Spear-Phishing and Whaling
Phishing is one of the oldest cyber security scams. It is usually carried out by e-mail and is, at bottom, an attempt to deceive users. Attackers trick their targets into opening an attachment that carries malicious code, into visiting a spoofed web page where they enter personal data, or simply into sending information back to the sender. This fairly simple scam has become much more sophisticated in recent years. With access to more information about their victims through corporate websites and social networks, phishers can personalize messages and websites convincingly, or install malware aimed at specific victims.
Motives for phishing range from hijacking and infecting individual computers, to attacking entire networks, to obtaining PII and other protected information for illegal use. The reasons may be political, economic, business-related or personal, but in any case the impact on a company can be devastating. A Vanson Bourne report sponsored by Cloudmark calculated that the cost of a single spear phishing incident can exceed a million dollars.
Phishing scams can have social ramifications and can inflict economic damage on affected businesses, including damage to brand reputation. Revenues can suffer directly, as in the Carbanak attack that hit hundreds of banks. Carbanak is an APT (Advanced Persistent Threat) that typically infiltrates a network through phishing e-mails; it has claimed victims around the world, from Europe to Asia to South America. In February 2015, a Carbanak attack affected hundreds of financial institutions in 30 countries and led to the theft of millions of dollars. At the Security Analyst Summit (SAS 2016), Kaspersky Lab’s Global Research and Analysis Team (GReAT) reported that criminal gangs are still engaged in similar APT-style bank robberies today.
Phishing and Its Evolution, Spear Phishing
According to the Proofpoint Human Factor 2016 report, social engineering techniques have been in use for decades yet remain the most common attack technique. Proofpoint found that “2015 was a year in which attackers embraced the view that ‘people make the best exploits,’ pivoting quickly and effectively to focus on techniques that put people at the center of the infection chain.” Users are increasingly at the center of malicious campaigns: the report shows that 99.7 percent of malicious attachments and 98 percent of malicious URL e-mail campaigns required human interaction in order to infect the target. “From high-volume email campaigns to targeted attacks, and from email to mobile apps, attackers built social engineering into their lures and their vectors to exploit the people’s willingness to click and open an attachment, run someone else’s code, download an app, or hand over their credentials.”
Early phishing relied on mass mailings in search of victims. This type of attack was easy and cheap, and it normally produced results: out of hundreds of e-mails, even a handful of clicks could give attackers the information or the entry points they needed. Perpetrators designed e-mails and websites to lure company employees, or consumers in general, into volunteering information and, in some cases, handing over credentials and even money. So how do phishers hook victims? How is this simple social engineering scam evolving? Why does phishing work?
Phishers send spam e-mail to many people, often simultaneously; they craft mass messages masquerading as a trustworthy entity and hope to lure some users into releasing the information they need. They may, for example, ask that usernames and passwords be sent back or entered on specially created websites; in this way they can easily acquire financial details (a credit card number and its verification code, for example) with intent to commit fraud. By now most Internet users have heard the term phishing and are familiar with this type of scam, used by criminals to obtain credentials, sensitive information, or access to systems and mobile devices. Phishing persists, however, because it exploits human weaknesses: victims may skim through their e-mail and mindlessly comply with a request that appears to come from their bank or to relate to their social network, PayPal, eBay or Amazon account. Users may also be lured by promises of winnings and lottery prizes. Nowadays, though, users are becoming savvier and better prepared to recognize mass phishing scams, so phishers have started to put more work into crafting their baits and into profiling and targeting.
Spear phishing is targeted phishing, used to increase the attacker’s chance of success; it is more effective than untargeted mass spam because it is carefully tailored to the intended target. This kind of attack is far more sinister, and a far greater threat, than ordinary phishing, because it zeroes in on a specific individual, organization or business. Scammers first harvest enough information from company websites, social networks or direct observation to understand in detail the world in which the intended victims move and their exact role within the company; they then craft the bait to reel in their prey, and the target has far less chance of recognizing the attack. Such baits are typically appropriate, relevant and believable.
Today spear phishing is one of the most common cyber attacks, targeting individuals and companies alike. The Vanson Bourne study sponsored by Cloudmark surveyed 300 firms in the US and UK and found that 38% of all the cyber attacks they faced in 2015 were spear phishing; 83% of the firms had seen a spear phishing attack penetrate their security defenses. In addition, a hefty 73 percent of respondents believed that spear phishing posed a significant threat to their organization, while 32 percent had suffered a financial loss as a result of an attack. Furthermore, 15 percent of the surveyed companies reported a decrease in stock price after a spear phishing attack!
Phishing incidents were once easy to spot but have become harder to recognize over time. New phishing baits are highly advanced and crafted for specific groups or categories of users. The Vanson Bourne study shows that targets were picked strategically according to their position in the company: IT staff (44%) and finance staff (43%) were the primary targets. Respondents also noted that phishers aimed high: 27% said their CEO had been targeted and 17% reported attacks on their CFO. Managers and executives are becoming the preferred targets for scammers. Top business officials make attractive prey, and over the past two years they have been among the favorite victims, whether targeted directly or impersonated.
A more specific form of spear phishing, in fact, is whaling: phishing aimed at executives and other high-profile targets. In other words, whaling is spear phishing directed at C-suite executives, i.e., the chief executive officer (CEO), chief operations officer (COO) and chief financial officer (CFO), or at any other senior manager within an organization, such as a VP-level director or corporate president. Whaling phishers are trying to catch ‘the whales’ of the targeted organization.
In a summer 2015 incident, for example, a major phishing scam targeted the accountant of a U.S. company through a Business Email Compromise (BEC) scam. The accountant received an e-mail, apparently from her chief executive, who was on vacation out of the country, requesting an urgent transfer of funds to complete an important and time-sensitive acquisition. The request was not unusual, as the accountant regularly received e-mails of this kind. A letter of authorization bearing the CEO’s signature over the company seal was attached, and she had no reason to suspect foul play. More than $700,000 was wired to a bank in China. Only after the scam was exposed did the accountant review the e-mails and documents she had received and find the signs of fraud: the sender’s domain was missing one letter (it read .co instead of .com), the CEO’s signature was forged, and the seal was a simple cut-and-paste from the company’s public website. The perpetrators had simply gathered all the data they needed on the CEO and other employees from the web and had learned enough about the company to know what the executives were working on and where.
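The one-letter domain difference in the incident above (.co for .com) is exactly the kind of cue a mail gateway or a finance team’s checklist can test for mechanically. The following is an added example written for this page, not code from the article or from any vendor it mentions: it flags sender domains that are a short edit distance from a protected domain and display names that match an executive while the address is external. The protected domain, the executive name and the sample headers are constructed placeholders.

```python
# Added example (not from the article): a defender-side check that flags
# sender addresses resembling a protected domain, such as the ".co" for ".com"
# substitution described above, and display names that impersonate an
# executive from an external address. The domain and name lists are assumed
# placeholders; a real deployment would load them from configuration.

PROTECTED_DOMAINS = ["example.com"]   # assumed: the organization's own domains
PROTECTED_NAMES = {"jane doe"}        # assumed: display names of senior staff


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_address(header_value):
    """Split 'Display Name <user@domain>' or 'user@domain' into
    (display_name, domain), both lowercased."""
    value = header_value.strip()
    if value.endswith(">") and "<" in value:
        name = value[:value.rindex("<")].strip().strip('"')
        addr = value[value.rindex("<") + 1:-1]
    else:
        name, addr = "", value
    return name.lower(), addr.rpartition("@")[2].lower().rstrip(".")


def domain_verdict(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """'internal' for a protected domain or one of its subdomains,
    'lookalike' when within max_distance edits of a protected domain,
    otherwise 'external'."""
    for good in protected:
        if domain == good or domain.endswith("." + good):
            return "internal"
    for good in protected:
        if edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "external"


def classify_sender(from_header):
    """Summarize why a message deserves extra scrutiny before acting on it."""
    name, domain = split_address(from_header)
    verdict = domain_verdict(domain)
    # An executive's name on a non-internal address is the classic BEC pattern.
    name_impersonation = name in PROTECTED_NAMES and verdict != "internal"
    return {
        "domain": domain,
        "domain_verdict": verdict,
        "name_impersonation": name_impersonation,
        "suspicious": verdict == "lookalike" or name_impersonation,
    }


if __name__ == "__main__":
    # Constructed From: headers, not taken from any real incident.
    for header in ["Jane Doe <jane.doe@example.com>",
                   "Jane Doe <jane.doe@example.co>",
                   "Jane Doe <jane.doe@webmail.test>",
                   "Bob <bob@partner.org>"]:
        print(header, "->", classify_sender(header))
```

The distance threshold of 2 is generous: for very short protected domains it will also match unrelated names, so tune it per domain or restrict it to the label before the top-level domain. The check is a complement to, not a substitute for, message authentication, because a lookalike domain registered by the attacker can carry perfectly valid SPF and DKIM records of its own.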
The Anti-Phishing Working Group (APWG) recent trends report shows that the number of businesses vulnerable to BEC scams is increasing and that BEC became a major problem in 2015: “Business Email Compromise (BEC) scams were a scourge to many businesses in 2015, with the FBI reporting a 270% increase in reported global losses from January to August 2015.” Carl Leonard, Principal Security Analyst at APWG, explains that “the attacks use a form of spear-phishing, and initial attacks sent the spear-phishing emails from free domain names that closely resembled the victim company’s domain name.” These attacks are not aimed only at larger companies or particular industries; they have claimed victims across the board. APWG Senior Research Fellow Greg Aaron notes that “all types of companies are vulnerable to BEC scams. It’s not just large companies – I’ve seen companies with under eight employees being targeted.”
According to Mimecast’s latest security advisory, whaling attacks on enterprises increased in 2015, a trend expected to continue this year. “Most whaling attacks pretend to be the CEO (72%), while 35% had seen whaling emails attributed to the CFO.” There are specific reasons why these attacks are so effective. First, C-suite executives have highly demanding jobs that oblige them to process a great deal of information in little time, whereas recognizing a perfectly crafted phishing attempt requires care, verification and double-checking of information. Whaling e-mails look thoroughly professional, discuss sensitive matters that executives care about, and usually convey a sense of urgency. In addition, information about such executives is usually widely available on the Internet, which makes the phisher’s job much easier than targeting other employees within the organization. CEOs and other managers are either the direct target of the requests or become the involuntary “actor” of the phishing, as attackers impersonate them in their dealings with other employees.
The largest threat to an organization – Defenses and Solutions
While harpooning executives (whaling) is a real threat aimed at high-profile targets within an organization, spear phishing in general remains a top concern for businesses. This technique has been responsible for the largest cyber attacks in recent history, including those involving JPMorgan Chase & Co. (banking), eBay (e-commerce), Target (retail), Ubiquiti Networks (technology), Anthem (health care), Sony Pictures Entertainment (entertainment) and various U.S. government bodies, such as the Office of Personnel Management (OPM), the White House, the State Department, the Pentagon and the Joint Chiefs of Staff (JCS). These real-life spear phishing examples show that any industry can be targeted.
The latest phishing schemes have targeted federal income tax returns. Since January of this year, over 50 companies have been victimized by W-2 spear phishing attacks that led to tax fraud and identity theft. Attackers harvested W-2 information (employees’ wage and tax statements for 2015) and succeeded in numerous cases; the fraudsters were even able to steal their targets’ tax refunds.
There are actions organizations can take to defend themselves. The first are technical and include adopting solutions that block most threats arriving by e-mail. As the Proofpoint Human Factor report notes, “solutions must take into account the increasing sophistication of emerging threats and socially engineered attacks.” It is important to install all available security updates, which help eliminate known vulnerabilities, and to improve incident response with automated tools that can identify infections and block the command-and-control (C2) communication of compromised systems. Many e-mail operators use DMARC to protect their users from spam and prevent e-mail-based abuse: DMARC builds on one of the message authentication protocols (SPF, DKIM or ADSP) and checks that the authenticated domain is aligned with the sender’s domain and with the published policy, so that genuine e-mails are recognized and spoofed messages are flagged for rejection.
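To make the DMARC alignment rule concrete, here is an added example written for this page, not code from Proofpoint or any other vendor the article cites. It shows how a receiving mail server turns a published DMARC record plus its own SPF and DKIM results into a disposition: a message passes when SPF or DKIM passes and the domain that was authenticated is aligned with the domain in the From header; otherwise the record’s p= policy applies. The record, the domains and the authentication results are constructed, and the organizational-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
# Added example (not from the article or any vendor): DMARC evaluation as a
# receiving mail server performs it, over constructed SPF/DKIM results.
# DMARC passes when SPF or DKIM passes *and* the authenticated domain aligns
# with the RFC5322.From domain; otherwise the published policy (p=) applies.


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("p", "none")      # monitor-only when no policy is published
    tags.setdefault("adkim", "r")     # relaxed alignment unless the record says 's'
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Assumed simplification: the last two labels. Real receivers consult the
    Public Suffix List so that names under e.g. 'co.uk' are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain, so mail.example.com aligns with example.com."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf=None, dkim=None):
    """spf / dkim are (result, authenticated_domain) tuples as the receiver
    observed them, e.g. ('pass', 'mail.example.com') for SPF's MAIL FROM domain
    or ('pass', 'example.com') for a DKIM signature's d= tag.
    Returns 'pass', or the disposition to apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags["aspf"]))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(dkim[1], from_domain, tags["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Constructed record and observations for the protected domain example.com.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    cases = {
        "legitimate mail": ("example.com", ("pass", "mail.example.com"), ("pass", "example.com")),
        "spoofed From header": ("example.com", ("pass", "bulk-sender.test"), ("fail", "bulk-sender.test")),
        "forwarded (SPF broken, DKIM intact)": ("example.com", ("fail", "example.com"), ("pass", "example.com")),
    }
    for label, (frm, spf, dkim) in cases.items():
        print(f"{label}: {evaluate_dmarc(record, frm, spf, dkim)}")
```

Two points are worth drawing out. A message that passes SPF for some unrelated domain still fails DMARC, because the pass is not aligned with the From domain; that is what stops a plain forgery of example.com once p=reject is published. Conversely, DMARC only protects the exact domain that publishes the record: a lookalike such as example.co, with its own SPF and DKIM records, passes DMARC for itself, which is why the domain-similarity check earlier in this article remains necessary alongside authentication.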
However, even after a decade of refinement, anti-phishing technologies (the most common being anti-spam and anti-virus software, content and URL filtering, file sandboxing and secure web gateways) can only mitigate the problem; no single solution has yet completely stopped phishing attacks from getting through defenses or eliminated spoofed e-mails and websites. More needs to be done. Policies, for example, matter within an organization: improving internal financial controls can prevent some scams, including wire transfer fraud, and social media activity can be regulated and monitored. Although people have come to rely on technical countermeasures to guard against this kind of high-tech scam, these defenses are not foolproof; InfoSec education is equally if not more important. User education is key to keeping up with the latest phishing scams and becoming aware of phishing techniques.
In building a security culture, people are the best defense and can become valuable defenders of an organization’s information assets. As Lance Spitzner, Director at SANS, says: “people, not technology, are becoming the key to securing organizations today.” It is best not to rely solely on technology-based solutions but also to give employees the knowledge to defend their systems. Most organizations have developed employee awareness training to educate staff about the tactics of phishers and the dangers of social engineering. Eyal Benishti, Founder & CEO of IronScales, sees the need to “increase awareness through an ongoing training and simulation programs with staged, real-world whaling emails and user-specific campaigns tailored to managers’ digital footprints.” Phish.io, for example, is a free phishing simulator that sends simulated phishing e-mails; it is a valuable investment in effective training for all employees in an organization.
Although users are getting savvier and better educated about the risks of social engineering, as Kevin Epstein, vice president of Threat Operations at Proofpoint, noted, attackers in 2015 concentrated more than ever on human exploitation rather than on technical exploits. “People’s natural curiosity and gullibility is now targeted at an unprecedented scale. Attackers largely did not rely on sophisticated, expensive technical exploits. They ran simple, high-volume campaigns that hinged on social engineering. People were used as unwitting pawns to infect themselves with malware, hand over key credentials, and fraudulently wire money on the attackers’ behalf.”
Whether attacks are aimed at many employees across an organization (mass phishing), at a high-ranking employee (spear phishing), or at harpooning top-level executives and upper management (whaling) into divulging confidential company information, delivering the right training to the intended audience (such as phishing exercises via automated PhishSim campaigns targeted at specific roles, available on Infosec IQ) can be the best line of defense to keep attacks from succeeding.
Anti-Phishing Working Group. (2015, December 23). Phishing Activity Trends Report, 1st – 3rd Quarters 2015. Retrieved from https://docs.apwg.org/reports/apwg_trends_report_q1-q3_2015.pdf
Benishti, E. (2016, January 19). Whaling: Cybercriminals are now after the Big Phish. Retrieved from http://ironscales.com/whaling-cybercriminals-are-now-after-the-big-phish/
Brownlee, L. (2015, October 7). Simulated Phishing Attacks Yield 37 Percent Return On Investment. Retrieved from http://www.forbes.com/sites/lisabrownlee/2015/10/07/security-simulated-phishing-attacks-yield-37-percent-return-on-investment/#2c47fa962642
GReAT. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved from https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/
Metzger, M. (2016, January 14). Spear-phishing increasingly large concern for IT professionals. Retrieved from http://www.scmagazineuk.com/spear-phishing-increasingly-large-concern-for-it-professionals/article/465093/
Mimecast. (2015, December 23). Email Security Advisory – Mimecast Warns of Heightened Whaling Threat. Retrieved from https://www.mimecast.com/globalassets/documents/analyst-reports/security_advisories.pdf
Plesco, R. & van Drunen, G. (2015, May 21). Mitigating the Risk of Wire Fraud. Retrieved from http://www.treasuryandrisk.com/2015/05/21/mitigating-the-risk-of-wire-fraud
Proofpoint Inc. (2016). The Human Factor 2016 – Research Report. Retrieved from https://www.proofpoint.com/sites/default/files/human-factor-report-2016.pdf
Runald, P. (2012, October 9). What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research. Retrieved from https://community.websense.com/blogs/websense-insights/archive/2012/10/09/what-is-scaring-businesses-the-most-spear-phishing.aspx
SecurityWeek News. (2016, February 23). Cybercriminals View People as the Best Exploit: Report. Retrieved from http://www.securityweek.com/cybercriminals-view-people-best-exploit-report
SecurityWeek News. (2016, March 1). Snapchat Employee Falls for Phishing Attack. Retrieved from http://www.securityweek.com/snapchat-employee-falls-phishing-attack
Vanson Bourne. (n.d.). Cloudmark Puts Spear-Phishing in Its Cross Hairs. Retrieved from http://www.vansonbourne.com/news/news-recent/january-2016/cloudmark-puts-spear-phishing-its-cross-hairs/