According to one expert, the FIN4 attack group’s successful advanced phishing operations prove that phishing attacks can’t be thwarted solely with user awareness training.
Now, phishers are becoming so adept at crafting compelling lures that one expert has warned education alone is no longer enough to mitigate the most sophisticated phishing attempts. FIN4 is capable of using targeted language, geared toward specific organizations and even individuals, that increases the likelihood of eliciting the desired response. For instance, the FireEye report documented a phishing exercise by the group that was modeled as a whistleblower-style email, informing someone about an employee who had allegedly disclosed private business matters on the Web.
Don Jackson, director of threat intelligence at antiphishing vendor PhishLabs, based in Charleston, S.C., said that the details involved in FIN4’s execution are typical of top-tier “whaling” attacks, those cases when an individual is subjected to spearphishing attempts because they hold valuable information or wield influence within an organization.