Whaling is a recent derivative of phishing which can pose a real threat to business survival. Fred Touchette explains what it is and provides a checklist of preventative actions that organizations can take.
Phishing is an increasingly devious, almost artistic, threat. The ultimate goal is to trick a target into either downloading malware or disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts. Having snared an individual, there are a number of ways they can be exploited – from personal identity theft, to large scale corporate breaches.
Phishing is thought to have originated around 1995, but it was in 2005 that it become more widely recognised as an attack vector. More than a decade later and phishing is still an issue.
Phishers cast their nets wide, playing a statistical game in the certainty that a percentage of people will fall for the scam. As illustration, a 2015 study of 150,000 phishing emails, by Verizon partners, found that 23 percent of recipients open phishing messages, and 11 percent open attachments.
In the last decade, phishing education has raised awareness to the risks posed from messages arriving in mailboxes. As users question the legitimacy of emails, and conversion rates fell, phishers needed ways to hone their messages to increase the probability of success.
Unfortunately, in tandem the popularity of social networking sites has furnished phishers with a veritable wealth of information that can be used to legitimise their messages. Coined as ‘spear phishing,’ it makes it increasingly difficult to determine fact from fiction.
While it might seem all a little one-sided, there have been some wins for enterprise security. For starters, as phishers are playing a numbers game, firewalls and email gateways have become adept at spotting and blocking high volume traffic, meaning many campaigns never arrive in individual’s mailboxes. Another development has been the rise in anti-virus software that monitors and spots the tell-tale signs of messages containing malware, again diverting them away from inboxes.
As with any ‘profession,’ maximising return on investment is key, so unsurprisingly the scammers are also adapting their techniques, obfuscating their code to evade detection and reducing the volume of messages being sent. One tactic is focusing efforts on the ‘big phish’ in the pond – fewer targets, but bigger – in some cases MUCH bigger, returns!
The term ‘whaling’ is a play-on-words, reflecting the idea that an important person may also be referred to as a ‘big fish’ or in our case ‘phish.’
While having all the same characteristics of phishing, rather than casting a wide net the scam will target a specific end user: such as a C-level executive, database administrator or celebrity. Corporate websites, LinkedIn profiles, and even an organizations key Twitter accounts, all openly promote the identities of the high level individuals, thus divulging the key characteristics whalers need to ply their trade.
As with any phishing endeavour, the goal of whaling is to trick the target into disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts.
One example of a whaling attack (also referred to as CEO Fraud) that has yielded results is a ‘wire transfer’ scam. The victim, who is normally a high level executive, receives a spoofed message from a hacker posing as the CFO, or even CEO of a partner company, requesting a money transfer be placed for a vendor payment or company acquisition. Of course, instead of this money being applied to the vendor or merger in question, it instead is applied to a remote account the hacker controls.
These messages can be innocuous at first, with the hacker (disguised as an executive or internal employee) asking the victims if they are at their desks. To pull this off, the hacker sends the emails using a display address of the company’s domain, but uses a reply-to address of an external domain, often a free email service. Using this method, the victims can often end up conversing with the hacker via email without realising they are being duped.
This method has been used to steal thousands of dollars from companies in fraudulent transfers, often with the requests in the $20-50K range. While that is quite a bitter pill to swallow, many attempts are for much higher amounts and can lead to financial ruin for some companies.
A network hardware company called Ubiquiti was victim to one of these schemes in mid-2015, except instead of wiring tens of thousands of dollars, they were defrauded to the sum of $40M. They were able to recover a few million, but it is likely that the majority of the cash will never be back in their hands.
At the beginning of 2016 Belgian Bank Crelan, Crédit Agricole's Belgian subsidiary, announced that it had fallen victim of Whaling attack and had lost over €70 million ($75.8 million) in the process.
The FBI is on record as saying that companies around the world lost around $1.2 billion / €1.07 billion in the previous two years to whaling attacks.
Many companies spend much time and money on protecting their network traffic or public facing servers from hacks, which is extremely important. But these social engineering spear phishing attempts are why it is equally paramount to protect employee communications as well.
Don’t take the bait
While firewalls and anti-virus continue to have a part to play in defending an organization against attacks, the scammers are becoming increasingly canny in the type of campaign devised and the method in which they execute the scam.
To avoid the bait, organizations need to be equally devious. Here’s some tips to avoid the phisher’s net, and the whaler’s harpoon:
- As an organization, consider a different configuration for high level executive email accounts. For example if, as an organization, email addresses are typically firstname.lastname@example.org, instead use lastname.firstname@ or even firstinitial.surname@, better still a pseudonym that only trusted personnel will recognise – anything that makes it impossible for phishers to spoof.
- Initiate a process that must be followed when an unusual request is made: picking up the phone and verifying the request may have prevented some of the wire fraud seen in the last few years.
- Consider having a ‘secret phrase’ that top-level executives use when communicating to each other so that messages can be legitimised easily.
- Implement a policy that all messages are encrypted: while this wouldn’t stop a scammer sending a message and it being received, the fact it’s not encrypted should ring alarm bells.
- Mitigating the risk through the use of reliable e-mail and Web filtering solutions are essential.
While identifying the whaler net is tricky, it’s not impossible and much of the user guidelines still apply. If its sounds too good to be true, or just barmy, then don’t do it – challenge it!
Fred Touchette is manager of Security Research at AppRiver.