What is whaling

Whaling is a form of phishing. In fact, is it a form of spear phishing. Phishing is an online scam that aims to reap private information from members of the general public, particularly login details for email, payment, and banking applications.

A typical phishing scam uses social engineering to impersonate a trusted party, often an authority figure and tricks the victim into voluntarily surrendering the target info. It often starts with an official-looking email. The email warns that you are about to lose access to an important site, for example, such as your email account. The body of the email includes a link to the website where you must enter your username and password. In this scenario, the email was sent from a fake address and the link goes to a page that copied the logo, layout, and graphics of the real site. When you enter your username and password to log in, that information is sent to the scammer.

With spear phishing and whaling, the end goal is the same: to gain access to a person’s account or accounts. The main difference between phishing and spear phishing/whaling is that the target of the scam is an individual. Whereas a normal phishing scam is sent to thousands of people in the hope that a few will click the link, a spear phishing email is only sent to one person or a very small group of people. The difference between spear phishing and whaling is that the target of whaling is usually a very important person — a big fish.

Who are targets of whaling?

Whaling takes a lot of time and effort and is part of a targeted campaign. It is personalized and tailored, and so requires a lot of research into an individual (called “doxxing“).

Blackmailers and gossip columnists use whaling to trick the rich and famous into giving away their secrets.

In the business world, hackers target executives and upper management to get them to wire money or glean insider information about the company’s activities. For example, if a merger is in the cards, getting shares in the target company before anyone knows about the deal would reap the investor a massive profit once the share value surges on the announcement of the deal. That information could be extremely valuable to the right person.

Another purpose of whaling in the business world is to get network and server access with a high-level administrator account, so network and systems administrators might be targeted. A skilled con artist can even use whaling techniques to get into the position where he can issue instructions as if he were an executive of the company.

What are whaling techniques?

There is no set strategy for whaling. However, the tools that hackers use in a whaling investigation are standard. Phishing strategies rely on calls to action in the emails, usually in the form of a link to a fake or infected site.

One avenue is cat phishing, where the hacker will pose as a friend of the target, or lure that person into a new friendship, either with the promise of sex or financial gain. A cat phishing exercise for whaling starts with research. What does the target like? For example, a gay man isn’t likely to be interested in nude pics of a woman. Someone who is into yachting could be hooked by an opening email that purports to be from a broker that has a sensational deal on one of the best yachts in the harbor. A wine buff could be tempted by an announcement of the arrival of a rare wine in stock, and a smoker could be hooked by the offer of a banned Cuban cigar.

So, the first step of a whaling campaign involves researching the target. The second step of the campaign could go along one of many avenues depending on the aim of the attack.

What attacks does whaling aid?

If the purpose of whaling is to get malware onto a company’s network through a high-level user account, then just getting the target to visit a web page could be enough. In this strategy, you would set up a web page that covers a subject of interest to the target. You would embed JavaScript in the page that could call on system resources on the target’s computer. The system resources contact a command and control server that will then download spyware and other malicious programs onto the executive’s computer. This is a fileless malware infection. An example of whaling used to facilitate a fileless malware attack is Operation Cobalt Kitty, which was launched against an Asian corporation in 2017.

If the scammer wants the executive’s passwords, then he is going to have to set up a form of phishing scenario, but for whaling. You will need to create a copy of the corporate login page and then send the target a spoofed email from the IT department asking him to follow a link to the page and log in. With a high-level user account, a hacker can log in at will, steal information, set up monitoring software, or destroy data.

Some whalers may attempt cat phishing. This involves posing as a friend, or establishing a rapport. This exercise could get the target to reveal personal information or details of ongoing negotiations. The information disclosed by the target could then be sold or used for blackmail.

Spoofing is a typical phishing method. It involves altering the information in an email header to impersonate a trusted entity. For example, an email display name can be anything the scammer wants it to be, or the email address might be made to look like it came from an official source. The forged site linked to in a phishing email can also be spoofed by using a URL or domain that appears to belong to the official site, but does not.  These are very common examples of spoofing.

Masquerading involves creating email addresses that seem to belong to a company or person, but actually belong to the hacker. This is necessary if the hacker wants a reply back. Although it is possible for a hacker to break into someone’s email account and send out an email, the scam could be quickly discovered and thwarted by the real account holder. Masquerading allows a hacker to pose as someone else without that person ever being aware of his doppelganger. According to Mimecast, masquerading accounts for 72 percent of whaling attacks.

In order to gain from a whaling attack, the masquerader would need to know the name of an executive and all of the people that person interacts with. It would be important to know the victim’s schedule and what activities that person regularly performs at the workplace. This builds a profile of acceptable behavior.

