask itself from API calls – this is a first for me and just shows how much more advanced and sophisticated the Cyber attacker is getting on a daily basis.