Cloudmark Trident Blocks W-2 Spear Phishing Attack

Cloudmark’s new spear phishing protection solution, Cloudmark Trident, successfully detected a recent series of spear phishing attacks that are tailored to steal employee W-2 tax information from businesses. This attack has been escalating recently, with the spear phishing attack successfully extracting the personal data of thousands of employees from business such as Seagate Technologies. Coming from an organized group of fraudsters impersonating an executive at the target company, these phishing attempts target HR and finance departments with requests for all employees’ W-2 tax information. This method of attack has been successful enough to capture the W-2 information of an entire company’s workforce every week, on average, so far in this U.S. tax season. Where general phishing messages attempt to lure a wide audience into taking some prescribed action for the attacker, spear phishing messages go further and personalize the attack content to a specific individual, leveraging likely existing trust relationships the intended target has. This type of focus on specific business employees is often referred to as a Business Email Correspondence (BEC) attack. Attackers leverage detailed knowledge of the company to slip in and gain a user’s trust. In this case, the attackers forge emails that appear to come from the companies CEO. These forged messages asking for employee W-2’s are then sent to individuals in the HR or finance department. This custom tailored scenario is so specific, from your CEO to you, that the fraudulent request often goes unquestioned.

Stopping the Problem

Disclaimer: due to data privacy concerns, the company and individual names have been redacted. BEC attacks of this exact nature are now being seen at Cloudmark trial customers during this year’s U.S. tax season. An employee, referred to by the redacted name “Jane”, of this business, “Acme”, received a message this past week from what appeared to be the CEO, “Joe Smith”, with the subject:

Subj: Request for all employees' 2015 W2

However, before this spear phishing attack ever landed in Jane’s mailbox, Cloudmark Trident was able to automatically detect and stop the message. Cloudmark Trident used several criteria to detect that the message was in fact not legitimate. First, through Cloudmark Trident’s behavioral analysis capabilities, it was able to deduce that the email was impersonating Joe Smith’s (CEO) email address. It was also able to use it’s state-of-the-art context analysis engine to classify the email’s call to action reply-to as an impersonation attempt. Cloudmark Trident also leverages Cloudmark’s Global Threat Network, the world’s largest commercially available messaging threat database, to determine illegitimate domains and IPs that are used in these attacks.

Successful Attacks

Unfortunately, not everyone's mail has the same level of protection. Brian Krebs of Krebs on Security broke news Sunday that the popular data storage company Seagate Technology recently became the newest victim of this exact same form of spear phishing BEC attack. A spokesman for Seagate, Eric DeRitis, confirmed that its current and former U.S.-based employees’ W-2 tax forms had been sent “to an unauthorized third party… by and employee who believed the phishing email was a legitimate internal company request.” While no specific number was given, the spokesman did acknowledge that thousands of employees were impacted by this mistake. Sadly, employees of Seagate Technology are not alone. Steve Ragan of CSO Online details numerous other incidents in recent weeks that are nearly identical to Seagate's. Snapchat, and subsequently its employees, suffered a similar blunder a week ago. This led to roughly 700 employees having their information stolen. Prior to Snapchat, Central Concrete Supply Co., Mercy Housing Inc., Magnolia Health Corporation, BrightView, and Polycom have all been taken by this type of spear phishing. Considering that the U.S. tax season began seven weeks ago on January 19th, one company a week is known to fall victim to this W-2 spear phishing. While companies should educate their employees about these type of attacks, even savvy users can fall victim. To completely protect your organization, you need both educated employees, as well as technology that can stop spear phishing attacks before they reach the inbox. Click here to request a free trial of Cloudmark Trident. For more information on Cloudmark Trident, visit the Cloudmark Trident Product Page.