Whaling Goes After the Big Phish

The bigger the phish, the fatter the payoff for cybercriminals. That thinking is driving a spate of whaling cyberattacks targeting C-level executives and their employees around the globe.

Whaling attacks go far beyond the typical phishing expedition in that perpetrators do their homework and learn everything they can about their intended C-suite victims and their organizations to ultimately convince them or their associates to give up credentials, information and/or financial assets. They produce believable emails that appear to be from trusted internal or external business partners that actually contain malware and URLs to download malicious payloads and link to dubious web sites all in hopes of a handsome payday. Whaling uses social engineering to prey on the weakest link in cyberdom:  humans.

I expect the surge in whaling to continue because cybercriminals are having success duping top executives and their associates. Similar to advanced persistent threats (APTs), whalers study how people write, what their email looks like and whatever else they need to know to show potential victims the personal touches that really sell the impersonation. Producing genuine-appearing email is how the criminals succeed in convincing top executives the requests are real. A key part of the ruse is the request for confidentiality and the need to bypass approval channels.

Whaling Costs Enterprises Plenty
Successful whaling attempts are so believable and seemingly trustworthy that executives who should probably know better are clicking on links and attachments that appear to be from fellow executives, employees or business partners. One stellar example of this includes a senior executive with a security firm who received an email that appeared to be from an underling but was actually from a whaler. He was tricked into giving up employee W-2 data.

Another incident involved an executive from a major soft drink company that was in talks to choose a bottler in a highly profitable, under-serviced country. Before negotiations were completed, someone working under the executive was spear phished, and the whaler was able to harvest all email related to the negotiations, jeopardizing the talks and putting the company at a distinct disadvantage.

A third case involved a top executive of a 40-year-old company that made a unique product that had just one competitor in the world. One day the executive noticed the sudden appearance of a new competitor that was selling a nearly identical product but at a significantly lower price. It turned out that the man had been whaled. Through social media, the cyberattackers learned he had a passion for antique cars. They concocted an email with a link to a fake online auto trading ad for a car deal that was too good to be true. Excited by the car and the unbelievable deal, he double clicked on the link and almost immediately 40 years of research, development and blueprints were in the hands of an unknown competitor. The company was unaware that their information had been compromised until the new competitor showed up on the market six months later.

One whaling email can sink a company or cost top leadership their jobs. A January 2016 whaling attack against an Austrian aircraft parts manufacturer resulted in the loss of US $45,693,480 and the firing of both its CFO and CEO.

Challenges Go Deep
Email is the lifeblood of business today, so living without it is not an option. But addressing the whaling problem presents a number of challenges thanks primarily to the human factor. For example, employees who receive emails from high-ranking executives are often hesitant to question their validity. They want to handle any and all requests from higher ups quickly and efficiently to gain favor with their boss. On top of that people are often overworked, so the last thing on their mind is whether or not an email is legitimate. Finally, employees today are often less committed to their organizations than we would like. Allegiance to employers can be weak or nonexistent, so why should they care about whaling attempts? Your company’s whaling defenses are only as good as your least knowledgeable and dedicated employee.

Training, Training, Training
What can be done to protect organizations against whaling? In a word:  training. Training to increase education and awareness of cyber schemes such as whaling, phishing and the like, is critical to combatting these incidents. For email requesting out of the ordinary access to data or assets, secondary verification is critical. A quick phone call is all it takes. And always check the sender’s email address. Security should never be weakened in exchange for speed or expediency.

Training should be regular, engaging and include every person in the organization, including C-suite personnel. Poor or condescending training can be worse than none at all, so make sure you develop effective training and do not talk down to employees. Training and awareness efforts should be ongoing and can include weekly email blasts to reinforce training and maintain and increase awareness.

Obviously, if your organization has an IT professional with cybersecurity credentials such as a CSX Cybersecurity, Fundamentals,Practitioner, Specialist or Expert certificate, they can provide invaluable resources to ensure effective training.

Daniel Libby, Director and Chief Examiner, Digital Forensics Inc.

[ISACA Now Blog]