7 September 2015

SMX issues security alert on spear phishing and whaling attacks

SMX has issued a security alert to its customers and partners following an increase in highly sophisticated targeted email fraud (‘spear phishing’) and ‘whaling’ attacks.

SMX’s co-founder and chief technology officer Thom Hooker says spear phishing is a form of email fraud in which specific individuals within an organisation are targeted with a combination of social engineering and email spoofing techniques to elicit funds. Whaling is where the same techniques are aimed at key senior executives, such as chief financial officers.

He says SMX has seen live attacks unfold in real time where, once they have a 'whale' hooked, attackers purchase brand new domains that resemble the intended victim's own domain in order to trick companies into transferring cash overseas. Attackers are even following up with telephone calls, both before and during these attacks, to further embellish the hoax.

In a blog on the SMX website Hooker describes a real-life example of a whaling attack on a large SMX customer. The CFO of this company received an email purporting to be from his CEO instructing the transfer of US$192,000 to an international bank account. The email appeared completely legitimate: the sender's address was spoofed, so the address displayed in the CFO’s mail client was exactly the CEO's real address. The incoming email contained no malware and no links to malicious sites, so nothing in it would trigger the multiple security filters in place.

Only after the CFO responded, or was 'on the hook' to continue the phishing analogy, did the phishing gang register a new .com domain name resembling the company's real domain and continue the email conversation from that new domain. That is, the gang waited until they had a whale on the line before they spent any money on embellishing their scam.
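The two stages described above, a spoofed message carrying the executive's real address followed by a lookalike domain, can both be screened for at the mail gateway. The following is an added example for illustration and is not SMX's code or the customer's configuration; the organisation domain, executive list, and the three sample messages are constructed. It assumes the edge mail server stamps an Authentication-Results header (SPF/DKIM/DMARC) on every inbound message, and adds a Reply-To divergence check that the article does not mention but that is routine in fraud screening.

```python
"""Heuristic screen for executive-impersonation ('whaling') email.

Signals raised:
  auth_fail          - From claims the organisation's own domain but DMARC did
                       not pass (the spoofed first-stage message)
  exec_name_external - display name matches a known executive, address is
                       not on the organisation's domain
  lookalike_domain   - sender domain is a near copy of the organisation's
                       domain (the second-stage, freshly registered .com)
  replyto_mismatch   - Reply-To points somewhere other than the From address
All names, domains and messages below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.co.nz"          # assumed organisation domain
EXECUTIVES = {"jane smith"}           # assumed directory of whaling targets' names


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain, org=ORG_DOMAIN):
    return domain == org or domain.endswith("." + org)


def is_lookalike(domain, org=ORG_DOMAIN):
    """True when the leading label of `domain` imitates the organisation's.

    Catches the same label under another TLD (example.com vs example.co.nz),
    the label embedded in a longer one, and one or two character swaps.
    """
    if not domain or is_internal(domain, org):
        return False
    a, b = domain.split(".")[0], org.split(".")[0]
    return a == b or b in a or edit_distance(a, b) <= max(1, len(b) // 5)


def whaling_signals(raw_message, org=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the list of signal tags raised for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    signals = []

    # Stage one: our own domain in From, but the message did not authenticate.
    # Assumes the edge MX always writes Authentication-Results; a missing
    # header is therefore treated as a failure, not as unknown.
    if is_internal(domain, org):
        auth = msg.get("Authentication-Results", "").lower()
        results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
        if results.get("dmarc") != "pass":
            signals.append("auth_fail")

    # Executive's name on an external address. Authentication may pass here,
    # since the attacker controls that domain, so this check is independent.
    if name.strip().lower() in executives and not is_internal(domain, org):
        signals.append("exec_name_external")

    # Stage two: the freshly registered lookalike domain.
    if is_lookalike(domain, org):
        signals.append("lookalike_domain")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        signals.append("replyto_mismatch")
    return signals


# Constructed sample messages (not real traffic).
MSG_SPOOFED = """\
Authentication-Results: mx.example.co.nz; spf=fail smtp.mailfrom=example.co.nz; dkim=none; dmarc=fail header.from=example.co.nz
From: "Jane Smith" <jane.smith@example.co.nz>
To: cfo@example.co.nz
Subject: Urgent wire transfer

Please arrange the transfer today and confirm once done.
"""

MSG_LOOKALIKE = """\
Authentication-Results: mx.example.co.nz; spf=pass smtp.mailfrom=examp1e.com; dkim=pass; dmarc=pass header.from=examp1e.com
From: "Jane Smith" <jane.smith@examp1e.com>
Reply-To: jsmith@private-mail.test
To: cfo@example.co.nz
Subject: Re: Urgent wire transfer

Bank details attached in my next message.
"""

MSG_LEGIT = """\
Authentication-Results: mx.example.co.nz; spf=pass smtp.mailfrom=example.co.nz; dkim=pass; dmarc=pass header.from=example.co.nz
From: "Jane Smith" <jane.smith@example.co.nz>
To: cfo@example.co.nz
Subject: Board pack

Draft attached for review.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", MSG_SPOOFED), ("lookalike", MSG_LOOKALIKE), ("legit", MSG_LEGIT)):
        print(label, whaling_signals(raw))
```

The lookalike check deliberately compares only the leading label, so that an `example.com` registered to imitate `example.co.nz` is caught even though the two full domain strings differ by more than a couple of characters. Treat these as triage signals for quarantine or a warning banner rather than a verdict; a message that raises none of them, like the first-stage spoof when DMARC is not enforced, is exactly why the article stresses out-of-band verification and awareness training.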

This is a really important point, Hooker says, because it demonstrates that these individuals aren't just playing a numbers game and casting their net wide; they are identifying and targeting companies and senior individuals within those companies, then refining their approach based on responses from their targets.

“If the CFO involved in this scam hadn't had the presence of mind to query the reason for the request, which ultimately led to this scam unravelling, this company would have lost a significant amount of money,” Hooker says. “This story isn't uncommon internationally but is relatively rare in New Zealand. It highlights the importance of security awareness training for potential whaling and spear phishing targets.”

In the security alert sent to customers and partners SMX recommends three key steps all companies and organisations should take:

  1. Identify potential whaling or spear phishing targets within the organisation – these roles should include finance, management and IT security
  2. Conduct security awareness training for all identified roles – this training should include an awareness of these types of attacks and familiarisation with the organisation’s security policies
  3. Create and publish robust internal procedures for identifying and handling security incidents, responding to external queries requesting information on senior company executives, and so on.

Depending on the industry, SMX advises that companies and organisations may need to conduct training across a wider range of roles within the organisation.

The SMX security alert includes a link to the full guidance on security awareness training published by the US National Institute of Standards and Technology (NIST) as Special Publication 800-50: http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Thom Hooker warns that the sophistication and persistence of these attacks, which extend beyond the email flow into telephone calls and purpose-registered domains, mean companies should not rely solely on technical email filtering to protect them. Potential whaling targets need to be aware that criminals are undertaking sophisticated attacks right now, and to protect themselves appropriately.