Kaspersky has uncovered a cyberattack that is being used to rob Russian banks. The attack is being called “well planned and executed” in the press.

The attack is a model of deception — the core of spearphishing. Deception is not a computer science concept; deception is a concept of human cognition. Spearphishing is deception perpetrated with computers. Attackers know that people open email based on perceived relevance, urgency cues and habit. In this case, the attackers knew that bank employees would perceive emails from FinCERT, the Russian banking regulator, as relevant and urgent, and would, as a matter of habit, open such emails. Armed with this knowledge of people, the attackers obtained the domain “fincert.net” and used it to send alluring emails with malicious attachments. Kaspersky provides a sample attack email:

[Image: sample fake FinCERT email]

Email detectives will recognize that fincert.net is not the real domain of FinCERT. FinCERT’s real domain is cbr.ru. FinCERT sends real emails from fincert@cbr.ru, not info@fincert.net. It is particularly important to observe that this extremely effective deception did not use a domain that was in any way similar to the real domain: fincert.net is not cbr.ru. Technical defenses such as DMARC would stop bad guys from using cbr.ru itself, but would not stop the use of domains that trick users — in this case fincert.net. This class of domain is known as a “cousin domain” because it appears to users to be related to the trusted domain. This attack worked because the recipients mistakenly concluded that fincert.net was a trusted sender, and that mistake was reinforced with a well-crafted message consistent with the trust reposed in the real FinCERT. In this case, the attack message was about a real security incident – exactly the sort of message a bank would expect to receive from bank regulators.

SP Guard is designed to disrupt email deception.