This month’s article from our newest columnist, attorney Tim Pastore (Legal Brief) really struck me…CEO/executive impersonation seems as real a threat to both a security business’s customers as well as to the service provider itself as ransomware or any other cyber vulnerability – perhaps even more so.
It turns out, there’s a word for the type of email fraud scheme Mr. Pastore describes: Whaling.
Where does the term come from? The likely answer is that it is just a bigger and better form of “phishing” – but personally, I like to think the term spawned from the casino/gaming lexicon. As you walk around the casino you are staying at for GSX, if you spot a whale, you are seeing a high-roller gambler – someone with a lot of money to lose.
While the etymology is debatable, either one fits – because as Mr. Pastore writes in Legal Brief, a single well-crafted and disguised email can make for a multi-million-dollar score for a criminal and a potentially crippling blow to a business. Phishing for Joe the Plumber’s credit card number is for amateurs; whaling is now the preferred attack vector of today’s enterprising cyber thieves.
Kaspersky Labs defines a whaling attack as “a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. Also known as CEO fraud, whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money.”
Frequent SD&I contributor Rob Simopoulos of cybersecurity firm Defendify (formerly Launch Security), recently wrote in his blog: “If an attacker can fool a so-called ‘whale,’ they could get to the top tier of information: financial data, employee information, intellectual property, business plans and more.”
He adds that “business owners and executives are obviously tempting prey: They often have high-level access to financial accounts and sensitive business data; and they have the authority to make things happen quickly inside the business, typically a key appeal for cybercriminals.”
Case in Point: It’s Not a Kid’s Game
One of the more famous whaling attacks happened to toy maker Mattel in 2015. It cost the company $3 million. There have been many more attacks since (and much more profitable ones for thieves), but the high-profile nature of the attack prompted the InfoSec Institute to write a detailed case study on the particulars of the case:
The cybercriminals behind this attack have been hiding in Mattel’s computer networks to diligently study the corporation’s internal procedures, protocols, corporate hierarchy, supplier information, employee personalities, etc…They waited for the perfect moment, which came when Mattel appointed a new CEO, Christopher Sinclair, in Jan. 2015.
The cybercriminals selected a high-level executive as the recipient of this delicate whaling email, using the identity of Christopher Sinclair, and asked the recipient for a joint approval of a $3 million payment to a Chinese supplier of Mattel. According to Mattel’s internal money transfer protocol, such a payment would require authorization from two high-level managers. The recipient qualified, and as the request had come from the new CEO, which signified the other authorization, she did not hesitate and pressed the transfer button.
Visit https://resources.infosecinstitute.com and search for “Mattel” to read the full, blow-by-blow report and analysis. You may be surprised to learn how vulnerable Mattel was, and how vulnerable your company or customers may be.
As a business owner, it is time to face facts: You are a whale.
Paul Rothman is Editor-in-Chief of Security Dealer & Integrator (SD&I) magazine. Access the current issue, full archives and apply for a free subscription at www.secdealer.com.