WHALING: CATCHING THE BIG PHISH
Written By Joe Danaher, Vice President and Chief Information Security Officer, Integrity IT
Whaling is not like phishing. By now everyone has heard of, and probably seen, email phishing in action: malicious attempts by attackers to trick you into providing information or installing malware from an email link or attachment. Many organizations have even held training sessions for their staff. However, most organizations are not familiar with whaling, or even with what that term means in the context of email attacks. In a phish, a broad net is cast in hopes of catching any victim, so the target is not very specific. Whaling, like Captain Ahab's pursuit of Moby Dick, is a much more sophisticated and targeted attack, aimed at one specific "big fish" in the organization: an executive, or someone who can move money on an executive's instruction.
Whaling requires more in-depth knowledge of the company that is targeted. The whaler researches the target to learn specifics about the company, typically its leadership and its finance department. While your company may guard sensitive information, there is still a lot of "open source intelligence", or OSINT, readily accessible to someone who knows where to look and takes the time to research. Most of this information can be found on the internet in plain sight. Your own website and social media sites like LinkedIn, Facebook and Twitter are common examples you may not have considered; executive names and titles, and who works in finance, are exactly the details an attacker needs to script a convincing request.
INTEGRITYKY.COM | 859.253.4284
Keep in mind that many hackers today are not sitting in their parents' basement; rather, they are well-funded, organized crime syndicates with access to sophisticated tools that automatically scan the internet for OSINT and aggregate it for them.
To gain the depth of information needed for a whaling attack, the attacker may also simply call the targeted company and extract valuable information from your staff. The majority of whaling attacks target finance departments, usually by impersonating the CEO or CFO. The whaler may open an email conversation with a simple greeting and then move on to the real request, typically a wire transfer of funds. In many cases the only indication that the message is not from the CEO or CFO is a subtle change in the sender's domain name. These whalers are sophisticated and will register domain names that are similar to the target company's, or the same name under a top-level domain you never purchased (for example .net or .co instead of .com).
For example: if your company is acmemanufacturing.com, they will register acmemamufacturing.com (an n changed to an m) or acmemanufactering.com (a u changed to an e), each only one letter away from the real name.
The email will appear to come from your CEO or CFO and will often address you by name. There are no malicious links or attachments as in a phishing email; instead, the whaling email is designed to get you to trust the impersonator. Typically the initial email is followed by a request for a wire transfer or a payment to a specific company, whose bank account has also been set up by the attacker to receive the money. Although this sounds as if it couldn't succeed, it is quite lucrative and has netted millions of dollars from large companies such as Ubiquiti, Mattel and Snapchat.

Although these are large companies, even Integrity IT has received a whaling attempt. Early in 2017, two members of our finance department received a request from our CEO for a wire transfer to someone claiming to be a contractor in the Midwest. Fortunately, the greeting used was not one our CEO typically uses, which caused them to reach out to our CEO before transferring the several thousand dollars requested. The email address was only off by two characters, so it was a very sophisticated whaling attempt: it was sent directly to those in finance with the ability to perform the transfer and it appeared to come from our CEO. The sophistication of this attack led us to strengthen our spam filtering tool from Mimecast, which offers "impersonation protection" down to a two-letter difference in the From address. We have also added whaling to our annual staff cybersecurity awareness training, with content tailored specifically to our finance and C-suite teams.

This may be the most consideration you have given to whaling as a topic of risk management, but as business owners and managers you already face risk every day: from competition, an unexpected employee absence, an unhappy customer, or an unreliable vendor.
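The lookalike-domain trick above (acmemamufacturing.com standing in for acmemanufacturing.com) and the "two-letter difference" threshold of an impersonation-protection filter are easy to reproduce as a mail-gateway check. The following Python is an added example written for this page; it is not Integrity IT's code and not Mimecast's, and the protected domain, the executive name and the three sample messages are all constructed. It flags a sender whose second-level label is within two edits of a protected domain, the same label under a different top-level domain, an executive's display name arriving from an outside domain, and a Reply-To that points somewhere other than the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration (hypothetical values; replace with your own directory data).
PROTECTED_DOMAINS = {"acmemanufacturing.com"}
EXECUTIVE_NAMES = {"Jane Doe"}      # CEO/CFO display names as they appear in your directory
MAX_EDIT_DISTANCE = 2               # "two-letter difference": flag labels within 2 edits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'acmemanufacturing.net' into ('acmemanufacturing', 'net').
    Assumption: a single-label TLD; multi-part suffixes like co.uk need a public-suffix list."""
    domain = domain.lower().strip()
    if "." not in domain:
        return domain, ""
    label, _, tld = domain.rpartition(".")
    return label, tld


def normalize_name(name: str) -> str:
    """Lower-case, keep only letters, sort tokens so 'Doe, Jane' matches 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def assess(raw_message: str) -> list:
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    if from_domain in PROTECTED_DOMAINS:
        # Exact use of our own domain is a spoofing question for SPF/DKIM/DMARC, not this check.
        return findings

    from_label, from_tld = split_domain(from_domain)
    for protected in PROTECTED_DOMAINS:
        p_label, p_tld = split_domain(protected)
        if from_label == p_label and from_tld != p_tld:
            findings.append(f"tld variant of {protected}: {from_domain}")
        else:
            d = edit_distance(from_label, p_label)
            if 0 < d <= MAX_EDIT_DISTANCE:
                findings.append(f"lookalike domain ({d} edit(s) from {protected}): {from_domain}")

    if normalize_name(display) in {normalize_name(n) for n in EXECUTIVE_NAMES}:
        findings.append(f"executive display name '{display}' from external domain {from_domain}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (not captured traffic).
LOOKALIKE = (
    "From: Jane Doe <jane.doe@acmemamufacturing.com>\n"
    "To: ap@acmemanufacturing.com\n"
    "Subject: Quick favor\n\n"
    "Are you at your desk? I need a wire sent to a contractor today.\n"
)
TLD_SWAP = (
    "From: Jane Doe <jane.doe@acmemanufacturing.net>\n"
    "Reply-To: jdoe@example.org\n"
    "Subject: Urgent\n\nCall me when you see this.\n"
)
LEGIT = "From: Jane Doe <jane.doe@acmemanufacturing.com>\nSubject: Lunch\n\nNoon?\n"

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("tld swap", TLD_SWAP), ("legit", LEGIT)):
        print(name, assess(raw) or ["clean"])
```

Treat the output as a quarantine or banner signal, not a verdict: the edit-distance check catches only ASCII misspellings, so a Unicode homoglyph domain needs an IDNA/confusables pass as well, and exact spoofing of your own domain is stopped by SPF, DKIM and an enforcing DMARC policy rather than by any lookalike heuristic.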
Integrity IT began offering more robust Managed Security Services in late 2015 to help shoulder this increasing threat to small businesses across Kentucky. We have grown our expertise and tools, and we have continued our training and certifications to keep up with the rapidly changing threat landscape. We offer many affordable solutions and the consulting expertise to help you identify and prioritize where to budget your spending.
Integrity IT has the experience and the tools to help your company raise its awareness of this emerging threat. We also offer sophisticated email filtering through Mimecast, whose "Impersonation Protection" is designed to help prevent these whaling attacks. If you are interested in learning more, contact the Integrity IT Security Team at 859-253-4284 x2206 or security@integrityky.com.
1* http://fortune.com/2015/08/10/ubiquiti-networks-email-scam-40-million/
2* http://resources.infosecinstitute.com/category/enterprise/phishing/spear-phishing-and-whaling/whaling-case-study/#gref
3* https://www.scmagazineuk.com/snapchat-got-whaled-employee-payroll-released/article/530493/
CONSULTATION SERVICES

Risk Assessment
• Asset Identification
• Threat Identification
• Vulnerability Scans: Internal and External
• Controls Assessment: Physical, Technical, Administrative
• Gap Assessment, Prioritization for Remediation

Business Continuity and Disaster Recovery Planning
• Business Impact Assessment
• Recovery Point Objective: Backup Strategy
• Recovery Time Objective

Phishing Campaign
• Periodic Validation of Employee Training

HIPAA Compliance
• Annual SRA Completion
• Policies and Procedures
• BAA Templates

Penetration Testing
• Executive Summary and Technical Report
• Single or Recurring Engagement

Employee Security Awareness Training
• Speaker Program
• HIPAA Assurance Web Portal
• PII-Protect Web Portal (non-HIPAA)
• Phishing Campaign (PII-Protect or DUO)

VCISO (Virtual Chief Information Security Office)
• Establish your Security Vision
• Determine and Prioritize Security Initiatives
• Reduce Risk with Ongoing Security Improvements

Incident Response and Breach Investigations
• Response and Remediation Plans
• Communications and Management
• Lessons Learned

SECURITY CONTROLS

Managed IPS/IDS
• Intrusion Prevention System and Intrusion Detection System

Managed SIEM/USM
• Security Information and Event Management System

Vulnerability Scans
• Quarterly and Ad-Hoc Internal and External Scans
• Reporting
• Mitigation Recommendations

Encrypted Email
• PII and PHI Requirement

Internet Content Filtering
• Block Malicious Sites
• Help Control Your Internet Bandwidth Use

Multi-Factor Authentication
• Add a Second Layer of Security to Strengthen Access to Vital Systems

Custom GPOs (Group Policy Objects)
• Security-Focused GPOs: Account Hardening, Ransomware, Pass-the-Hash Mitigation
“Instead of pulling solutions off the shelf, Integrity tailored our plan to meet our needs without over-doing it. We wanted to be head and shoulders above our competitors, and Integrity created a road map to get us there.” – Heather Taylor, Benefit Insurance Marketing
TRUSTED TECHNOLOGY. STRONGER SECURITY. BETTER BUSINESS.
INTEGRITYKY.COM | 859.253.4284 3080 HARRODSBURG ROAD, SUITE 104 LEXINGTON, KY 40503