4 September 2015 - by Thom Hooker

Spear phishing and whaling attacks on the rise!

SMX CTO and co-founder, Thom Hooker

Further to our recent security alert, as follows:

SMX would like to alert organisations to an increase in targeted email (spear phishing) attacks currently underway against New Zealand companies and organisations. We would also like to warn that attackers are undertaking sophisticated whaling attacks: researching and identifying the 'big fish' within an organisation, then attacking those individuals with a combination of social engineering and email spoofing in order to elicit funds.

To illustrate how these attacks unfold I'd like to describe a real-life example from earlier this week. The CFO at a large customer of ours was instructed by email, from what appeared to be the company's CEO, to transfer USD$192,000 to an international bank account. The email looked completely legitimate: the sender address displayed in the CFO's mail client appeared entirely correct, and because the message carried no malware and no links to malicious sites, none of the multiple security filters in place had anything to trigger on.

What was interesting in this case was that after the CFO responded (was 'on the hook', to continue the phishing analogy), the gang registered a new .com domain similar to the company's real domain and continued the email conversation from that domain. In other words, the crooks waited until they had a whale on the line before spending any money on embellishing their scam. This is an important point: these attackers aren't simply playing a numbers game and casting their net wide. They identify and target specific companies and senior individuals within them, and refine their approach based on the responses they get.
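As an added illustration (not code from the SMX article or its author), the following Python script checks an inbound message's From and Reply-To headers for the two techniques the story describes: an executive's display name sitting on an address that isn't theirs, and a lookalike of the company domain such as a .com registered beside the real .co.nz. It also flags a Reply-To that differs from From, a variant the article does not mention. The corporate domain, the executive directory and the three sample messages are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumed corporate domain and executive directory; both are constructed for this
# example and are not from the SMX article.
COMPANY_DOMAIN = "example.co.nz"
EXECUTIVES = {"jane smith": "jane.smith@example.co.nz"}  # display name -> real address


def edit_distance(a, b):
    """Levenshtein distance between two strings (used to spot lookalike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Crude first-label extraction: 'example.co.nz' -> 'example', 'examp1e.com' -> 'examp1e'."""
    return domain.split(".")[0]


def assess_message(raw):
    """Return the reasons a message looks like executive impersonation (empty list = none found)."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    name_key = " ".join(from_name.split()).lower()

    # 1. The display name is an executive's, but the address is not that executive's real one.
    #    Most mail clients show the display name prominently, so it is the cheapest spoof.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display name '{from_name}' matches an executive but the address is {from_addr}")

    # 2. The sender domain is not ours but is a lookalike: same first label under a different
    #    TLD (example.com vs example.co.nz), our label embedded in theirs, or a one- or
    #    two-character edit such as examp1e.com.
    if from_domain and from_domain != COMPANY_DOMAIN:
        ours, theirs = registrable_label(COMPANY_DOMAIN), registrable_label(from_domain)
        if theirs and (ours in theirs or edit_distance(ours, theirs) <= 2):
            findings.append(f"sender domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")

    # 3. Replies would go somewhere other than the displayed sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return findings


# Constructed sample messages (not real traffic).
LEGITIMATE = """From: Jane Smith <jane.smith@example.co.nz>
To: cfo@example.co.nz
Subject: Board papers

Attached as discussed.
"""

LOOKALIKE_DOMAIN = """From: Jane Smith <jane.smith@example.com>
To: cfo@example.co.nz
Subject: Re: Urgent transfer

Please action the USD transfer today, I'm in meetings all afternoon.
"""

REPLY_TO_REDIRECT = """From: Jane Smith <jane.smith@example.co.nz>
Reply-To: jane.smith.ceo@webmail.example
To: cfo@example.co.nz
Subject: Urgent transfer

Can you process a payment for me? Reply here as I'm travelling.
"""

if __name__ == "__main__":
    for label, raw in [("legitimate", LEGITIMATE),
                       ("lookalike domain", LOOKALIKE_DOMAIN),
                       ("reply-to redirect", REPLY_TO_REDIRECT)]:
        print(label, "->", assess_message(raw) or ["no findings"])
```

Note that the first email in the story, whose From address appeared entirely correct in the CFO's client, would pass all three checks; they only catch the follow-up traffic from the lookalike domain. That gap is exactly why the rest of this alert insists on procedure and awareness rather than filtering alone.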

If the CFO hadn't had the presence of mind to query the reason for the request, which is what ultimately unravelled the scam, the company would have lost a significant amount of money. Stories like this aren't uncommon internationally but are still relatively rare in New Zealand; this one highlights the importance of security awareness training for potential whaling and spear phishing targets.

According to NIST:

"…it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The “people factor” – not technology – is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this “asset.” A robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them."

As the example illustrates, people are a vulnerable link in any security process. As such, SMX is advising customers to carry out security awareness training for all appropriate staff. 

Security awareness training should include:

  1. Identifying potential whaling or spear phishing targets within your organisation – these roles should include finance, management and IT security 
  2. Conducting security awareness training for all identified roles – this training should include an awareness of these types of attacks and familiarisation with your organisation’s security policies
  3. Creating and publishing robust internal procedures for identifying and handling security incidents, and for responding to external queries requesting information about senior company executives

Depending on your industry, you may need to train a wider range of roles within your organisation. At a minimum, every company and organisation should conduct some security awareness training for affected staff, ensure robust processes are in place for actions such as transferring funds (for example, confirming an unusual request with the executive directly rather than by replying to the email), and make sure affected staff know those procedures. Training should also cover how to handle external requests for information about senior executives.

SMX continuously works with our vendors and customers to monitor and improve email security. However, the sophistication and persistence of these attacks, much of which takes place outside the email flow itself, means companies shouldn't rely solely on computer security and filtering algorithms to protect them. Potential whaling targets need to be aware that criminals are running sophisticated attacks right now, and to protect themselves accordingly.

More information

If you have any concerns about a potential whaling or phishing attack please contact the SMX helpdesk via email or phone 0800 769769, select option 1.