To demonstrate that not even police forces are exempt from cyber criminality, an unnamed UK police force has been the subject of a spear phishing campaign.

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Typically, an email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get the victim's attention.

In this particular campaign, the intended victims were chief officers within the force, and the emails contained potentially malicious attachments.

The attachment redirected the recipients to a Microsoft Office login page with the user’s email address displayed, prompting the user to enter a password as per the usual Microsoft login windows.

The emails were delivered between 09:00 and 10:00 hours on December 12 with the title “Westshire-pcc November Financial Report” (Westshire used here to hide the actual force name).

Attached to the email was a HTML file named Expense.Report providing the link to the malicious login page.

The link subsequently loaded a HTML page with what appeared to be a standard Microsoft login prompt with the users email address already entered and therefore prompting for just the password.

Prior to this login box being displayed there is also a fuzzy video displayed for an instant that gives the impression of an inbox within Outlook, presumably to give the impression of the user attempting to automatically login to a pre-existing open email account.

To add to the impression of the page being entirely genuine is the use of a background picture of the force headquarters behind the login page and the force crest and title within the login box.

All in all, the campaign was a very in-depth and extremely sophisticated spear phishing attempt to which a recipient could easily be tricked into falling foul of.

The efforts of the threat actors to craft this campaign could easily be adapted to suit other UK organisations with minimal time and effort.

How to spot the signs of spear phishing

Here are some common red flags of a spear phishing attempt:

• Unusual sense of urgency
• Incorrect email address
• Spelling or grammar mistakes
• Asks for sensitive information
• Contains links that don’t match the domain
• Includes unsolicited attachments
• Tries to panic the recipient

Security awareness training is fundamental in preventing any type of phishing attack, especially when many users are working from home. The training is one of the services we offer at the EMCRC.

To prevent spear phishing attacks, organisations should:

• Regularly conduct proactive investigations to find suspicious emails with content known to be used by attackers, such as subject lines referring to password changes.
• Ensure that remote services, VPNs and multifactor authentication (MFA) solutions are fully patched, properly configured and integrated.
• Educate employees on the various types of phishing attacks. Spear phishing knowledge will prepare employees to implement protective measures in real life.
• Know how to validate an email IDs before replying to emails sent from outside the organisation.
• Know how to validate URLs before clicking on links
• Conduct phishing simulations within the company so that employees can practice what they learned from security awareness training. The company can also measure how well their employees understand spear phishing attacks to improve their training courses.
• Search for indications of malicious activity involving DMARC (Domain-based Message Authentication Reporting and Conformance), DKIM (Domain Keys Identified Mail) and SPF (Sender Policy Framework) failures.
• Scan properties of received messages, including the Attachment Detail property, for malware-related attachment types (such as HTA, EXE and PDF) and automatically send them to be analyzed for additional malware indicators.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).