When you live in a cold-winter state like Ohio, there is nothing better than having relatives (parents, siblings, etc) in a warmer climate.  And for my wife and kids and I, it’s an awesome Winter change-up to spend part of Christmas break in Florida with family.  While the options for Florida activities fluctuate each year with the ages and interest of our kids, one thing (at least for me!) remains constant: saltwater fishing.

While in Florida last month, I was blessed by my father-in-law who treated me to a guided fishing trip in the back bays of the Southwest Gulf Coast.  As we boarded our fishing guide’s beautiful BayCraft flats boat, we noticed an unusual looking boat arriving to the docks that we were departing from.  When we inquired about the vessel, we found out that it was a commercial crabbing boat, used specifically for harvesting Stone Crab.  (Their claws are filled with an absolute mouthwatering meat: a sweet delicacy of SW Florida, and at $39.95 a pound they are crustacean gold.)  Continuing our shouts in conversation from one boat to the other, what I learned about the harvesting of these crabs really astounded me.

During a 7 month season, crabbing specialists are continually baiting traps, retrieving them and hoping for prized Stone Crabs. Crabs that are harvested have to meet a few requirements:  the claws must be at least 2.75 inches and the captured crab can’t be a pregnant female. If a crab meets these requirements, the crabber will snap one of the claws off while leaving the other intact.  The crab is then thrown back to re-grow the lost claw (a process called molting).  And while it is currently lawful to harvest both of a stone crab’s claws, crabbers will usually only take one claw ensuring a plentiful harvest the next season. The molting process requires a large amount of energy in the form of food so leaving one claw intact gives the crab the ability to obtain necessary food and defend itself. Fascinating, huh?


Why I tell this story:

As I have written in past columns (human shielding techniques, etc.), Church IT Director’s should already be on alert that their network’s are becoming high profile targets.   Toward the end of the 3rd Quarter of 2014, we (Thirtyseven4 labs) began to see a significant increase in cybercriminal data harvesting.  Like the crabbers in Florida, the data harvesting, (in the form of email gathering) our Thirtyseven4 Labs observed was very specialized and the attacks were directed at administrative staffs of medium to large size Churches. And like the Florida crabbers “crustacean gold” value of the claw-meat, the cybercriminals desired “catch” (thousands of email addresses) is also priceless, because they are using that data to get at staff payroll information and other personal data.  (I wish this was a fish-tale, but it’s not.)  Cybercriminal harvesting emails addresses is on the rise and is scary stuff!

This style of attack works in the following way: The cybercriminal harvests the email addresses listed on church websites.  As the Stone Crabs have “requirements” to be met in order for a crabber to keep a claw, today’s cybercriminals have their own “requirements” as well—requirements that will best financially benefit them.  If the harvested emails appear to be from a smaller church or look to be from volunteer workers (people likely not to be associated with payroll) they are disregarded for this style of campaign.  These email addresses aren’t likely tossed back but instead kept to be sold to spammers or other criminal gangs.  If the harvest email addresses appear to meet their specific requirements, we have observed that these users are then targeted with a phishing email.  The phishing email will appear legitimate and originating from the Church.  Here’s an example.

Subject:  Confirm Your Salary
Body: “Kindly verify the ATTACHED documents.  Your email log in would be required to view for approval. Thanks, [the website’s Business Manager Name].

In this case, the “ATTACHED” wording is a hyperlink.  A user tricked into clicking this link will then get directed to a spoofed webpage. This spoofed webpage has been maliciously crafted to look like the organizations login screen where a user would enter their login credentials and this information would be relayed to the attacker.  Once the attacker has the login credentials, they can then perform untold amounts and variations of malicious activities including re-routing direct deposit information.

The above is just one example, and the subject line is routinely changed.  Other observed subject lines include “Salary review Documentation” and “2015 Salary Adjustments”.

Using an alternate technique, we’re also seeing similar emails circulating but instead of embedded hyperlinks they contain malicious attachments.  In our samples, the attachment name altered from “Payment Slip.zip” to “Pay Slip.zip”.  Downloading and running the file within the compressed ZIP folder results in installing a ZBot Trojan.  This Trojan’s main function is to steal information. In this particular case any time a banking website is opened, the Trojan intercepts the data and uploads it to an attacker-controlled server.

If this alerts you, it should.  Our labs are seeing it, and this article is to warn and inform so that we can be better prepared as churches and business people.


In conclusion, I offer a couple things:

(1) Communicate with your staff about these phishing emails and their topics/general gist.  Make sure they are on their guard about clicking any hyperlinks and being very reluctant to share any personal information without first confirming it or looking into it with someone on staff that may have knowledge of the request.

(2) Avoid the madness by unplugging yourself and whetting a line in Florida instead of working yourself to the bone in Ohio (or wherever you are today).  (Trust me, it is therapeutic and restorative!)  Search for your own elusive Ladyfish, Red, or Jack as you bob in the ebb and flow of the tide and are warmed by the southern sun.  Life is too short, and God did tell us to rest once in a while.  And if you get a chance to check out the molting process of a Stone Crab, praise our Creator for his Supreme ingenuity and if you can afford to, treat yourself to a supper you won’t forget.