Security Alert
Jonathan Crowe
Apr 2017

Alert: New Highly Customized Phishing Attack Has a 90% Open Rate

Key Details

  • Type of attack: Well-researched spear phishing attacks disguised as flight confirmations.
  • Attack vector: Email
  • Damage/costs: The attacks come in two varieties — one type drops data-stealing malware; the second type steals credentials
  • empty
  • empty
  • empty
  • empty
  • empty

Researchers at Barracuda Networks have uncovered a new wave of sophisticated phishing attacks with one of the highest initial success rates they've ever seen.

The emails — disguised as airline flight confirmations — are highly customized with specific information tailored to their targets, and are tricking employees into opening them 90 percent of the time

Time to warn your users. Here's what to watch out for:

What the emails look like

According to Barracuda researchers, in some cases, the emails are designed to impersonate flight confirmation messages from travel agencies. In other cases, attackers have been able to spoof the email addresses of employees in HR or finance, so the messages look like they're coming from within the victim's organization.

Attackers are specifically targeting organizations in industries known for employing frequent fliers, and are carefully selecting the details they use in the emails to make them appear more legitimate.

Subject lines include itinerary information — including airline, destination, and ticket price — that all make sense in the context of the organization and the recipient. 

Screen Shot 2017-04-06 at 11.52.38 AM.png

Example subject line that's been tailored to the victim


How victims are getting infected

Researchers have spotted two varieties of these attacks:

Scenario 1: Malware hidden in PDFs or Word docs
Some emails contain malicious attachments disguised as flight itineraries or receipts in either PDF or DOCX formats. Once opened, malicious code hidden in the documents tees up and executes malware designed to hide away on the victims device and collect data it then transmits back to the attackers.

Scenario 2: Links to fake websites designed to capture credentials
Instead of using attachments, other campaigns are tricking victims into clicking links that take them to websites designed to either look like legitimate airline websites or even imitate expense systems used by the target organization.

The sites include fields to collect victim information attackers can then use to further infiltrate the organization's network. 

Attackers are investing time into creating highly personalized phishing emails — and it's working

These unfortunately aren't your average spam emails. Attackers are going to the trouble of researching their targets, tailoring their messages with just enough personalized details to avoid scrutiny, and using malware that quietly steals information over time. There's a level of patience and professionalism here that make these attacks stand out from the typicial "smash and grab" ransomware attacks we've been seeing so much of lately.

How to protect your organization from these attacks

Step 1: Make employees aware 

Share this alerts with all relevant employees, specifically those who travel frequently as part of their role. Let them know this is an active threat and show them what to watch out for.

Step 2: Explain how to check flight confirmations the secure way

Let employees know any time they receive emails either confirming or providing updates on flight details they should avoid clicking links provided in the email and instead visit the airline website by typing it directly into their browser. 

Step 3: Be prepared to step in and block malware at runtime 

Training users to be more aware of the threat that phishing poses, and helping them recognize the tell-tale signs of phishing emails is crucial. That said, users are only human, and they will make mistakes. It's important to support them by making sure you have runtime malware defense (RMD) in place to protect your organization if and when a user does get fooled. 

Blocking these attacks at runtime 

It's unfortunately become fairly routine for attackers to use techniques to sneak their malware past static file-scanning solutions like antivirus and even next-generation antivirus

Because RMD doesn't attempt to guess what a static file will or won't do, it can't be fooled by those techniques. Instead, it watches system activity and shuts down malware processes at the first sign of malicious behavior during runtime. 

In the case of these phishing attacks, an employee can be tricked into inadvertently executing the malware payload, but RMD will block it before any harm is done. As phishing attacks continue to become more and more sophisticated, it's more important than ever to provide employees with safety nets that can protect them from inevitable mistakes.

To get more security alerts like these delivered straight to your inbox, subscribe to our blog

To learn more blocking malware during runtime see our Complete Guide to Runtime Malware Defense.

Feature image by Matthew Kane

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.