BEC, or Business Email Compromise, has been around for a while. We are all probably used to the terms phishing and spearphishing. A quick refresher for those who have forgotten, or who know the term without ever really looking into what it is:

– Phishing (or spearphishing) is a mechanism employed by hackers or cyber crooks to get their victims to hand over sensitive information – usernames, passwords, and credit card details – or to click through bogus links that trigger a malware installation.

– They do this by masquerading as a trustworthy entity in an email, hence the word phishing – a play on the word “fishing” due to the attempt to use bait (in the form of a legitimate looking email communication from a trusted source) to catch a victim.

– These phishing emails purport to be from popular social web sites, auction sites, banks, utilities, online payment processors or IT administrators. They may contain links to websites that are infected with malware, or try to lure the recipient to a fake website whose look and feel is almost identical to the legitimate one. Once there, the victim is prompted to fill out forms with sensitive information that the hacker sells or uses for their own financial benefit, at the expense of the phishing victim.

So that’s phishing. Now meet its big brother – whaling. So called because it invokes the name and assumed authority of the “big fish” in an organisation.

What is Whaling?

It’s a social engineering scam that utilises technology but seeks to exploit our “humanness” and the relationships between employees. Typically a whaling attack involves a hacker masquerading as a senior executive and asking an employee to transfer money – a typical example is someone pretending to be the CEO or CFO who emails an employee in the finance department to initiate some form of financial transaction.

What? How? It takes the fraudsters only a few simple steps:

Step 1: The whaling fraudsters set up a fake domain name that appears very similar to the legitimate domain name.

Example: the legitimate company is, say, www.phillipselectrics.com.au, so the whaler registers and sets up the domain www.philllipselectrics.com.au. (Looks almost the same, doesn’t it? Just an extra “l”.)

Step 2: They then use social media and publicly available information to find the names of the key people in the organisation, choosing both the victim and the person they’ll impersonate to attempt the fraud. They also use the web to find the standard email address structure the company uses, such as firstname.lastname@company.com.

Example: they learn that Todd Harris is the CEO and Bill James is the Accountant, so they create an email account in the bogus domain they previously set up – todd.harris@philllipselectrics.com.au

Step 3: They now trigger the whaling fraud. Using the bogus CEO email address, they send a note to the legitimate email address of the Accountant issuing an instruction, such as moving money from a corporate account to an account the fraudster has set up.

Because these are potentially large and lucrative frauds (in the US, the FBI has estimated that such scams have cost companies more than $2.3 billion in losses over the past three years), the perpetrators spend time getting the details as accurate as they can. The proliferation of social media and information on individuals – where they work, with whom they interact socially and professionally, what conferences they attend, when and where they holiday – has enabled hackers not only to determine which individuals at a company to target, but also to gather all the current contextual information that adds a patina of genuineness to the communication the fraudsters create and send.

Here at FooForce, we have seen instances where the “whale” is not the CEO or a senior executive, but rather a fraudster masquerading as a client issuing an instruction to transfer funds from their account – an especially relevant threat for financial services and investment management companies.

Attacks like these are almost impossible to pick up with basic spam-filtering technologies, but there are things you can do. As always, it comes down to awareness and some simple process and human actions:

1. On anything that requests a material financial transaction, do a close check of the email headers and the sender’s email address details;

2. If a request seems at all odd, or outside normal policy or process, pick up the phone and check with the sender (using a number you already have, not one from the email); and

3. In general, always be suspicious of unsolicited email. Never click through links in an email message from someone you don’t know – unless you initiated the email exchange. And exercise some healthy wariness when an email sender knows too much about you, or the email is unusually “familiar”.
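To show what the “close check” in point 1 can look like when automated, here is an added example (not FooForce’s code or tooling) that classifies a message’s visible sender against the company domain from the Phillips Electrics scenario above. It flags the extra-“l” lookalike domain by edit distance and also catches a Reply-To that diverts replies away from the real company domain; the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# The page's example company domain; the fraudster's lookalike adds one extra "l".
LEGIT_DOMAIN = "phillipselectrics.com.au"

def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_domain(raw_message, header):
    """Lower-cased domain of the address in `header`, or '' if the header is absent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(str(msg.get(header, "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_sender(raw_message, legit_domain=LEGIT_DOMAIN, max_distance=2):
    """Classify the visible sender for the 'close check' in point 1 above:
    'internal', 'lookalike' (a domain within max_distance edits of ours),
    'reply-to-mismatch' (From is ours but replies go elsewhere) or 'external'."""
    from_dom = header_domain(raw_message, "From")
    reply_dom = header_domain(raw_message, "Reply-To")
    for dom in (from_dom, reply_dom):
        if dom and dom != legit_domain and levenshtein(dom, legit_domain) <= max_distance:
            return "lookalike"
    if from_dom == legit_domain:
        return "internal" if not reply_dom or reply_dom == legit_domain else "reply-to-mismatch"
    return "external"

# Constructed samples (not real mail): the bogus CEO note from Step 3, and a genuine one.
WHALING_MSG = (
    "From: Todd Harris <todd.harris@philllipselectrics.com.au>\r\n"
    "To: Bill James <bill.james@phillipselectrics.com.au>\r\n"
    "Subject: Urgent transfer\r\n\r\nBill, please process the attached payment today.\r\n"
)
INTERNAL_MSG = (
    "From: Todd Harris <todd.harris@phillipselectrics.com.au>\r\n"
    "To: Bill James <bill.james@phillipselectrics.com.au>\r\n"
    "Subject: Board pack\r\n\r\nAttached as discussed.\r\n"
)
```

A result of “lookalike” or “reply-to-mismatch” is the cue to apply point 2 and phone the purported sender before any money moves.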

Kevin Morgan is a Director at FooForce, a long-established Sydney-based IT Services and Consulting firm specialising in delivering services and solutions to the SME market across Australia and internationally. FooForce is one of relatively few ISACA-accredited providers of formal, globally recognised Cyber Risk Review and IS Audit and Risk Assessment services.