Recent alerts from the security vendors Kaspersky Lab and Mimecast warned of a rise in both phishing and whaling activity, urging their users to take precautions and minimize the risk of becoming the next victims of cyber criminals.
What is whaling?
Whaling refers to targeted spear-phishing campaigns directed at senior executives, mostly at large corporations, who often have access to sensitive information such as employee or customer data and may also control large balances in banking and securities accounts. A successful attack can yield executive passwords and other account details that open up corporate file stores, networks, and even bank accounts. Some whaling campaigns go after classified military and other government information.
According to the FBI, which groups such scams under the heading “Business Email Compromise” (BEC), as many as 7,000 US businesses have been victimized by them over the past two years, resulting in some $740 million in losses.
How does the bait differ from “regular” spear-phishing emails?
A regular phishing email typically plays on a personal aspect of the target’s life: a time-sensitive vacation offer, a fraudulent warning from a bank threatening to charge their account unless they supply their user ID and password, and so on.
A whaling email, by contrast, takes the form of a critical business email customized to a senior executive’s specific position and responsibilities in the company and relating to a company-wide concern. It hooks its target with a sensitive business matter that requires an immediate response from senior management. Whaling campaigns often target the individual within the firm who has the authority to make wire transfers on behalf of the organization.
Profile of a typical whaling email
There are two main types of whaling email. In the first, the whaling phishermen send a message that appears to be a request or instruction from a trusted source such as a department head or the CEO. For example, staff handling sensitive financial data may receive what appears to be a request from the IT department asking them to log in and reset their passwords.
The second type takes the form of a subpoena or other legal notice that demands a response.
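To make the two profiles above concrete, here is an added example (not code from the original article) that flags the usual whaling tell-tales in a raw message: a known executive’s display name on an address that is not theirs, a lookalike sender domain, a Reply-To that steers replies elsewhere, and urgency, finance or legal lure wording. The corporate domain example-corp.com, the executive directory, the lure term list and both sample messages are assumed or constructed for the demonstration.

```python
"""Flag common whaling indicators in a raw RFC 822 message.

Added example, not code from the original article. The corporate domain,
executive directory, lure terms and sample messages are assumed/constructed.
"""
import email
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"   # assumed corporate mail domain
# Assumed directory of senior staff whose names an attacker would borrow
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "bob smith": "bob.smith@example-corp.com",
}
# Lure phrases typical of the two whaling types described in the article
LURE_TERMS = ("urgent", "wire transfer", "confidential",
              "reset your password", "subpoena", "immediately")


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value indicates a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name of a known executive on an address that is not theirs
    key = name.lower().strip()
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in key and addr.lower() != exec_addr:
            findings.append("display-name impersonation of %s via %s" % (exec_name, addr))

    # 2. Sender domain within two edits of the corporate domain (examp1e vs example)
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike domain %s" % from_domain)

    # 3. Reply-To steering replies to a domain other than the visible sender's
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to mismatch: %s" % reply_addr)

    # 4. Urgency / finance / legal lure wording in subject or body
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in LURE_TERMS if t in text]
    if hits:
        findings.append("lure terms: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic)
WHALING_EMAIL = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jdoe.ceo@freemail.example
To: cfo@example-corp.com
Subject: Urgent wire transfer - confidential

I am in a meeting and need a wire transfer processed immediately.
Reply here for the account details.
"""

BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Q3 board deck

Attached is the draft for your review.
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, whaling_indicators(raw) or "no indicators")
```

Each check is cheap enough to run at the mail gateway or in a mailbox rule; the point of combining them is that a genuine executive request will rarely trip more than one, while a whaling email built on a lookalike domain usually trips three.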
Who is at highest risk?
Executives who publish extensive information on their Facebook or LinkedIn pages are prime targets, because whaling campaigns are usually built on personal information gathered about the target from social media sites. The more exposure and personal information the target shares publicly, the greater the risk that it will be used to manipulate him or her.
What makes whaling so insidious?
Most senior executives are aware of malicious spam, and whaling tactics have become more sophisticated as a result.
The attackers may take months to research the company and find out as much as possible about the target in order to craft the email in a way that seems totally legitimate to the recipient.
A successful attack depends on convincing the target of the message’s authenticity. The email message will have a reasonable rationale and will build trust by including relevant and specific information that seems confidential. In reality, this information is usually obtainable through public sources such as business directories.
The Role of Social Media
Drawing on corporate databases and social networking sites, an attacker finds a use for any scrap of information. Beyond the executive’s name and position, a skilled whaler may search social media for a hobby or charity he or she is involved with and craft a highly individualized email. Executives with open public profiles are prime targets for whaling attacks. Whalers also use birthdates, addresses, obituary notices and more to build a profile and entice their targets to click.
When the executive acts on the call to action, typically by clicking a link or opening an attachment, embedded code runs and gives the attacker a foothold on the networks where the executive works or stores sensitive data.
For example, the code may allow the attacker to remotely control the executive’s computer or log its keystrokes, so that within a few days the attacker holds personal account data and company passwords, which can lead to large individual and corporate losses.
The First Big Catch: 2008
In a well-known 2008 whaling scam, attackers targeted 20,000 senior corporate executives using each one’s actual name, company name, and phone number. The email was drafted to look like an official subpoena requiring the executive to appear before a federal grand jury and included a link for further details. Roughly 10% of the executives clicked the link, which downloaded a keylogger and a backdoor. Passwords and other sensitive data were sent back to the phishers, who, armed with that access, launched further attacks against the companies of those roughly 2,000 victims, causing considerable damage.
How to Outsmart Whaling Phishermen
So how can the CISO protect the enterprise and its executives from whaling? Lower the risks and train, train, train. Here are a few important guidelines to follow.
1. Lower the risk
- Minimize or lock down the exposure of senior management on social media by implementing privacy restrictions;
- Review the finance team’s processes for initiating wire transfers and implement an additional layer of authentication and/or out-of-band verification (a call-back to a number already on file, never to one supplied in the email);
- Don’t rely on traditional security tools alone to safeguard user and network information; a well-crafted whaling email may carry no malware or malicious link for a filter to catch;
- Create a reporting system so staff can flag suspicious emails, and monitor what is reported;
- Assess your organization’s overall susceptibility to phishing attacks: have an accurate idea of what open source intelligence is out there that could be used against the organization.
2. Train, train, train
- Increase awareness through ongoing training and simulation programs with staged, real-world whaling emails and user-specific campaigns tailored to managers’ digital footprints;
- Update managers on the latest social engineering techniques.
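As an added example (not a tool from the original article) serving both the “assess what open source intelligence is out there” item and the “simulation campaigns” item above: a small generator that enumerates the lookalike domains an attacker could register to pose as the corporate domain, and cross-checks them against sender domains seen in mail logs. The same list can seed a registrar watch, a mail-gateway blocklist, or the sender domain of a staged whaling simulation. The domain example-corp.com, the homoglyph table, the TLD list and the log sample are assumed or constructed.

```python
"""Enumerate lookalike domains of the corporate mail domain.

Added example, not a tool from the original article. HOMOGLYPHS and TLDS are
assumed, illustrative choices; the observed sender list is constructed.
"""

# Visually confusable substitutions an attacker can register (assumed subset)
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "m": "rn", "w": "vv"}
# Alternative TLDs worth watching (assumed)
TLDS = ("com", "net", "org", "co", "biz")


def lookalike_domains(domain):
    """Return sorted candidate domains an attacker might use to pose as `domain`."""
    label, tld = domain.lower().rsplit(".", 1)
    labels = set()
    # Homoglyph: swap one character for its lookalike
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    # Omission: drop one character
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])
    # Transposition: swap two adjacent characters
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Hyphenation: remove all hyphens, or insert one between two non-hyphen characters
    labels.add(label.replace("-", ""))
    for i in range(1, len(label)):
        if label[i - 1] != "-" and label[i] != "-":
            labels.add(label[:i] + "-" + label[i:])
    # Keep only syntactically valid labels, then attach the original TLD
    valid = (v for v in labels
             if v and not v.startswith("-") and not v.endswith("-") and "--" not in v)
    result = {"%s.%s" % (v, tld) for v in valid}
    # TLD swap on the unchanged label
    result |= {"%s.%s" % (label, t) for t in TLDS if t != tld}
    result.discard(domain.lower())
    return sorted(result)


def observed_lookalikes(domain, sender_domains):
    """Cross-check sender domains seen in mail logs against the generated list."""
    watch = set(lookalike_domains(domain))
    return sorted({d.lower() for d in sender_domains if d.lower() in watch})


# Constructed sample of sender domains pulled from a mail gateway log
OBSERVED_SENDERS = ["example-corp.com", "examp1e-corp.com", "partner.example",
                    "example-corp.co", "news.example-corp.com"]

if __name__ == "__main__":
    candidates = lookalike_domains("example-corp.com")
    print(len(candidates), "candidate lookalikes, e.g.", candidates[:5])
    print("seen in logs:", observed_lookalikes("example-corp.com", OBSERVED_SENDERS))
```

Run against the real corporate domain, the output tells the CISO which variants are already registered by someone else (worth a WHOIS look), which ones are cheap to register defensively, and which the mail gateway should already be rejecting; picking one unregistered variant for the simulation campaign makes the exercise realistic without handing staff a domain an attacker could later buy.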