The Eurocontrol Phish: When the Routine Becomes Remarkable
The Eurocontrol Phish: When the Routine Becomes Remarkable

Security news over the past few weeks has been dominated by a number of innovative, sophisticated phishing and ransomware attacks that have proven alarming and highly destructive. When malicious actors manage to leverage Google's own network and apps to execute a widespread phishing scheme or marry ransomware to an exploit-based network worm, you can expect that the security industry, and indeed the mainstream news media, will sit up and take notice.

In this kind of news environment it is easy to lose sight of the fact that older, less sophisticated phishing schemes retain their ability to do damage to targeted companies and organizations, allowing confidence tricksters to siphon money through fraudulent means by employing well-worn social engineering schemes against overworked employees who regard all too many aspects of their jobs to be routine and unremarkable.

In what follows, we explore one particular confidence scheme that has been executed through email against companies and organizations within the aviation industry -- a phishing campaign that has been going on since at least 2010 if not earlier. Although we have little data on just how successful this campaign has been, the fact that the bad guys continue to pursue it suggests they have enjoyed some amount of success with it. More importantly, though, this campaign provides a blueprint for the execution of similar, targeted, industry-specific phishing campaigns.

What is Eurocontrol?

This particular confidence scheme is a variation of the typical CEO Fraud or Business Email Compromise phish, although some in the industry have noted characteristics that it shares with the now infamous 419 Scam and other similar advance fee scams. Targeted at companies and organizations that operate in the aviation industry, it attempts to leverage routine billing that potential marks receive from an organization known as Eurocontrol.

What is Eurocontrol? Put simply, it is the European Organisation for the Safety of Air Navigation. According to its own web site...

"EUROCONTROL is an intergovernmental organisation with 41 Member and 2 Comprehensive Agreement States. We are committed to building, together with our partners, a Single European Sky that will deliver the air traffic management (ATM) performance required for the twenty-first century and beyond."

Eurocontrol provides a number of air traffic management services to airports as part of a larger effort to create an efficient, integrated air traffic management system (ATM) for the whole of Europe. Airlines and aviation service companies that fly into or from airports where Eurocontrol has a presence are regularly billed by Eurocontrol for route and terminal charges.

It is this routine, regular billing process that attracted the attention of the bad guys, who recognized an opportunity to intervene in that process and fraudulently help themselves to payments that should rightly be going to Eurocontrol for ATM services rendered.

The Eurocontrol Phish

In this particular, industry-specific phishing campaign malicious actors representing themselves as Eurocontrol employees send emails to selected employees (usually in the accounting or finance departments) at airlines and aviation service companies. The social engineering scheme employed sees the bad guys attempting to persuade targeted employees that payment processes at Eurocontrol have recently changed, and that future payments should be sent to an updated bank account controlled, of course, by the bad guys themselves.

In our experience (provided by customer companies who have shared with us such phishes via the Phish Alert Button) there are two basic variants of the initial email that targeted employees receive: the short version and the long version.

The short version simply asks employees to notify the bad guys (posing as Eurocontrol employees) when they receive a new invoice from Eurocontrol:

Employees who respond as requested can expect to be engaged in an email exchange in which the bad guys provide "updated" payment instructions.

In the longer version of this phish employees are told that payment on recent Eurocontrol invoices has not been received and that they should expect to receive updated payment instructions for a new bank account:

A rarer version of the longer phish sees the bad guys simply proceed straight to the main point of the social engineering scheme, the updated bank details:

Many readers will recognize similarities between the Eurocontrol phish and CEO Fraud or Business Email Compromise phishes such as the ubiquitous wire fraud phish and W-2 phish. The key difference, of course, is that the bad guys here draw the authority needed to drive this phish not from the President or CEO of a company but rather from an outside organization with which targeted employees should already be familiar.

Making It Work

In the Eurocontrol phishes we have received through the Phish Alert Button (PAB) we have seen the bad guys employing a number of techniques to power this social engineering scheme.

1. The bad guys often spoof real Eurocontrol employees whose personal details and role at Eurocontrol can be found online. Indeed, targeted employees may have already communicated with these very individuals in previous exchanges with the real Eurocontrol. Even when not spoofing actual Eurocontrol employees, the bad guys go out of their way to present a convincing front, using full, detailed email signature blocks with carefully selected personal names that sound vaguely European.

2. The bad guys often use anonymously registered, fake Eurocontrol domains. Eurocontrol's actual domain is eurocontrol.int, but we have seen the following spoofed Eurocontrol domains used in Eurocontrol phishes:

eurocontrolt.net

eurocontrolint-eu.com

eurocontrolont.ml

eurcontrolint.net

eurocontrolinc.com

Sometimes the bad guys are lazy enough to email directly from Gmail or other free email accounts. Even then, though, they will still try to spoof the real Eurocontrol domain, and employees who do not check the actual email address they are replying to may fall into the trap nonetheless.

3. Eurocontrol phishes are often marked by poor spelling, punctuation, and grammar, as seen in several of the examples shown above.

4. Eurocontrol phishes are also marked by elaborate, overly formal language -- something that ought to raise eyebrows among employees more familiar with the simple, terse, to-the-point style of most Western business correspondence and email:

It is this odd quality that suggests some kind linkage with the 419 scams and other advance fee phishes that still to this day pollute employees' inboxes.

Perhaps the most remarkable aspect of this confidence scheme, however, is that it relies on employees themselves to provide the raw material to malicious actors that allows this social engineering scheme to succeed. When gullible, trusting marks respond to an initial Eurocontrol phishing email with data about the latest invoices received from the actual Eurocontrol or even provide copies of those invoices as well as copies of previous email exchanges, they are simply handing the bad guys all the tools they need to see this phish to a successful conclusion.

How do the bad guys expect to get away with such an operation? The answer is simple: because they can rely on the fact that all too many employees they target will regard anything to do with Eurocontrol invoicing to be routine, everyday, and not worthy of heightened attention or scrutiny. Employees who have become inured to particular attacks targeting regular aspects of their jobs are a threat to any organization -- especially when those employees are in a position to put hard-earned money in the hands of fraudsters.

Boring, Low-tech, But Still Deadly

The Eurocontrol phish has been with us for at least seven years, if not longer. What can we learn from it?

First, older, more unsophisticated phishing schemes remain a threat to businesses and organizations even as ransomware worms and other more technically noteworthy attacks grab the attention of the security industry. Employees and IT departments must remain vigilant.

Second, routine, everyday billing processes remain a ripe target for malicious actors, who can reliably exploit the fact that many targeted employees will not be on their toes when handling invoices that appear to be from companies and organizations they are familiar with. The Eurocontrol phish, then, can actually provide a blueprint for similarly targeted, industry-specific phishing attacks.

Finally, employee training is a must. When your employees are going toe-to-toe with practiced malicious actors seeking to extract your company's money from inattentive members of your finance and accounting departments, those employees need new school security awareness training. This kind of training helps your employees recognize when they are under attack by teaching them to recognize key red flags in the phishing emails that land in their inboxes. New school security awareness training then reinforces that training through simulated phishing campaigns that also allow you to measure their progress.

Sophisticated, exploit-driven attacks rightly command the attention of your IT department. Such attacks, however, should not become an excuse to be less vigilant to the threat posed by old fashioned confidence tricksters.