The next point involves setting up a copy of the target company’s website, or at least its domain, so it is possible to send out emails in that name. So, imagine that you want to pose as Barry Hartnell, CEO of Magimeg Corp in Houston, Texas. Let’s say that Magimeg Corp’s website has the domain magimeg.com. The scammer buys the domain magimegcorp.com and sets up an email account in the hosting account’s dashboard for barryhartnell@magimegcorp.com. They can then start sending out instructions to the CFO to transfer funds to an account in the Cayman Islands.

Such a scam would be more likely to succeed if the locations and the actions in your messages tie in with the person that you are mimicking. So, in the above example, if Barry Hartnell was still sitting in his office when you sent the email, the scam would collapse as soon as the CFO walked down the corridor to ask Barry for confirmation. However, if Barry Hartnell was actually in the Cayman Islands at the time on a trip to carry out a takeover of a local company, then the request for a transfer of funds would make perfect sense.

A whaling attack might not be as straightforward as telling someone to wire money. A company executive can also send out instructions to buy products, with payments going to a fake account even though those goods will never arrive. The HR director could ask the IT department to set up a user account with system privileges for the new network administrator who will be working from home. A hacker can achieve many damaging tasks thanks to a successful whaling expedition.

Examples of business whaling attacks

Corporations that have been stung by any type of hacker attack often don’t want any news of the attack to leak out. So, it is very difficult to get a full picture of the prevalence of whaling. The Operation Cobalt Kitty example given above is one instance where a whaling expedition was used as an entry point for malware onto a company’s network.

It seems difficult to believe that any company would have systems in place that allowed an executive to have money wired out just by sending an email, but many do. Hackers got employees at Ubiquiti Networks to transfer $46 million in 2015.

In what was probably the most profitable whaling scam of all time, a Belgian bank, Crelan, was conned through whaling into transferring more than 70 million Euros.  The gains from a successful whaling expedition are potentially massive, which is why it can be worth the time and effort for a hacker team to go into very detailed research on a target and the people that surround him or her.

How can I protect my company against whaling?

No matter what detection methods you put in place, there is probably a hacker that can get around it. For example, if an executive or an administrator is blackmailed, the instructions that implement the theft will actually originate with the real person in the organization and not a con artist pretending to be that person.

As with any type of corporate defense strategy, business procedures should guard against giving a single person too much power or unrestricted access to all of the resources of the company.

In cases where whaling is used to sneak malware through a high-level account, tighter access controls would block the infection, reveal it, or at least limit its spread. In the case of Operation Cobalt Kitty, for example, using the executive’s account enabled malware to replicate all over the network and into servers and databases. Requiring separate logins for different resources and using two-factor authentication can prevent the spread of malware and limit the infection to the target’s desktop computer.

Some whalers just want to get the target to open an infected link. So, a company policy should state that no one, not even executives, should use the company’s resources for their private web surfing. Similarly, you should ban all system users from accessing private email on the company network and educate all users about the dangers of attachments. As much of the research of whaling focuses on the personal life of the target, shutting down personal use of company resources will block a lot of the tricks that whalers hope to use in order to gain access to the company network.

Getting an email server that can analyze the addresses of correspondents and filter spam emails can help root out masquerading attacks.

User device tracking software is another useful defense against the consequences of whaling. Multiple logins by same user in several physical locations should highlight compromised accounts.

How can I protect myself against whaling?

The starting point of whaling is doxxing — research into a person’s life. Unfortunately, the popularity of social media and the tendency of people to brag mean that it can be very easy to compile detailed information on the lives of the majority of the population. If you don’t want people to know about your life, don’t post details on social media. Only accept friend requests from people that you know and ask your friends and relatives not to post comments about you online. Don’t be tempted to talk about your own life in any Twitter feeds, just stick to business issues. Also, try to limit the information you write about yourself on LinkedIn.

Stripping out personal details from any online profile will help you to limit your exposure to whaling. As a high profile individual, it would be a menial task to discover where you worked in your last job, and a scammer could use that to establish contact with you. Whatever information is out there about you, be cautious about anyone who is over-friendly in business exchanges and don’t be tempted by calls to action that instill a sense of urgency.

Many phishing attempts try to frighten the target into disclosing information or visiting login pages. Read all emails with skepticism. If you receive a warning that an online service you use for business is about to be closed unless you take action, contact that service’s customer support team directly rather than following the instructions in the email. Never click on any links in those warning emails and never download attachments. If in doubt, call the business that the warning email is supposed to be from.

Be aware of doxxing and whaling

Whaling and its supporting practice of doxxing are relatively new techniques. As types of scams become well known, their effectiveness shrinks. Whaling has proved successful in the past, but you can be part of the solution. Don’t be too trusting in your business dealings and don’t regard business contacts that you have never actually met as anything other than strangers. Be sure to verify the identities of people whom you do know online through some means other than email.

Image: Crackers by elhombredenegro via Flickr. Licensed under CC BY-SA 2.0