Put yourself in this finance executive’s shoes: Your new CEO emails you to request a $3 million payment for a new international vendor ASAP. It’s a chaotic time at your organization due to the firing of a previous vendor, so it makes sense that the team is looking for new partners. The transaction requires two executive approvals. Your CEO provided the first and you are tasked to provide the second, so you review and execute the transaction immediately.
A few hours later, you see your CEO in person and advise him that the funds were transferred as requested. It turns out he didn’t make the request, and the email was fake. He is shocked and can’t believe you just wired $3 million to an untraceable offshore account.
This was Mattel’s real-life horror story in April 2015, as the Associated Press reported. Although the money was returned, this threat was too close for comfort, and many organizations have not been so lucky. The following three scenarios are the most common ways whaling attacks can infiltrate your enterprise.
1. Clicking on Unsolicited Email or a Malicious Link
While enticing companies to respond to an unsolicited email is a relatively unsophisticated tactic from a technology perspective, it may be the simplest point of entry for the attack. The next step might be to launch malicious software (malware) to run wild on corporate networks. This malware can record characters typed on a keyboard to steal intellectual property or user login credentials, take screenshots of the user’s screen, or steal files. The malware often sends the information to the attacker through the enterprise firewall in ways that mimic normal network traffic, perhaps by using email or file transfer software.
Other malware may be designed to interrupt business operations by wreaking havoc on networks and systems, or even by causing physical damage to laptops, servers and company equipment.
2. Opening a Strange Attachment
In other whaling cases, rather than clicking on a bad link, the victim opens a malicious email attachment that downloads malware onto the victim’s computer. For instance, a recent powerful crypto-ransomware nicknamed “Locky” was initiated through a Microsoft Word macro. When used as intended, macros allow users to program simple repetitive actions. Although macros are disabled in Microsoft Word by default, the user who tries to open a malicious Word document, sometimes disguised as an invoice, is advised that macros must be enabled to display the document. Once enabled, a macro downloads and runs the ransomware program. It then encrypts and prevents access to local files as well as those on the user’s network shared drives.
In this example, Locky demands the Bitcoin equivalent of $2,100 to decrypt and unlock a computer. Adobe Acrobat files and other file types can also potentially launch malware code.
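As an added example (not from the original article), here is a mail-gateway style check in Python that flags Office attachments carrying VBA macros by inspecting their content rather than trusting the extension, which is the delivery path described above. The function names, sample file names and placeholder bytes are constructed for illustration, and the legacy-format check is a byte-pattern heuristic, not a full parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # stream name in OLE VBA storage


def macro_verdict(data: bytes) -> str:
    """Return 'macros', 'no-macros-found' or 'not-office' for one attachment."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: OLE directory entry names are stored as UTF-16LE.
        return "macros" if VBA_STREAM in data else "no-macros-found"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "not-office"  # a plain zip, not an OOXML document
    # The VBA project part is conventionally named vbaProject.bin.
    if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
        return "macros"
    return "no-macros-found"


def triage(attachments: dict[str, bytes]) -> list[str]:
    """Names of attachments to hold for review, judged by content."""
    return sorted(n for n, d in attachments.items()
                  if macro_verdict(d) == "macros")


def _ooxml(parts: list[str]) -> bytes:
    """Build a minimal constructed OOXML-shaped zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in parts:
            zf.writestr(p, b"constructed placeholder")
    return buf.getvalue()


# Constructed sample attachments (placeholders, not real documents).
SAMPLES = {
    "invoice_J-1234.docx": _ooxml(["[Content_Types].xml", "word/document.xml",
                                   "word/vbaProject.bin"]),
    "minutes.docx": _ooxml(["[Content_Types].xml", "word/document.xml"]),
    "invoice_old.doc": OLE_MAGIC + b"\x00" * 504 + VBA_STREAM,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A held attachment is a candidate for quarantine or sender verification; a "no-macros-found" verdict on a legacy file only means the heuristic found nothing.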
3. Getting Tricked on Social Media
Social engineering is the practice of using information about an individual to craft a specific attack against them, with social media sites being the primary source of information for scammers. No matter how hard platforms fight to control them, fake profiles are prolific. In fact, Facebook admitted to 83 million fake profiles last year. Just as phishing emails are more difficult to identify than they were a few years ago, fake social media profiles are also getting more complex. Attackers go to great lengths to establish the appearance of legitimacy. For instance, Dell SecureWorks recently identified a network of 25 fake LinkedIn profiles that had endorsed and recommended each other and thus earned credibility with hundreds of authentic LinkedIn users.
It is this first malware infection that provides hackers with the information they need to successfully pull off a whaling attack. While ransomware can sometimes provide hackers with hundreds of thousands of small payments, or larger sums in the form of bitcoin, the intention of a whaling attack is to receive a large lump sum of money in a single effort, often reaching the millions.
Complex phishing in the form of whaling is not a new technique, and companies of all sizes should plan for this potential cyber security threat in 2017.