The Secret to This Email Phishing Campaign is Volume
FireEye says a newly characterized cybercriminal gang, FIN11, has been launching widespread email phishing campaigns for the past four years. The group isn’t particularly sophisticated, but FireEye’s Mandiant unit says FIN11 stands out due to the “sheer volume of activity” it’s responsible for.
“There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week,” FireEye says. “While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.”
FireEye believes the volume of the FIN11’s activity makes up for its lack of sophistication, since the group can simply choose how to move forward after one of their phishing emails happens to compromise a victim.
“Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in [a] few instances,” FireEye says. “This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”
FIN11 also changes its tactics as more effective attack strategies become apparent. This manifested itself in the group’s recent shift to using ransomware and data theft to extort victims.
“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands,” the researchers write. “The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”
The criminal threat evolves, and security training needs to keep pace with it. New-school security awareness training can enable your employees to identify and thwart both sophisticated and untargeted phishing attacks.