CEO Phishing: Hackers Target High-Value Data

Michael Buckbee
Last updated October 14, 2022

Humans like to click on links. Some of us are better at resisting the urge, some worse. In any case, you’d also expect that people in the higher reaches of an organization — upper-level executives and the C-suite — would be very good at resisting phish bait.

Harpooning the whale

Alas, even the big phish like to chomp on the right links.

We now have even more evidence that cyber thieves are getting better at fine-tuning their attacks against high-value targets, a practice known as “whale phishing.”

The security firm Digitalis tells us that attackers are using social media to research executive habits (say, an interest in cricket) and then forge an email, embedded with a malware payload, that appears to come from a business associate, also discovered through social media, and mentions the cricket match.

This is business-class phishing!

The attraction of corporate whales is that they are likely to have incredibly valuable information on their laptops. Not the commodity PII that is involved in most data breaches, but intellectual property and other sensitive data: deals in progress, key customers, confidential financial data, or embarrassing emails.

It’s the kind of information that could be sold to competitors or, better yet, doxed unless a ransom is paid.

We’ve long known that phishing attacks that are based on better research are very effective. The more the attacker knows about you, the more likely you are to trust the sender.

Which would you click on: an email sent by a Nigerian finance minister regarding unclaimed funds, or an email from your bank — from your local branch — saying there’s been an adjustment to your balance, and you’ll need to look at the attached PDF? Enough said.

Executive privacy

Digitalis also found that executives, like the rest of us, are not very good about their privacy settings on Facebook and other social networking sites. They found that less than half of those surveyed restrict who can see their profile. And only 36% keep up with their social settings.

Should executives simply forgo social media?

I’ve heard experts say if C-levels and other execs don’t set up their own accounts, the hackers will do the work for them by establishing a forged identity and squatting on their property. This can then lead to very sophisticated phishing.

My advice: as an executive, you should take charge of your social persona. This leads to one of the points of the Digitalis research: executives (and the rest of us as well) should never reveal more than they have to on these social networks.

As in the file system world, always change from the default “everyone” setting, and restrict information to just friends.

And since social networking companies — well at least one — have had a bad habit of tweaking these settings, you should, as Digitalis suggests, periodically revisit your account.

Concierge security?

Security pros have pointed out that social networks, by design, will always share some information by default, and this typically includes who your friends are.

Even with very restrictive settings, a smart attacker can still use this friend information to make very good guesses about the habits, interests, and preferences of the target account—say, the CFO of the company.

Welcome to our world!

There are no easy answers here when it comes to protecting executives from attacks. It’s essentially the problem organizations face with hackers in general: they will get in!

The more important point is to monitor for and detect unusual system and file events to reduce the risks.

In a past blog post, I’ve said it’s worth devoting IT security resources to monitoring the computer activities of corporate VIPs. With this latest research, I’ll double down on that position.

And if the company is large enough, this could include dedicated staff — perhaps a security concierge service.

In any case, it does make sense to take any alarms and notifications involving the computer accounts of C-levels very seriously. Don’t view them as likely false positives.

It’s worth tracking them all down until they’re resolved.
