Case of spear phishing in India

More articles

spear phishing indiaFraudsters are evolving with the technology. Couple of years ago, Phishing was replaced by Vishing and now SpearPhishing is the new baby on the blocks. Spear Phishing in India is not very common. Phishing was a generic attack without having any information about the victims, Vishing was voice based phishing but the frauds are now getting personal. SpearPhishing attack is committed with a specific person in mind.

Spear phishing in India

Certified Forensic Accounting Professionals are emerging as a powerful community, across the world. One such CFAP was engaged by a pharmaceutical company with a request to conduct a routine assessment of its system security. During his analysis, he discovered that some of the client’s PCs were infected by certain malware. This malware was transferring research data to a location which was based out of Indore. Head office of one of the competitor’s of the pharmaceutical company was based in Indore too.

Business faced a cyber attack,  when a junior research scientist unwittingly helped infect the PC of a senior scientist. In India, generally the corporate networks are affected by the employees who, though unintentionally, use a company owned computer to visit porn sites. In this case, however, the junior scientist was not even watching any objectionable content but was simply trying to do his job.

The trouble began when he received an email from an apparently known, legitimate source. Attached to the actually phony message was a malicious PDF attachment purporting to be the document of the kind the junior scientist and his supervisor were working to complete a very important research project. Because neither its apparent source nor content appeared suspicious, the junior scientist opened the attachment. When its contents turned out to be unfamiliar, he sought guidance by forwarding the message to the senior scientist who also opened the attachment.

The attachment apparently came from some vendor who was part of the research work too. Junior scientist had no way of knowing that his email account was compromised. When the attachment was opened, it executed malware that infected their PCs and spread to sensitive system modules that the senior scientist had access to. Once the hackers were able to scan through the entire system they could simply take out the information they wanted to access. Some very important research  and the business plans. To get the valuable information competitor never entered the premises of the victim pharmaceutical company. The total damage was calculated at Rs. 7.6 crores. In various countries the Certified Forensic Accounting Professionals are called in to assess the damages caused to the companieI because of the frauds.

This was an attack that involved advance planning and research that had nothing to do with technology. These hackers were skilled spearphishers, whose precisely aimed attack sought a particular type of information accessible only to certain senior staff members of this pharmaceutical company.

The hackers were anxious to not draw attention of their attempt, so they sent only one message to one carefully selected user — the junior Scientist. How did they know to whom to send it? These fraudsters used a very simple technique. When the competitor company hosted a conference related to the subject, an email was sent to the senior scientist. It was an invite to be a speaker. The mail reached him when senior scientist was on vacation and his email sent an auto-responder email. This email also requested to contact the junior scientist in case of emergency. Every fraudster is not however, as lucky as this. In most of the cases of spear phishing they have to do extensive research and reconnaissance — much of it offline — on who worked with whom in the target firms and each employee’s nature of work.

Sometimes, hackers explore the firm’s email address-naming convention. So, when the technological part of their scheme — a virus – gets ready , the hackers know to whom to send it.

Certified Forensic Accounting Professionals are investigating some of the most challenging assignments of investigation of the frauds and aspirants can get into the right network of professionals by obtaining the most valuable certification in India.

- Featured Certification-spot_img