[BreachExchange] Bigger phish – Everything you need to know about whaling

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 10 19:34:38 EST 2017


http://www.itproportal.com/features/bigger-phish-everything-you-need-to-know-about-whaling/

2016 saw bigger, more frequent and more high-profile hacks than any year
before it. Whispered rumours of hacking during the US election linger on,
Yahoo finally admitted to two colossal data breaches with billions of
records leaked, and the internet of things offered new opportunities to
attackers, as tech users take advantage of a range of connected devices
without perhaps the same regard we have for the security within our PCs,
phones and laptops.

Realistically though, 2016 is only the tip of the security iceberg with the
threat landscape continuing to develop and grow. Attacks on SMEs are on the
increase, as smaller firms are repeatedly targeted with ransomware attacks
and ever-more sophisticated phishing scams.

We’ve all had an email from a benevolent Nigerian millionaire asking for
our bank details and shown our friends for a quick laugh, before consigning
it to the trash. But could you so easily identify a hoax email built by a
team of professionals, who have information about which services you use,
what your colleagues’ names are and what business you are engaged in?

The development of these more targeted attacks is a feature of the spear
phishing landscape in recent times. Malicious emails used to be far less
sophisticated, with basic looking templates and spelling mistakes. Now they
are branded with company logos and a forged email address. Attackers tailor
the communications for their victim using information they know about your
business. The more plausible and personalised the attack, of course, the
higher the success rate.

Stolen identities

More than 80,000 successful phishing attacks occur every day worldwide.
That's more than 80,000 people who click the link and are netted by the
baited website. The stolen details result in stolen identities, financial
loss, credit card fraud and other internet scams. It's essential, now more
than ever, for companies to put cyber-security at the top of their agenda.

The fallout from an attack like this can be massive so it’s extremely
important for C-level employees to sit up and listen. The FBI recently lost
20,000 records from someone calling the helpdesk and pretending to be a new
employee. If it can happen to them, it can happen to anyone.

Whilst the general internet user is becoming more savvy and switched on to
the generic spoofed emails of phishing scams, phishing is evolving. One
such evolution rising to prominence in the last 12 months, and continuing
to gather pace, is whaling. This form of spear phishing goes after the
biggest targets in an organisation: senior executives and other high-value
individuals are hoodwinked into authorising online payments to cyber
scammers posing as colleagues or legitimate suppliers.

Whaling is a notable development compared to other spear-phishing attacks
because of the incredible sums of money involved. Cases of this online
‘confidence trick’ are on the rise, with huge sums at stake – one MD
approved a £30m payment in a single incident.

Pretexting and baiting

Targeted spear-phishing attacks use methods like pretexting and baiting:
pretexting builds a fabricated scenario that gives the attacker a plausible
reason to ask for something, and baiting dangles a free product or other
lure. Both build up a false sense of trust before the sensitive
information is stolen.

In whaling attacks, frontline workers are often targeted first, to gain
access to bosses' credentials and information that help attackers build a
credible method of approach to their real target. The resulting messages
are marked urgent and look legitimate, and employees are being duped by
these 'whaling' techniques, resulting in CFOs and CEOs making massive
payments into accounts not run by their company.

These attacks are not going to stop, so it’s your responsibility to be
prepared. Rather than just telling your team what to look out for, you
actually need to test them. There are three steps you need to take: tell
your team, test your team, and then invest in more technology.

Would you know how to examine a link to check that it is taking you to the
site it claims to, rather than to a forged website? It's becoming a regular
occurrence to receive these links in emails, but more education is needed to
reduce exposure.
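The two warning signs the article describes, a forged or lookalike sender address behind a familiar name and a link whose visible text does not match where it really points, can both be checked mechanically before anyone decides whether to trust a message. The script below is an added example written for this post; it is not code from the article or from UKFast. The company domain (example-corp.com), the two sample messages and the lookalike hosts are all constructed for the illustration, and the "last two labels" rule for the registrable domain is a deliberate simplification of what a real gateway would do with the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the organisation's genuine mail/web domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed lookalike host: the company domain with a Cyrillic 'a' (U+0430)
# in place of the Latin one, turned into its xn-- (IDNA) wire form.
LOOKALIKE_HOST = "portal.ex\u0430mple-corp.com".encode("idna").decode("ascii")

# Constructed sample, not a real capture: an "urgent payment" whaling mail.
SAMPLE_EMAIL = f"""\
From: "Jane Smith - CEO example-corp.com" <ceo.jane.smith@examp1e-corp.com>
Reply-To: <ceo.jane.smith@accounts-mail.example>
To: finance@example-corp.com
Subject: URGENT: supplier payment before 5pm
Content-Type: text/html; charset=utf-8

<p>Please approve the transfer at
<a href="http://{LOOKALIKE_HOST}/login">https://portal.example-corp.com/login</a>
today. I am in meetings all day, do not call.</p>
"""

# Constructed legitimate internal mail for comparison.
CLEAN_EMAIL = """\
From: "Jane Smith" <jane.smith@example-corp.com>
To: finance@example-corp.com
Subject: Q1 figures
Content-Type: text/html; charset=utf-8

<p>Figures are in the <a href="https://portal.example-corp.com/login">https://portal.example-corp.com/login</a> folder.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification: last two labels. Real tooling uses the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def decode_idna(host):
    """Turn xn-- labels back into the Unicode the victim would actually see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(host):
    """Flag a domain that is close to, but not, one of ours (examp1e, ex\u0430mple...)."""
    dom = registrable_domain(decode_idna(host))
    return [("lookalike_domain", f"{dom} ~ {t}")
            for t in TRUSTED_DOMAINS if 0 < edit_distance(dom, t) <= 2]


def analyse_message(raw):
    """Return a list of (finding, detail) tuples; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Forged/lookalike sender: the address is not on a domain we own.
    if sender_domain and registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(("sender_domain_untrusted", sender_domain))
        findings += lookalike_findings(sender_domain)
    # Display name borrows our domain to look internal while the address is not.
    for t in TRUSTED_DOMAINS:
        if t in display.lower() and registrable_domain(sender_domain) != t:
            findings.append(("display_name_spoof", display))
    # Replies silently routed somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(("reply_to_mismatch", reply))
    parser = _LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        # Anchor text that looks like a URL but names a different host than the href.
        if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)", text, re.I):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and shown.lower() != host:
                findings.append(("link_text_mismatch", f"{text} -> {href}"))
        if "xn--" in host:
            findings.append(("idn_homograph", f"{host} = {decode_idna(host)}"))
        if target.scheme != "https":
            findings.append(("link_not_https", href))
        findings += lookalike_findings(host)
    return findings


if __name__ == "__main__":
    for kind, detail in analyse_message(SAMPLE_EMAIL):
        print(f"{kind:24s} {detail}")
    print("clean message findings:", analyse_message(CLEAN_EMAIL))
```

Run against the constructed whaling mail this reports the untrusted and lookalike sender domain, the display name that borrows the real company domain, the diverted Reply-To, the anchor text that names the real portal while the href goes to the homograph host, the xn-- label decoded back to what a user would see, and the plain-http target; the constructed legitimate mail produces no findings. These are heuristics for a person or a mail filter to act on, not proof of fraud, and they do not replace the sender-authentication checks (SPF, DKIM, DMARC) that a mail gateway performs on the envelope and headers.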

If you are going to invest in tech you should look at a secure email
system. You will see this implemented in security-aware companies. The cost
isn’t high, and if you look at the potential cost of an attack then the
peace of mind provided by being safer is priceless.

One group benefiting from the increased success of phishing and digital
confidence tricks is ransomware attackers. More sophisticated phishing
scams are among the factors behind the explosion of ransomware globally in
the last 12 months. Again, human error is the easiest vulnerability for
attackers to exploit, so prepare yourself and your employees or colleagues.

Of course, the spike in attacks has also been driven by the emergence of
the Dark Web and cryptocurrencies like Bitcoin. In Q1 of 2016 there were
4,000 attacks a day in the US, whereas a year earlier that number was just
1,000. The average ransom demand is also on the rise, increasing 135% in
the six months to June 2016.


Big news

Once ransomware has encrypted a victim's files, there is very little they
can do beyond paying the ransom to the attackers, unless they have a regular
and comprehensive backup regime. With backups in place they can restore
their files from a point just before the ransomware struck, and the ransom
demand loses its leverage.

Hacks make big news, daily, and the risks are growing at an alarming rate.
At UKFast we look after the online infrastructure of nearly 6000 businesses
and we are seeing this kind of confidence trick occurring with astonishing
regularity. It’s only a matter of time before a large business is brought
down by one of these attacks. Now is the time for firms to knuckle down and
strengthen their cyber security defences, before it’s too late.