"The aim of phishing is normally to get full access to the machines, and this attack is no different. However, because FIN4 doesn't actually drop malware onto victims' machines but instead mimics normal user behaviours, it will make this type of activity incredibly hard to detect.
The simplicity involved in redirecting mails containing the words ‘attack’ and ‘phishing’, and yet its success, shows the way attackers are bypassing modern-day defences and exploiting end-user behaviour.
Targeting of the healthcare and pharmaceutical sector for fraud reasons is new; normally they are targets for intellectual property theft, but in this case criminals have found a new way of insider trading. It was only a matter of time.
This case also proves how successful social engineering is – organisations need to keep staff educated on threats like this and help them understand why those in highly visible roles should consider minimising their online footprint. To minimise the risks, user awareness training is essential. If we can get people to report phishing emails in the correct way, the original emails filtering through would be caught and dealt with, thus minimising the risk at the outset.
As people are the cause here, they are also the solution. Humans make mistakes, and that’s why attackers target humans through phishing; this technique continues to be the most successful – in this example, the way attackers operate afterwards shouldn’t matter, as long as the root cause is being fixed.
It is hard to stop employees opening emails from internal mailboxes (i.e. once the attackers have already gained a foothold and are using another account), and it is also hard to stop rules being set up. So to minimise the risks of these attacks, organisations need to instil a security culture amongst staff. It is an internal communication plan alongside user behaviour change management that needs changing; regular phishing assessments help reduce this risk and create best practice."
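The commentary above notes that the attackers' inbox rules quietly filtered out mail containing words such as ‘attack’ and ‘phishing’, and that such rules are hard to prevent. What a defender can do is audit them. The script below is an added example, not part of the quoted commentary or any vendor tool: it scans a JSON export of users' mailbox rules and flags rules that hide mail mentioning security warnings or divert mail to external addresses. The rule records, the field names (mailbox, name, conditions.contains, actions, targets), the internal domain example.com and the keyword list beyond ‘attack’/‘phishing’ are all constructed assumptions for the example.

```python
"""Flag mailbox rules that hide security warnings or divert mail externally.

Added example (not from the quoted commentary). The rule records below are
constructed to resemble a generic JSON export of users' inbox rules; the
field names are an assumed schema, not any specific product's format.
"""
import json

# Keywords the commentary says FIN4-style rules filtered on ('attack', 'phishing'),
# plus a few assumed additions a defender would reasonably watch for.
WARNING_KEYWORDS = {"attack", "phishing", "hacked", "compromised", "malware", "suspicious"}

# Actions that keep a matching message out of the user's normal view.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "mark_as_read", "move_to_folder"}
# Actions that send a copy of (or the whole) message somewhere else.
DIVERTING_ACTIONS = {"forward", "redirect"}

# Constructed: the organisation's own mail domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export: one hiding rule, one benign rule, one external
# forward and one internal (legitimate) forward.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "cfo@example.com", "name": "Cleanup",
     "conditions": {"contains": ["attack", "phishing"]},
     "actions": ["delete"], "targets": []},
    {"mailbox": "cfo@example.com", "name": "Newsletter",
     "conditions": {"contains": ["newsletter"]},
     "actions": ["move_to_folder"], "targets": ["Newsletters"]},
    {"mailbox": "legal@example.com", "name": "Sync",
     "conditions": {"contains": ["merger"]},
     "actions": ["forward"], "targets": ["drop@example.net"]},
    {"mailbox": "legal@example.com", "name": "Delegate",
     "conditions": {"contains": []},
     "actions": ["forward"], "targets": ["assistant@example.com"]},
])


def is_external(address):
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule):
    """Return a list of finding strings for one rule (empty if nothing suspicious)."""
    findings = []
    words = {w.lower() for w in rule.get("conditions", {}).get("contains", [])}
    actions = set(rule.get("actions", []))
    targets = rule.get("targets", [])

    # Pattern 1: a keyword filter on security warnings combined with a hiding action.
    hidden_words = words & WARNING_KEYWORDS
    hiding = actions & HIDING_ACTIONS
    if hidden_words and hiding:
        findings.append(
            f"hides mail mentioning {sorted(hidden_words)} via {sorted(hiding)}")

    # Pattern 2: forwarding or redirecting to an address outside the organisation.
    if actions & DIVERTING_ACTIONS:
        external = [t for t in targets if "@" in t and is_external(t)]
        if external:
            findings.append(f"diverts mail to external address(es) {external}")
    return findings


def scan_rules(rules_json):
    """Return {(mailbox, rule name): [findings]} for every rule with a finding."""
    report = {}
    for rule in json.loads(rules_json):
        findings = assess_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in scan_rules(SAMPLE_RULES_JSON).items():
        print(f"{mailbox} rule '{name}':")
        for finding in findings:
            print("  -", finding)
```

Run on the sample export it reports the CFO's "Cleanup" rule (deletes mail containing ‘attack’ or ‘phishing’) and the legal mailbox's "Sync" rule (forwards to an external domain), while the newsletter filter and the forward to an internal assistant pass. In practice the same checks belong in a scheduled job over a real rule export, with alerts routed to the security team rather than to the mailbox owner, since the owner's account may be the one the attacker is using.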