Thursday, February 6, 2020

What We Can Learn from Spear Phishing Attacks: An Interview with Russ Vander Mey

During the month of January 2020, Barrington 220 experienced several targeted spear phishing attacks across a few of our schools. While we have some excellent systems in place that do a good job of identifying and blocking many types of email-based attacks, spear phishing is among the most difficult to identify using automated systems. Luckily, many of our Barrington 220 employees noticed that something was “fishy” and immediately contacted our Tech Support team, who were able to begin taking steps to thwart the attacks right away.

To review, a basic phishing attack is, “the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters” (KnowBe4, 2020a). Spear phishing is similar, but even more targeted and insidious: “an email targeted at a specific individual or department within an organization that appears to be from a trusted source” (KnowBe4, 2020b).

I sat down with our own Russ Vander Mey, Director of Technology Services, and we reviewed the issues, patterns, and lessons we learned from these recent attacks here in Barrington 220.

Russ indicated that the January 2020 attacks were all defined as “CEO Attacks.” In other words, “a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee” (KnowBe4, 2020c). Of course in education, our organizational leaders are superintendents and principals, not CEOs, but the definition still fits the attacks we experienced.

Russ explained the situation. “The ruse was that an attacker contacted employees by email using fake email addresses that impersonated the superintendent or principals. It happened at several of our schools.” Russ noted that the fake email accounts were all Gmail accounts, likely because they are free, easy to create, and perpetrators can name them almost anything. An example fake email account in these attacks would have been brianharris12345@gmail.com or stevemcwilliams54321@gmail.com.

WHAT WE CAN LEARN: Check the To: field. All legitimate Barrington 220 staff email accounts end in @barrington220.org and NEVER @gmail.com. 

Russ continued, “when the attack would begin, the perpetrator seems to have already created the messages, and they send them out all at once to the teachers and staff in a particular school.” How did they get all this information? “The email addresses were found by visiting the public district website and identifying the school leader. Then the attacker used the directory to pick teachers and other staff members to contact.”

The attacks followed a similar pattern, according to Russ. The first email sent was usually short: “Do you have a minute?” This was sent to several staff members at the same time. If a staff member replied, the attacker knew he or she had the staff member's attention. The next email followed quickly with a fictional story stating, for example, (impersonating an administrator) “I’m in a meeting right now and can’t get to a phone. I need 5 Amazon gift cards immediately! Please run down to the store and buy 5 $100 gift cards. Scratch off the numbers on the back and send me a pic. I’ll pay you back this afternoon.”

Another pattern we saw was that the attacker usually wrote in non-standard English (incorrect grammar or other mistakes) and sometimes used expressions that would unlikely be used by the leader being impersonated. For example, in one situation, the attacker impersonating our Superintendent asked to “send me your digits.” While our Superintendent was aware that this was slang for “send me your phone number,” Dr. Harris indicated that this is not a phrase he would ever say, let alone type in an email to a staff member.

WHAT WE CAN LEARN: School district leaders will not ask you to purchase gift cards or provide confidential information. Also be aware of how an email is written. Leaders will not likely write emails using slang or incorrect English.
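The two patterns above (a look-alike sender on an outside domain, followed by a gift-card request) can be checked by a mail filter as well as by a careful reader. The script below is an added example and is not a Barrington 220 tool; the leader directory, the lure phrases and the three sample messages are constructed for illustration, and the only value taken from this post is the district domain barrington220.org.

```python
"""Flag inbound mail that impersonates a known leader from an outside domain.

Added example, not part of the Barrington 220 post. LEADERS, LURE_PATTERNS
and SAMPLES are constructed for illustration.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "barrington220.org"   # legitimate staff addresses end here (from the post)

# Hypothetical directory of people an attacker might impersonate (constructed).
LEADERS = {
    "brian harris": "bharris@barrington220.org",
    "steve mcwilliams": "smcwilliams@barrington220.org",
}

# Phrases typical of the gift-card ruse described in the post (constructed list).
LURE_PATTERNS = [
    r"\bgift cards?\b",
    r"\bdo you have a minute\b",
    r"\bcan.?t get to a phone\b",
    r"\bscratch off\b",
    r"\bsend me (a )?pic\b",
]


def normalize_name(name):
    """Lower-case, drop punctuation and collapse spaces: 'Brian  Harris,' -> 'brian harris'."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def impersonated_leader(display, addr):
    """Return the leader name that the display name or the address local part
    imitates (e.g. brianharris12345@gmail.com), or None when the address really
    belongs to that leader or matches nobody in the directory."""
    if addr.lower() in LEADERS.values():
        return None
    local = addr.split("@", 1)[0].lower()
    shown = normalize_name(display)
    for name in LEADERS:
        if shown == name or name.replace(" ", "") in local:
            return name
    return None


def analyze(from_header, subject, body):
    """Score one message. Each signal is worth one point:
    external sender domain, leader impersonation, lure phrases in the text."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain != ORG_DOMAIN:
        reasons.append(f"external sender domain: {domain or 'none'}")
    leader = impersonated_leader(display, addr)
    if leader:
        reasons.append(f"sender imitates {leader} (expected {LEADERS[leader]})")
    text = f"{subject}\n{body}".lower()
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"lure phrases matched: {len(hits)}")
    score = len(reasons)
    return {"score": score, "reasons": reasons, "suspicious": score >= 2}


def triage(messages):
    """Run analyze() over (from_header, subject, body) tuples."""
    return [dict(sender=m[0], **analyze(*m)) for m in messages]


# Constructed sample messages modelled on the pattern the post describes.
SAMPLES = [
    ("Brian Harris <brianharris12345@gmail.com>", "Do you have a minute?",
     "Are you available?"),
    ("Brian Harris <bharris@barrington220.org>", "Staff meeting",
     "Agenda attached for Thursday."),
    ("Steve McWilliams <stevemcwilliams54321@gmail.com>", "Urgent",
     "I'm in a meeting right now and can't get to a phone. I need 5 Amazon "
     "gift cards immediately! Scratch off the numbers on the back and send me a pic."),
]

if __name__ == "__main__":
    for result in triage(SAMPLES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['sender']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

The first and third samples score on all three signals and are flagged; the genuine message from the district domain scores zero. The local-part check matters because the post's examples carry the leader's name inside the address itself, which survives even when the attacker sends with no display name.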

Since this original series of attacks in January, we have had no additional major spear phishing attacks. Each time our Tech Support team learned of an attack, we immediately escalated the problem and went to work mitigating the threat. Our efforts include sending emails to the affected school staff (or sometimes the entire district), blocking the known fake email addresses, and assisting staff members who may have responded to one or more of the email attacks. These emails about attacks will usually come from Russ Vander Mey.

In general, if an email doesn’t seem quite right, please contact a member of the Barrington 220 Tech Support staff (x. 1500); your building LTA (Library/Technology Assistant) or Teacher Librarian; or, if possible, check in person with the administrator who allegedly sent an unusual or out-of-character email. Please practice the tactics we are teaching in the Security Awareness training we are holding in every building. If you have not yet had the training, you will likely have it soon.



References

KnowBe4. (2020a). Phishing. Retrieved from www.knowbe4.com/phishing
KnowBe4. (2020b). Spear Phishing. Retrieved from www.knowbe4.com/spear-phishing
KnowBe4. (2020c). CEO Fraud. Retrieved from www.knowbe4.com/ceo-fraud
