Spear-phishing campaign impersonates Dubai Police official
Malicious emails read like terror alert from Dubai Police, according to Symantec
Cyber-criminals were last month discovered spoofing a Dubai Police email address in a spear-phishing campaign designed to trick recipients into executing malicious attachments.
According to the Symantec Security Response Blog, the spear-phishing emails read like a terror alert from the Dubai Police and banked on users' fear of terror attacks to trick them into opening the attachments, which were disguised as valuable security tips that could help recipients protect themselves.
To add more credibility to the emails, the cyber-criminals impersonated the incumbent Dubai Police lieutenant general, head of general security for the emirate, by signing the email with his name, Symantec said.
The emails came with two attachments - one was a clean PDF file used for decoy purposes, while the other was a .jar archive containing malware. According to Symantec, analysis of the malware confirmed that the cyber-criminals used a multi-platform remote access Trojan (RAT) called Jsocket. This is a new product from the creators of the AlienSpy RAT, which was discontinued earlier this year.
While this campaign was mainly targeted at UAE-based companies and employees, Symantec said that it had seen similar spear-phishing runs targeting three other countries - Bahrain, Turkey and Canada.
"Like in the Dubai campaign, the cyber-criminals are also using incumbent law enforcement officials' names in these countries to lend credibility to their fake terror alerts, which also purport to provide protective measures supposedly outlined in attached files. The group is expanding their reach and we may see new email models targeting additional countries," Symantec said.
"Interestingly enough, despite not being entirely written in the countries' respective official languages, the emails are pretty crafty. All officials used in the cyber-criminals' scheme are currently in office. The subject in most cases reflects the name of an employee who works for the targeted company. All these details show that the crooks did some research before sending these phishing emails. If they do not have any employee information, then they would email other targets in the company that could provide them an entry point, such as customer service representatives or IT department personnel."
Symantec said that the campaign was aimed at various large companies in the Middle East and Canada. And while the campaign does not target a specific industry, Symantec said that it had observed such emails being sent to the energy, defence contractor, finance, government, marketing and IT sectors.