Spear Phishing Targets Rock and Mineral Clubs

Take common-sense steps to protect your club.

0

by Mark Nelson, AFMS BEAC
(AFMS newsletter)

We know that “phishing” is an attempt by criminals to use means such as the internet and emails to obtain money. Using emails, there are two ways you can send phishing campaigns.

The first is “spray-and-pray”, which is a shotgun approach. Get as many email addresses from the organization you can, and send them all an email that they might click on.

The second approach is to decide what data you are after, then figure out who has access to that data and specifically target those people. That is the spear phishing approach. There are thieves out there who believe that they need the treasury of rock and mineral clubs more than do the members of those clubs! Spear phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators targeting specific people or groups for financial gain. This was first brought to my attention in 2015, and it is still affecting rock and mineral clubs throughout North America. Knowledge is the best armor against becoming a victim of these criminals!

Spear phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source; it’s actually cybercriminals attempting to steal confidential information or to convince a person to send them money. These criminals know that our hobby is staffed by volunteers untrained in cyber security.

In our hobby, we have websites that serve to share our hobby with our members and prospective members. We post past issues of newsletters for reference and so that prospective hobbyists can see the enjoyment that we bring to those who will participate in it with us. In a spear phishing attack, threat actors use their acquired knowledge of the potential victims to target them, and that approach allows them to tailor the attack. These emails are more convincing and harder to detect than regular phishing emails. The attacker knows exactly who and what they’re targeting.

These cyber criminals use a technique called “water-holing”. This technique takes advantage of our hobby websites that people regularly visit and trust. The attacker will gather information about a targeted group of individuals to find out who to target at those websites. Often, there are emails listed for key people, and they know that. They mine our websites for terms such as “president” and “treasurer”, and they read more to get the emails of the individuals that they will be targeting from those groups—particularly for the club’s treasurer.

Cybercriminals create bogus profiles to try to trick the person with the information or money that they want. They will impersonate a celebrity or one of your friends or colleagues. These profiles look very much like the real thing, and it’s easy to get tricked. They try to impersonate a person that the bad guys already know you like and trust. They will then send fake emails to attempt to steal money or information. These criminals are targeting institutions, businesses and individuals. The examples and defenses can take a lot of explaining, but this is typical of how it works in our hobby:

  1. The cyber criminals (we’ll call them the Red Box group) have identified the Ace Mineral Club as one that is active and that has a lot of members and activities. They know that activities need money and that members equal money. They know that most of these groups have vendors from which they buy supplies, equipment, parts and such. The criminals also know that our clubs may have annual shows, and that at these shows are people we call “vendors” or “dealers”.
  2. The Red Box criminals have identified Melinda Stone as the president and Alice Agate as the treasurer of this group.
  3. With email providers such as AOL, Gmail, Hotmail and such, there is a simple way to have your outgoing emails read your name instead of your email address. This gives you the option to have your outgoing emails sent with a degree of personalization. Red Box changes the name on his email to Melinda Stone.
  4. Alice Agate, the club’s treasurer, receives an email from Melinda Stone. It reads something like this: “Alice, What’s the status of the payment to the vendor? Has it been processed yet? Please send $2,715.43 to Able Arnold, P.O. Box 243 in Random City as quickly as possible! I’m tied up in a project at work, please reply by email when this is done. Melinda.”
  5. Alice has never been advised by Melinda to do anything that wasn’t in the interest of the Ace Mineral Club and she trusts her. What Alice does next will determine the fate of those club funds. I know for a fact that these sorts of spear phishing activities have resulted in club monies being sent to the bad guys in response to fake requests. These criminals are not trying to take over your computer to try to get data. They are going after YOU instead. They know that they don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content. This means it does not matter if your workstation is a PC or a Mac, a tower, laptop or workpad. The last line of defense is—you guessed it—YOU!

What can we do to prevent this kind of theft? First, if the email request is unexpected, look at the email of the sender and hover your cursor over the name. This may expose the true sender. You may also be able to right click on the name to expose the actual sender. Many times, the attacker will employ a sleight-of-hand (like magicians do) so you think you are reading an email address correctly, but they’ve actually switched out, added or replaced characters (commonly known as substitution and transposition). It’s common to see legitimate email addresses with an “m” replaced with an “r” and “n”, a lowercase “L” switched out with the number “1”, or a .com email reading as .co instead. Even the slightest change in an email address means the email is going somewhere else. In the case of our president’s email of melindastone, the “rn” substitution would make it look real: rnelindastone.

Second, make sure that the members of your society or club’s board of directors are aware of these rock and mineral hobby attacks, and that they have policies in place to prevent checks from being issued to the criminals. These policies should include:

  1. All checks are kept with the Treasurer.
  2. No signed or blank checks are given to anyone else in the club “just in case”.
  3. No checks are created without prior board approval that specifically lists the payee, expense category, and the exact approved amount.

Third, forward all fraudulent phishing emails to the U.S. Department of Homeland Security Computer Emergency Readiness Team’s Anti-Phishing Working Group: phishing-report@us-cert.gov.


Additional resource:
What Is Phishing? https://www.avast.com/c-phishing