Email Whaling: The Article Every Executive Needs To Read
Mike Carthy
So you’ve heard of phishing scams – right? These are emails that come from organised criminals claiming to be from a legitimate organisation that you trust. These communications frequently claim to be from a financial institution and attempt to trick you into visiting a fraudulent website to hand over your personal information. Scams such as this are emailed out to thousands and thousands of people, in the hope that enough of them will bite for it to become a profitable activity. This epidemic became known as phishing and was a reliable source of revenue for cyber criminals for many years.
More recently things have changed, and advancements in user education and awareness have led to a massive decrease in the efficiency and effectiveness of phishing attacks. Furthermore, most businesses these days have a reliable anti-spam solution that’s able to weed out these emails from legitimate communications. Naturally, and as a direct result of these mitigations, the cyber criminals went back to the drawing board – and in the process they managed to re-invent phishing entirely.
Between 2010 and 2011, annual returns for mass email-based attacks fell from $1.1 billion to $500 million.
Rather than casting their net wide and targeting a large number of individuals, they switched their focus towards attacking businesses, and did so with very specific and targeted attacks. A new form of phishing had been born, and it quickly became known as ‘whaling’. This is because rather than targeting the ‘small fry’, the cyber criminals began to go after the bigger fish – i.e. your senior company executives – in the hope of gaining much bigger rewards.
Adding to their sophistication, these attacks were actually two-pronged in nature. In order to deliver a highly tailored and credible email to somebody within a target organisation, the attackers had to first perform covert reconnaissance in a bid to identify key individuals or targets within the business. Once they had established who the key financial decision makers were, the attackers then sought to identify the key relationships that those individuals had, and used that information to ultimately deceive somebody into processing a fraudulent transaction.
In incidents such as this there’s usually a highly sophisticated blend of both technical and human-based attacks. On one level the criminals are studying and exploiting the trust relationship that exists between two people within the company, but on another there’s a technical element whereby the attacker has access to private communications – and leverages that information to conduct the eventual attack. It’s clear to see that the criminals have been doing their homework.
Traditional anti-spam filters aren’t able to detect and block these attacks, user education and awareness is minimal and the quality of reconnaissance being done on targets is remarkable. Let’s explore the anatomy of one particular attack I was informed about – and examine the way in which technology was mixed with social engineering to deprive Company A of £300,000.
The Target
Company A is an SME that operates in the UK within the construction industry. The company has an annual turnover of £5,000,000 and a staff of 20 – including two senior co-owners / directors. The company outsourced their IT infrastructure to a Managed Services Provider (MSP) and naturally assumed that this MSP also looked after their security infrastructure. The company had invested in a managed firewall, had complete endpoint protection across their network and had fully patched and up to date systems.
The Attack
In late 2014 Company A became victim of an attack when the company’s finance clerk received an email from one of the company directors. The email was requesting a transfer of £300,000 to an offshore bank account to complete the purchase of another business that the company was in the process of acquiring. The email stressed that the company acquisition was confidential and that she wasn’t to share details of the transaction with anybody else. The email also requested that it be processed as soon as possible – to ensure that the sale went through smoothly.
The email came from the correct address and contained the correct company formatting – including the director’s signature. The email was written in a style that reflected the real thing – and critically, was not a request that was particularly out of the ordinary. She went ahead and processed the payment and replied to confirm that everything had gone through successfully. It was later discovered that the payment request was fraudulent – leaving the company £300,000 in the hole and unable to claim the money back. Their insurer had to advise them that they weren’t covered, since they themselves had actually authorised the payment.
The Execution
Following this attack the company hired a cyber security consultant to go in and determine what had actually happened. While this is one individual case, the methodology used against other companies largely remains the same, with some minor changes to tailor each attack to the individual target. Here’s how this attack played out:
Reconnaissance
The company was profiled using the internet to determine whether it was a valuable enough target. The attackers were assumed to have used Google searches to learn about the organisation, browsed the latest news and events on their website, determined key employees and their positions using LinkedIn and publicly accessed the annual company accounts to estimate their target’s financial value. Once it was determined to be a valuable enough victim – the attackers moved their offensive to the next stage.
Breaching The Perimeter
Their next step was to identify their person of interest within the organisation – quite frequently (and also in this case) this was the person that was responsible for finance. Once the financial officer was identified, the attackers sent a carefully crafted email containing a malicious payload. These payloads can take different forms such as a URL or a ZIP file attachment – but this one contained a malicious Microsoft Word document with an embedded executable macro. The attachment was disguised as an invoice from a known supplier – and was executed on the target machine.
Intercepting Communications
Once the malicious attachment had executed it connected back to the attacker using a reverse shell – giving them a foothold behind the company firewall. However this access alone was not enough to provide them with the ability to perform bank transfers – since the company’s bank used two-factor authentication. It was at this point that the adversaries began to intercept traffic, monitor email communications and enumerate important relationships within the business to set up their elaborate sting.
The Final Sting
Having monitored the network for a sufficient period of time, the cyber crooks decided to register a domain – one that was almost identical to the one belonging to the business. This domain was used to create the fraudulent email, and gave it the appearance of coming from a legitimate source. Replacing letters with numbers is common practice – and makes it difficult to tell a misspelled address apart from the real thing. Additionally, using a legitimately registered domain as opposed to a forged one (done by spoofing the SMTP MAIL FROM field) ensured that their anti-spam filtering didn’t block the email. Genius!
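The gap this section describes is that a registered lookalike domain passes spam filtering because nothing is forged. One control a mail gateway or SIEM rule can add is a check of every inbound sender domain against the company’s own domain after folding the digit-for-letter swaps the article mentions. The following is an added example, not code from the article or from Company A; the domain name, the sample From: headers and the distance threshold are all constructed placeholders.

```python
"""Flag inbound senders whose domain is a lookalike of our own (added example)."""
import re

OUR_DOMAIN = "companya-construction.co.uk"  # placeholder, not the real company's domain

# Digit-for-letter swaps that make a misspelled domain read like the real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalise(domain: str) -> str:
    """Lower-case and fold confusable characters so 'c0mpanya' compares equal to 'companya'."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # two-letter imitations of m and w
    return d.translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return m.group(1).lower() if m else ""

def classify(from_header: str, ours: str = OUR_DOMAIN, max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    dom = sender_domain(from_header)
    if dom == ours:
        return "internal"
    n_dom, n_ours = normalise(dom), normalise(ours)
    # Same brand label under a different suffix (e.g. .com instead of .co.uk) is a lookalike.
    if n_dom and n_dom.split(".")[0] == n_ours.split(".")[0]:
        return "lookalike"
    if edit_distance(n_dom, n_ours) <= max_dist:
        return "lookalike"
    return "external"

# Constructed sample headers: one genuine, two lookalikes, one unrelated supplier.
SAMPLES = [
    "Director <j.smith@companya-construction.co.uk>",
    "Director <j.smith@c0mpanya-construction.co.uk>",
    "Director <j.smith@companya-construction.com>",
    "Accounts <invoices@acme-supplies.example>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10s} {s}")
```

Anything returned as "lookalike" is a candidate for quarantine or for a banner that tells the finance clerk the message did not come from the company’s own domain.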
It’s all over...
At this stage you have no other defences. The only thing that can save you here is the wit and quick thinking of an employee that’s educated about the risks associated with these attacks. Incidents such as this are becoming extremely common and we’re incredibly ill-prepared to deal with them. We can implement all of the technical controls in the world (firewalls, anti-virus, spam filtering, etc.), however if we aren’t educating our staff about the risks that these threats present we’re wasting both our time and money.
Lessons Learned
As ever – all is certainly not lost. The interesting thing about these campaigns is the way that they blend technical attacks with social engineering to create a powerful hybrid. It’s much more difficult to patch the human brain than it will ever be to patch a computer system. The only way that we can defend against those threats is by educating our employees through inductions and training, with mandatory reviews every 12 months.
Have policies in place whereby transactions have to be authorised in person or over the phone – with no exceptions. The reality is that your staff are going to be out there every day on the front line dealing with these kinds of threats. Do your part and equip them with the skills that they need – so that they can help themselves to help you to defend your business.
What do you think about the evolution of phishing and modern whaling attacks?
Leave your questions and comments below!
About The Author
Mike Carthy is an entrepreneur and cyber security specialist. He runs a successful business providing cyber security training to some of the world's largest companies, and dedicates his time to helping businesses to understand and tackle cyber threats. He's been featured in publications such as Laptop Magazine, The International Business Times and Computer Weekly.
Follow me on Twitter: @MichaelCarthy
Check out my blog: www.mikecarthy.com