May 2017, Issue 89


Beware of spear phishing
Centre for IT Services


What is Spear Phishing?
Spear phishing is an email-spoofing attack that targets a specific individual or organization to gain unauthorized access to sensitive information. Spear phishing attempts are not typically initiated by random hackers; they are more likely conducted by perpetrators after financial gain, trade secrets or military information.

How does it work?

Cybercriminals use social engineering, such as making phone calls while posing as a co-worker and asking questions, to gather information about the company and its operations. A malicious phishing email is then sent to the target organization using the name of someone who is usually in a position of authority, so that the email seems more trustworthy.

Professor Aaron Ferguson, a visiting professor at the United States Military Academy, called it the “colonel effect”. As an illustration, he sent an email message appearing to come from a Colonel Robert Melville to 500 cadets, asking them to click on a link to verify their grades. Over 80% of the recipients clicked on the link in the email message. In response, the recipients received a notification that they had been duped and a warning that such behaviour could have resulted in the download of malware.

New Spear Phishing Campaign

A cybercriminal group, FIN7, recently launched a new spear phishing campaign targeting retail, hospitality and financial organisations.

The targeted organisations are US-based with a global presence and include:

  • Financial services with victims having insurance, investment, card services
  • Transportation
  • Retail
  • Education
  • IT Services
  • Electronics

The FIN7 group embeds LNK files in DOCX and RTF documents; when opened, these shortcuts execute VBScript and PowerShell code that infects the victim with the Halfbaked backdoor malware. An LNK file is a Windows shortcut file that links directly to an executable file, so a document that carries one can launch a program the moment the user double-clicks the embedded object.
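The infection vector above (a shortcut embedded in an Office document whose target is a script interpreter) can be spotted on the defender's side without opening the document. The following is an added example, not code from the advisory or from any vendor: it walks every part of a DOCX (which is an OOXML zip), looks for the fixed ShellLink header that every .lnk file starts with, parses the LinkFlags and StringData fields per the public MS-SHLLINK layout to recover the shortcut's relative path and command-line arguments, and flags any shortcut that points at PowerShell, WScript/CScript, cmd.exe or similar. The `build_lnk` and `build_sample_docx` helpers only exist to construct test inputs; the embedded-object layout they produce (a raw .lnk inside an `oleObject1.bin` part) is a simplification of the real OLE container, and RTF files, which hex-encode the same object in an `\objdata` group, are not handled here.

```python
import io
import struct
import zipfile

# ShellLinkHeader prefix from MS-SHLLINK: HeaderSize (0x4C) followed by the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000C000000000000046")
HEADER_SIZE = 76

# LinkFlags bits (MS-SHLLINK section 2.1.1) that decide which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Interpreters a shortcut embedded in a document has no business launching.
SUSPICIOUS_TOKENS = ("powershell", "wscript", "cscript", "cmd.exe", "mshta", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Minimal ShellLink parse: returns LinkFlags plus any StringData fields present."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags sit right after the CLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags}
    # StringData entries appear in this fixed order, each prefixed by a character count.
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += width * count
    return result


def find_embedded_lnk(docx_bytes: bytes) -> list:
    """Scan every zip part of a DOCX for ShellLink blobs and classify each one."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            start = blob.find(LNK_MAGIC)
            while start != -1:
                try:
                    lnk = parse_lnk(blob[start:])
                except (ValueError, struct.error):
                    break                           # truncated or malformed blob
                text = " ".join(v for k, v in lnk.items() if k != "flags").lower()
                lnk["part"] = info.filename
                lnk["suspicious"] = any(tok in text for tok in SUSPICIOUS_TOKENS)
                findings.append(lnk)
                start = blob.find(LNK_MAGIC, start + len(LNK_MAGIC))
    return findings


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed test data: a Unicode .lnk carrying only RELATIVE_PATH and optional arguments."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = LNK_MAGIC + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc. left zero
    body = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body


def build_sample_docx(lnk: bytes) -> bytes:
    """Constructed test data: a minimal OOXML zip with the shortcut in an embedded-object part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + lnk)  # stand-in OLE wrapper
    return buf.getvalue()


if __name__ == "__main__":
    malicious = build_sample_docx(build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                                            "/c powershell.exe -NoProfile -Command Get-Process"))
    benign = build_sample_docx(build_lnk("..\\report.pdf"))
    for label, doc in (("malicious", malicious), ("benign", benign)):
        for hit in find_embedded_lnk(doc):
            print(label, hit["part"], hit.get("relative_path"), hit.get("arguments"), hit["suspicious"])
```

Run it as a mail-gateway or sandbox pre-filter on incoming attachments: a document that carries any ShellLink object at all deserves a closer look, and one whose arguments reference a script interpreter should be quarantined rather than delivered.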

The Impacts

Once infected, the Halfbaked backdoor malware can perform the following actions:

  • Sends out victim machine information (OS, processor, BIOS and running processes)
  • Takes screenshots of the victim machine
  • Executes a VBScript
  • Executes a PowerShell script
  • Deletes a specified file
  • Updates a specified file

FIN7's previous campaign deployed multiple point-of-sale malware variants to collect and exfiltrate sensitive financial data for fraudulent banking transactions, ATM hijacks and other monetization schemes.

Useful Tips

  • Do not divulge personal and corporate information online, through emails or over the phone, as attackers may use them to draft malicious phishing emails
  • Do not click on suspicious links or open suspicious attachments in emails
  • Do not provide personal or corporate information over the phone

What should you do?

Always be suspicious of unexpected requests for confidential information; do not divulge personal data in response to emails, and do not click on links in suspicious email messages.

For more advisory information, please check with our Service Desk (

Source: Quann Intelligence Advisory 036/2017