Application security, Malware, Phishing

Thar she blows: Whaling attacks likely to rise in 2016


Whaling attacks have seen a sharp increase and are expected to go up even more according to cyber-security company Mimecast.

In a new security advisory report, Mimecast said the company “has noted an increase in the prevalence of Whaling attacks on enterprises over the recent months.”  The advisory pulls together the findings of a survey, conducted earlier this month, of nearly 500 IT experts in the US, the UK, South Africa and Australia.

Its findings are stark. Fifty-five percent of the organisations surveyed showed an increase in Whaling attacks in only the last three months. The overwhelming majority of attacks come in the guise of the CEO (72 percent) or the CFO, those being the ‘whales' of the organisation and best placed to make, or order, financial transactions.

A whaling attack is fairly simple. An attacker sees a well-moneyed organisation and spoofs an email from an executive within that company. That email is then sent to another executive, preferably one with a hold on the company's purse strings, requesting that they deposit cash into a designated account. Simple.

This kind of scam goes around the common use of malware or advanced tools and works as a straight up grift. Of course, scams like this also work on the basis that so many companies are on the lookout for malware, and not the kind of social engineering that makes this simple scam so very easy to fall for.

It's not too hard to carry out either, eschewing as it does, technical sophistication in favour of classic tricks of the conman. As a result, notes the report, “the barriers to entry for this type of cyber-crime are painfully low.”

Orlando Scott-Cowley, cyber-security strategist at Mimecast told SC, “Whaling emails can be more difficult to detect because they don't contain a hyperlink or malicious attachment, and rely solely on social-engineering to trick their targets.”

Plenty of unsuspecting executives have fallen prey to exactly this scam. Earlier this year, the US-based cryptocurrency processor BitPay fell for it when attackers successfully impersonated the company's CFO, telling the BitPay's CEO to pay 5000 bitcoins (roughly £1,500,000) into one particular account.

Another tech company, Ubiquiti proved an even larger whale  in October when it lost £30 million with an email sent to finance staff which requested a rushed payment to a supplier because Ubiquiti's CEO was supposedly not in the office.

But how do these Whalers operate? Well, they first need to find out what company or organisation to target as well as the employees within. The finance department is a predictable favourite for attackers to drive their harpoons into.

Then, using what is sometimes known as open source intelligence, attackers start to build a more accurate picture of the company by using the kind of information that most people leave public. 

The advisory notes, “Social media provides attackers with much of the information they need; sites like Facebook, LinkedIn and Twitter provide key details that when pieced together, give a much clearer picture of senior execs in the target business.” 

LinkedIn can map an entire department while social media is replete with employees aching to tell the world of minutiae of their lives; innocuous to most people, but gold dust to the Whaler with purpose. The success of the attack rests heavily on this research.

Most of the time attackers will proceed to set up a domain with a similar name to the targeted company. Then, using that domain name, attackers will carefully craft their phishing emails with intentional structure and meticulous spelling and grammar, attempting to make it look as legit as possible. The last reported numbers state that five million businesses use Gmail which might explain why Gmail is the most popular, at 25 percent, ‘harpoon' to catch whales.

The first contact from the attacker, under the guise of an executive will be concise. Something like, ‘are you around?', before engaging in a conversation with the target, and then finally and fatefully asking for a large amount of money to deposited in a designated account.

In fact, attackers often cover themselves fairly convincingly, Peter Coogan, principal security response manager at Symantec, told SC. The scammers use "a few simple tricks to try and avoid arousing suspicion. The emails often state how the CEO is travelling or is in a meeting and can't accept phone calls. Many of the emails have 'sent from my iPad' appended, which could be included to reinforce that the sender is on the road or excuse the poor English in the message."

We're likely to see an increase in this kind of low barrier entry attack too says Scott-Cowley: “Cyber attackers have gained sophistication, capability and bravado over the recent years, resulting in some complex and well executed attacks.”

Adding, “as whaling becomes more successful for cyber-criminals, we are likely to see a continued increase in their popularity, as hackers identify these attacks as an effective cash cow”.

Coogan recommends user education as the most effective means of facing this mounting threat as "the most effective means of protecting companies against business email compromise (BEC) scams" including, questioning any emails requesting unusual actions. 

Users shouldn't reply to suspicious emails and should "obtain the sender's address from the corporate address book and ask them about the message". Perhaps most importantly, companies should use two-factor authentication for initiating wire transfers. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.