
Whaling Cyber Threat: Targeting the Big Phish

Posted December 22, 2015 by Alicia Lazzaro


As an MSP, you know phishing – the malicious attack of hackers against unsuspecting email recipients through identity-theft spam, malicious attachments and link baiting. “OMG! Look at this video you were tagged in!!” can be a fateful demise for any end user who clicks on the virus-containing ‘video’ promised in that message. The practice of whaling, however, takes it a step further by using carefully crafted, thoroughly researched attacks that target a company or organization's "big fish." Typically, cybercriminals who whale prey on high-level executives like CEOs, CMOs or other key decision makers, seriously endangering the livelihood of any affected business in the process.

In the Heart of the Sea, a major motion picture that retells the sinking of the American whaling ship Essex in 1820, recently hit theaters. With all of the buzz surrounding the film and its retelling of the event that inspired the great novel, Moby Dick, we decided to capture the story of whaling as it relates to cybercrime...


How Whaling is Different from Regular Phishing

Whaling is not spam. It’s not the mass delivery of emails in the hope of catching a few fish. Attackers thoroughly research their company targets and learn the names of executive team members to use as leverage in their attacks. They’re not just after their targets' identities and login credentials, as in traditional phishing efforts – they also want to take control of users' PCs to get confidential company information and anything else they could leverage to impersonate a major executive. Their research tracks down personal information like title, direct phone line and the names of key people in the business in order to use it in the social engineering of their attack. It’s quite a cunning process and involves extensive invasion of the executive’s privacy.

When You're Whaled

There are a few scenarios hackers use in whaling to penetrate your company’s confidential information. One way involves emailing targets genuine-looking but false subpoenas from the US Federal Court as a ploy.

Appear in court, and download this PDF for a full copy of your subpoena

According to Scambusters.org, nearly half of all antivirus software failed to detect the Trojan malware behind this linkbait. What victims actually download is keystroke-capturing, data-mining software that still displays a convincing legal document on screen.

Another option hackers use to infiltrate a company’s defenses is even more deceptive. After collecting information about the CEO, a false email address is created almost exactly like his/hers – give or take a tiny variant. For example, if our CEO was IvanMoakley@thecompany.com, a hacker could create 1vanMoakley@thecompany.com. To an unsuspecting CFO, this tiny switch of the ‘I’ and ‘1’ could easily be overlooked. Using this false address, the hacker sends a direct message with high urgency and a seemingly authentic invoice requesting immediate payout to an outside vendor. In some cases, the hacker can even go as far as finding out which vendors a company works with, and say the payout is being sent to an offshore branch of that vendor. Not wanting to argue with the person he believes to be the CEO, the CFO then takes care of business and pays the invoice right into the account the hacker has set up, without thinking to check in person or by phone until it’s too late.


Whale Watching - How to Spot the Cyber Threat

There are a few things you should be watching out for in the world of cybersecurity. Standard red flags make a whaling attempt easier to spot, and knowing them so you can educate your end clients is critical to helping them protect themselves. A few things to warn key decision makers and C-level executives about include:

  • Variations of English - sometimes scammers use British or Asian variations
  • Phony Internet addresses (.com for a government email instead of .gov)
  • Links that appear suspicious, and would take them to a site completely unrelated to the subject or company of the email received
  • Limited name or other contact details from the sender
  • Urgency for action or attention
  • Misspelling of a CEO’s name, even by one varying letter, or the replacing of letters for numbers that look similar

It’s important to be skeptical of any email that asks you to log in through a link in the email. No legitimate online financial business will ever ask you to log in that way, and in today’s busy world it can be easy to impulsively click through without hovering over the link to see if the URL is what it claims to be - especially when this is masked by the illusion of your CEO or CFO’s email address.
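The red flags above, the lookalike address trick from the CFO scenario (‘I’ swapped for ‘1’) and the hover-over URL check can all be turned into a simple mail-screening rule. The following Python is an added example for this article, not code from the original post or from Continuum: it runs a handful of checks over a raw message (lookalike sender against a small executive directory, missing display name, urgency wording, a court or subpoena claim from a non-.gov domain, and links whose visible text points somewhere other than their real target). The executive directory, trusted domain, confusable-character table and the three sample messages are all constructed for the demonstration; the address IvanMoakley@thecompany.com is the hypothetical CEO from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed directory of executives a whaler might impersonate (hypothetical).
KNOWN_EXECUTIVES = {
    "ivanmoakley@thecompany.com": "Ivan Moakley (CEO)",
}
TRUSTED_DOMAINS = {"thecompany.com"}  # constructed: the company's own domain

# Character swaps that read alike at a glance; multi-character ones go first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"),
               ("0", "o"), ("5", "s"), ("3", "e")]

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|wire)\b", re.I)
CLAIMS_COURT = re.compile(r"\b(federal court|subpoena)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def skeleton(address: str) -> str:
    """Collapse an address to its 'how it looks' form so 1van == ivan."""
    s = address.lower()
    for look, real in CONFUSABLES:
        s = s.replace(look, real)
    return s


def lookalike_of(address: str) -> Optional[str]:
    """Name the executive this address imitates; None if genuine or unrelated."""
    address = address.lower()
    if address in KNOWN_EXECUTIVES:
        return None  # the real address, not a lookalike
    for known, who in KNOWN_EXECUTIVES.items():
        if skeleton(address) == skeleton(known):
            return who
    return None


def host_of(url: str) -> Optional[str]:
    return (urlparse(url).hostname or "").lower() or None


def displayed_host(link_text: str) -> Optional[str]:
    """Only treat anchor text as a URL when it is written like one."""
    text = link_text.strip().lower()
    if text.startswith(("http://", "https://")):
        return host_of(text)
    if text.startswith("www."):
        return host_of("http://" + text)
    return None


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def red_flags(raw_message: str) -> List[str]:
    """Return the whaling red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    flags = []

    if not display:
        flags.append(f"sender {addr} gives no display name or other contact details")
    who = lookalike_of(addr)
    if who:
        flags.append(f"sender {addr} is a lookalike of {who}")
    if URGENCY.search(text):
        flags.append("message presses for urgent action")
    domain = addr.rpartition("@")[2]
    if CLAIMS_COURT.search(text) and not domain.endswith(".gov"):
        flags.append(f"claims to be a court notice but sender domain is {domain}, not .gov")
    for href, link_text in ANCHOR.findall(body):
        real, shown = host_of(href), displayed_host(link_text)
        if shown and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
        elif real and not is_trusted(real):
            flags.append(f"link points to unrelated site {real}")
    return flags


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: 1vanMoakley@thecompany.com
To: cfo@thecompany.com
Subject: URGENT - vendor payout needed today
Content-Type: text/html

Please process the attached invoice immediately. Wire to the vendor's
offshore branch and confirm when done.
<a href="http://invoice-portal.example.net/pay">https://thecompany.com/finance</a>
"""

SAMPLE_SUBPOENA = """\
From: clerk@us-federal-court.com
To: cfo@thecompany.com
Subject: Subpoena - appear in court
Content-Type: text/html

Appear in court, and download this PDF for a full copy of your subpoena:
<a href="http://us-federal-court.com/subpoena.pdf">subpoena.pdf</a>
"""

SAMPLE_LEGIT = """\
From: Ivan Moakley <IvanMoakley@thecompany.com>
To: cfo@thecompany.com
Subject: Q4 board deck
Content-Type: text/html

Draft deck is on the intranet:
<a href="https://thecompany.com/board/q4">https://thecompany.com/board/q4</a>
"""

if __name__ == "__main__":
    for name, sample in [("BEC", SAMPLE_BEC), ("subpoena", SAMPLE_SUBPOENA), ("legit", SAMPLE_LEGIT)]:
        print(name, red_flags(sample))
```

The BEC sample trips four flags (no display name, lookalike of the CEO, urgency, link text that disagrees with its target), the subpoena lure trips three, and the genuine CEO message trips none. The skeleton comparison is deliberately crude: it catches digit-for-letter and rn/m swaps, but a production filter would also compare registered domains and use a fuller confusables table. None of this replaces the out-of-band check the article recommends; a payment request that passes every filter still deserves a phone call to the executive's known number.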

“Advice to lock your door at night does little to stop you from opening that door to a criminal who is dressed as a police officer.” – John E. Clabby (Spoofing whales: how companies can protect their CEOs and CFOs from the ‘business email compromise’)


Alicia Lazzaro is part of Continuum's Web Team as an Interactive Web Marketing Specialist. She graduated from Emerson College with an individually designed major incorporating the fields of marketing, publishing and journalism. In her spare time, she enjoys exploring Boston, binge-watching Netflix and cooking.
