I Spy With My Little EyePyramid: Siblings Phish Italy
In recent news, Italian siblings 45-year-old Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero were arrested for having installed malware on a major bank president’s system, 2 former prime ministers, a sitting mayor, a former deputy governor of the Bank of Italy and thousands more. While many of the details are still being questioned, one fact that has come out is that Giulio was one of the co-founders of the Westland Securities investment group. As a brief side note, while many news outlets are reporting these attacks as spear phishing, without seeing the emails to be able to confirm, we are hesitant to call it spear phishing. In order for it to be classed as such, the emails would have to be targeted against the recipient in particular. According to Phishing Dark Waters by our own Michele Fincher and Chris Hadnagy, a spear attack consists of the attacker doing in-depth research on a target and crafting the attack specifically for them. In this case, the goal was the installation of a malware package, and other than the list of people attacked, there is no evidence that the emails fit the rest of the criteria.
With hitting these targets, the siblings were able to get insider information on companies and banking decisions which could easily have netted them millions of dollars in revenue. Having a hand in the political and business spheres allowed them to move across a variety of verticals, gaining money and power as they went.
Phishing works by enticing a person to click or open a file through curiosity, fear, greed or any combination of emotions, which cause the reason centers of the brain to take a back seat to the amygdala, the emotion center of the brain. And make no mistake, phishing is effective. In the second quarter of 2016, phishing emails hit an all-time high, setting new records for the number of phish sent.
Interestingly enough, the duo was able to operate under the radar of law enforcement for nearly 7 years without any real investigation, with their activity spiking in 2014. How did they get caught? An administrator for ENAV, the Italian company in charge of air traffic control, received a suspicious email and reported it. This lead to the unraveling of the malware and tracing it back to the suspects.
In many cases, things to look for in a suspicious email are: Did you expect the email? Is it coming from a known source? Is it trying to compel you to an action by using an emotion (i.e. greed, fear, curiosity, use of a time constraint, etc.)? When you put your mouse over the link, does it go where it claims to? If the answers to any of these are no, you should contact your administrators immediately and let them review it. If you don’t have an administrator? Don’t click. Go to the site or source and try to contact the sender via known good channels.
As always be smart, be informed, and be safe.
For a detailed review of the malware used check out this link: http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/