A group of attackers masqueraded as FinCERT in a recent phishing campaign that targeted dozens of Russian banks.
FinCERT is a department of the Russian Central Bank. In 2014, the Russian Security Council issued an order in which it called for the creation of a center that would respond to targeted attacks and fraud. FinCERT was the country's response.
Alexander Gostev, chief security expert at Kaspersky, has blogged about the phishing campaign on the security firm's Russian portal. At this time, there is no version of Gostev's report available in English.
Fortunately, Salted Hash has provided an overview of the attack.
On March 14, the bad actors behind the phishing campaign registered fincert.net--a lookalike domain for FinCERT, whose legitimate domain is cbr.ru.
The next day, the attackers sent out a series of phishing messages to their targets. These messages were sent out at around noon, presumably in an attempt to capitalize on worker inattention near lunchtime. Additionally, the emails properly incorporated names and addresses from the target banks, information which Salted Hash has confirmed is not discoverable via a public web search.
On March 16, the attackers again sent out targeted pieces of correspondence. The messages themselves included a few spelling errors. However, the attackers took their time on the email attachment--a Word document formatted to look like a legitimate FinCERT bulletin.
Upon being opened, the document downloaded a file signed with a valid code-signing certificate that Comodo had issued to a Moscow company only a few hours earlier. That file, in turn, downloaded a remote administration tool (LiteManager 3.4) onto the target's machine.
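Two of the details above translate directly into mail-gateway and endpoint triage checks: a sender domain that contains a brand name but is not that brand's real domain (fincert.net versus cbr.ru), and a signed file whose code-signing certificate was issued only hours before the file showed up. The script below is an added example, not code from the article, from Kaspersky, or from Salted Hash; the brand-to-domain table, the 24-hour freshness threshold, and the sample `From:` headers and timestamps are constructed for the demonstration.

```python
"""Defensive triage checks modelled on the FinCERT impersonation campaign.

Added example; the BRAND_DOMAINS table, the 24-hour threshold and all sample
inputs are constructed assumptions, not data from the article.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr
from typing import List, Optional

# Brand keyword -> set of legitimate domains. The only entry the article
# supports is FinCERT -> cbr.ru; extend it from your own allowlist.
BRAND_DOMAINS = {
    "fincert": {"cbr.ru"},
}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonated_brand(domain: str) -> Optional[str]:
    """Return the brand keyword a sender domain appears to impersonate.

    A domain is flagged when it contains a brand keyword but is neither the
    brand's legitimate domain nor a subdomain of it. Real mail from cbr.ru
    (including a local part such as fincert@cbr.ru) is not flagged.
    """
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in domain:
            continue
        if any(domain == d or domain.endswith("." + d) for d in legit):
            continue
        return brand
    return None


def cert_is_fresh(not_before: datetime, seen_at: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> bool:
    """True when the signing certificate's NotBefore is within max_age of the
    time the signed file was observed. The signature still verifies; the point
    is that a certificate only hours old deserves extra scrutiny."""
    return timedelta(0) <= seen_at - not_before <= max_age


def triage_message(from_header: str) -> List[str]:
    """Produce human-readable findings for one inbound message header."""
    findings = []
    domain = sender_domain(from_header)
    brand = impersonated_brand(domain)
    if brand:
        findings.append(
            f"sender domain {domain!r} contains brand {brand!r} but is not "
            f"one of its legitimate domains {sorted(BRAND_DOMAINS[brand])}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not the campaign's actual messages.
    for hdr in ("FinCERT <alerts@fincert.net>", "FinCERT <fincert@cbr.ru>"):
        print(hdr, "->", triage_message(hdr) or ["no findings"])

    # Constructed timestamps: certificate issued five hours before the
    # signed file was seen on the endpoint.
    seen = datetime(2016, 3, 16, 13, 0, tzinfo=timezone.utc)
    issued = seen - timedelta(hours=5)
    print("certificate fresh:", cert_is_fresh(issued, seen))
```

`impersonated_brand` is deliberately a substring match on the brand keyword; it catches the exact trick used here (real brand name, wrong registrable domain) but not homoglyph or typo variants, which would need a separate edit-distance or confusable-character check. The certificate-age check is a heuristic for raising review priority, not a replacement for signature validation.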
It is currently unclear whether any banks fell for this attack.
As Salted Hash is careful to emphasize, these bad actors went to great lengths to make their phishing campaign appear as legitimate as possible. This included taking great care in formatting the emails, the malicious attachments, and even the fake domain of an organization that is supposed to help organizations avoid computer criminals.
But the attackers did slip up by leaving spelling mistakes in their messages. Grammatical errors are a tell-tale sign of bad actors looking to phish for your credentials. Any security awareness training program with a phishing element will emphasize that fact and will give employees the tools to help them stay alert for scams and other attacks, even if it's lunchtime.