Spear Phishing Attacks in Malaysia

The integrity of Malaysian commercial and government computer systems continues to be threatened by an increase in spear phishing attacks by groups based overseas.

Phishing attacks occur where mass emails are sent to large numbers of users, enticing them to click on a link or open an attachment that releases a malware payload onto the smartphone, computer or IT system. Phishing messages often appear to come from a large and well-known company or website with a broad membership base, such as Google or PayPal: the attacker is playing the numbers, since the larger the audience, the higher the chance that some recipients will be duped.

Spear Phishing Attacks
In the case of spear phishing attacks, the apparent source of the email is likely to be an individual within the recipient's own professional or social group, generally someone in a position of authority or someone the target knows personally. The term 'spear' indicates that the target has been selected and their background researched, either to increase the chances of success or because the target is significant.

The main delivery vector for spear phishing attacks over the past few years has been email. In Malaysia, email was the most favoured weapon for a wide range of cyber-attacks. During 2016, authorities reported that one out of every 130 emails sent to users in Malaysia contained a malicious link or attachment, a fourfold increase in a single year, which indicates the growing difficulty companies face in protecting their systems.

Spear Phishing Attack in Malaysia
An example of a successful spear phishing attack occurred in 2014, when around 30 computers at Malaysian law enforcement agencies investigating the disappearance of Malaysia Airlines flight MH370 were reportedly hacked, with the perpetrators making off with confidential data on the missing aircraft.

Asia News Network reported in 2014 that the computers of 'high-ranking officials' in several Malaysian aviation and security agencies were hacked and classified information removed. The point of entry was said to be a spear phishing email carrying a malicious executable disguised as a PDF document. When the attachment was opened, the user's machine was infected with malware that gave the attacker remote access to the PC and sent stolen information back to an IP address in China.

The spear phishing email, with the subject line 'Over the South China Sea' and dated 9 March 2014, one day after the Malaysia Airlines MH370 aircraft went missing, contained 'sophisticated' malware disguised as a news article about the missing Boeing 777.

The timing of the email indicates that the malware itself was prepared in advance, with the lure crafted within a day of the disappearance, and launched by persons unknown to break into Malaysian government systems and extract information. Some Malaysian government agencies reported that their networks were congested with email being transmitted out of their servers; these emails carried confidential data from the officials' computers, including minutes of meetings and classified documents. Attribution of cyberattacks is difficult: although the exfiltration IP address was in China, an exfiltration endpoint can be a relay, and the attackers could have been located anywhere in the world.

Spoofed Email Addresses
Another form of spear phishing attack is the spoofed email instructing the target to reset their Gmail or other online email password, diverting them to a spoofed site where they enter their username and password. The credentials are captured by the attackers, who then log in to the real account. This method was used to access the Gmail account of John Podesta, chairman of Hillary Clinton's 2016 presidential campaign. The hackers downloaded emails, attachments and reports, and details from Podesta's emails were later leaked online to damage the Clinton campaign.
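The two lures described on this page, the executable disguised as a PDF in the 2014 MH370 attack and the spoofed password-reset link used against Podesta, can both be caught by simple checks on the message itself: compare an attachment's magic bytes with the type its filename claims, and compare the host shown in a link's visible text with the host its href actually points to. The following Python script is an added example, not code from the original article or from any product it mentions; the sample message, sender domains, recipient and attachment name are constructed for the illustration and are not the real 2014 lure.

```python
"""Flag the two spear-phishing lures described above: an executable disguised as a
PDF attachment, and a password-reset link whose visible text names one host while
the href points at another. Added illustration; sample message and domains are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Magic bytes identify content regardless of filename: Windows PE files start
# with "MZ", real PDFs with "%PDF". EXECUTABLE_EXTS are types Windows runs directly.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

def sniff(data: bytes) -> str:
    """Return the type implied by the file's leading bytes."""
    return next((kind for prefix, kind in MAGIC.items() if data.startswith(prefix)), "unknown")

def check_attachment(filename: str, data: bytes) -> list[str]:
    """Flag executables, double extensions and name/content mismatches."""
    findings, kind = [], sniff(data)
    exts = filename.lower().split(".")[1:]
    if kind == "exe":
        findings.append(f"{filename}: content is a Windows executable (MZ header)")
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"{filename}: double extension hides an executable type")
    if exts and exts[-1] == "pdf" and kind != "pdf":
        findings.append(f"{filename}: named .pdf but content does not start with %PDF")
    return findings

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_links(html: str) -> list[str]:
    """Flag links whose visible text looks like a URL on a different host."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if re.match(r"^(https?://|www\.|[\w-]+(\.[\w-]+)+(/|$))", text, re.I):
            shown, real = host_of(text), host_of(href)
            if shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    return findings

def scan_email(raw: bytes) -> list[str]:
    """Walk every MIME part and collect findings for the whole message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings += check_attachment(filename, part.get_payload(decode=True))
        elif part.get_content_type() == "text/html":
            findings += check_links(part.get_content())
    return findings

def build_sample() -> bytes:
    """Constructed lure combining both techniques (not the real 2014 message)."""
    msg = EmailMessage()
    msg["From"] = "Security Team <no-reply@accounts-google.example>"
    msg["To"] = "target@agency.example"
    msg["Subject"] = "Someone has your password"
    msg.set_content("Reset your password now.")
    msg.add_alternative('<p>Someone just used your password. Reset it at '
                        '<a href="http://accounts-google.example/reset">'
                        'https://accounts.google.com/reset</a></p>', subtype="html")
    # Stand-in for the "PDF" that is really a program: a bare MZ header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="MH370-news-article.pdf.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_email(build_sample()):
        print(finding)
```

The attachment check trusts the magic bytes over the filename, so renaming the executable or inserting ".pdf" into its name does not hide it. The link check only compares hosts when the visible text itself looks like a URL; a "Click here" link needs a different rule, such as an allow-list of hosts the organisation expects to see in password-reset mail.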

As the email attack vector is expected to continue to expand, employees and systems administrators should exercise caution before opening attachments or clicking on unexpected web links. A Secure Email Gateway with effective filtering, such as MailMarshal, should be implemented as a first step to stop infected emails reaching users. Filtering alone is not sufficient, however: a credential-harvesting page like the one used against Podesta defeats the gateway once the user types in a password, so multi-factor authentication on email accounts is needed to limit the damage from stolen credentials.

Recent industry surveys in Malaysia have indicated that five out of every six large companies have been targeted by spear phishing attacks. Small businesses have also seen an increase in spear phishing, often with attacks seeking online banking credentials.

Current studies in Malaysia and the USA have noted that attackers use the stolen email account of one victim within a company to spear-phish colleagues, since a message from a genuine internal address is far more convincing; they often work towards accounts with higher privileges and so gain access to more of the network and its databases.

Ongoing Threat
Spear phishing attacks present a real and current danger to company, organisation and government computer systems; only effective filtering tools, education of users about the threat and continued vigilance can defend against them.