Whaling Cyber Threat: Targeting the Big Phish 

As an MSP, you know phishing: attacks on unsuspecting email recipients through identity-theft spam, malicious attachments and link baiting. “OMG! Look at this video you were tagged in!!” can spell disaster for any end user who clicks on the virus-containing ‘video’ promised in that message. The practice of whaling, however, takes it a step further by using carefully crafted, thoroughly researched attacks that target a company or organization's "big fish." Cybercriminals who whale typically prey on high-level executives like CEOs, CMOs, or other key decision makers, seriously endangering the livelihood of any affected business in the process.

In the Heart of the Sea, a major motion picture that retells the sinking of the American whaling ship Essex in 1820, recently hit theaters. With all of the buzz surrounding the film and its retelling of the event that inspired the great novel, Moby Dick, we decided to capture the story of whaling as it relates to cybercrime...


How Whaling is Different from Regular Phishing

Whaling is not spam. It’s not the delivery of mass emails to users in hopes of catching a few fish. Attackers thoroughly research their company targets and learn the names of executive team members to use as leverage in their attacks. They’re not just after their targets' identities and login credentials, as in traditional phishing efforts – they also want to take control of users' PCs to get confidential company information and anything else they could leverage to impersonate a major executive. Their research tracks down personal information like title, direct phone line, and names of key people in a business, which they then use to socially engineer the attack. It’s quite a cunning process and involves extensive invasion of the executive’s privacy.

When You're Whaled

There are a few scenarios hackers use in whaling to penetrate your company’s confidential information. One way involves emailing targets genuine-looking but false subpoenas from the US Federal Court as a ploy.

Appear in court, and download this PDF for a full copy of your subpoena

According to Scambusters.org, nearly half of all antivirus software failed to detect the Trojan malware behind this linkbait. What targets really download is keystroke-capturing, data-mining software that still looks like a real legal document on screen.

Another option hackers use to infiltrate a company’s defenses is even more deceptive. After collecting information about the CEO, the hacker creates a false email address that is almost exactly like the CEO's, give or take a tiny variation. For example, if our CEO was IvanMoakley@thecompany.com, a hacker could create 1vanMoakley@thecompany.com. An unsuspecting CFO could easily overlook this tiny switch of the ‘I’ and ‘1’. Using this false address, the hacker sends a direct message with high urgency and a seemingly authentic invoice requesting immediate payout to an outside vendor. In some cases, the hacker can even go as far as finding out which vendors a company associates with, and say the payout is being sent to an offshore branch of that vendor. Not wanting to argue with the person he believes to be the CEO, the CFO will then take care of business and pay the invoice right into the account the hacker has set up, without thinking to check in person or by phone until it’s too late.


Whale Watching - How to Spot the Cyber Threat

There are a few things you should be watching out for in the world of cybersecurity. Standard red flags make a whaling attempt easier to spot, and knowing them so that you can educate your end clients is critical in helping them protect themselves. A few things to warn key decision makers and C-level executives about include:

  • Variations of English - sometimes scammers use British or Asian variations
  • Phony Internet addresses (.com for a government email instead of .gov)
  • Links that appear suspicious, and would take them to a site completely unrelated to the subject or company of the email received
  • Limited name or other contact details from the sender
  • Urgency for action or attention
  • Misspelling of a CEO’s name, even by one varying letter, or replacing letters with numbers that look similar
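
The last red flag, and the 1vanMoakley@thecompany.com scenario described earlier, can be checked automatically at the mail gateway. The sketch below is an added example, not part of the original article: the protected-address list, the look-alike character table and the function names are assumptions, and the From headers at the bottom are constructed samples.

```python
from email.utils import parseaddr

# Protected addresses; the CEO address is the article's example, the list is assumed.
EXECUTIVES = ["IvanMoakley@thecompany.com"]

# Characters that read alike in many fonts, folded together (assumed, non-exhaustive).
FOLD = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def skeleton(address: str) -> str:
    """Lower-case the address and fold look-alike characters together."""
    s = address.strip().lower().translate(FOLD)
    return s.replace("rn", "m").replace("vv", "w")


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def check_sender(from_header: str):
    """Return (verdict, matched_executive) for a From header value."""
    sender = parseaddr(from_header)[1]
    for known in EXECUTIVES:
        if sender.lower() == known.lower():
            return ("exact", known)
    for known in EXECUTIVES:
        # Same skeleton (letter/number swap) or one letter off (misspelling).
        if within_one_edit(skeleton(sender), skeleton(known)):
            return ("lookalike", known)
    return ("no-match", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ('"Ivan Moakley" <1vanMoakley@thecompany.com>',
                   "Ivan Moakley <IvanMoakly@thecompany.com>",
                   "IvanMoakley@thecompany.com",
                   "billing@vendor.example"):
        print(header, "->", check_sender(header))
```

An "exact" verdict only means the address string matches a protected one; it says nothing about whether the message was actually sent from that mailbox.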

It’s important to be skeptical of any email that asks you to log in through a link in the email. No legitimate online financial business will ever ask you to log in that way, and in today’s busy world it can be easy to impulsively click through without hovering over the link to see if the URL is what it claims to be - especially when this is masked by the illusion of your CEO or CFO’s email address.

“Advice to lock your door at night does little to stop you from opening that door to a criminal who is dressed as a police officer.” – John E. Clabby (Spoofing whales: how companies can protect their CEOs and CFOs from the ‘business email compromise’)
