Your weekly roundup of the latest infosec news, including a look at how cybercriminals use whaling emails to get critical information.
IN THIS WEEK'S SPOTLIGHT: EMAIL WHALING
Call me Ishmael and give me the highlights
Whaling is a variant of spear phishing that targets executives at a company. Cybercriminals craft an email that looks like it comes from a colleague or other trusted source and ask for sensitive corporate information such as W-2s or corporate financial data. Some ask the executive to approve or share wire transfer details, which the cybercriminal then uses to move money out of corporate accounts.
The FBI estimates that whaling attacks have caused over $2 billion in losses. Whaling attacks are successful primarily because cybercriminals take the time to craft emails that look and feel like legitimate emails from known colleagues. They check your LinkedIn to see who you are connected to and even make the email address and signature look like someone’s you regularly do business with.
Well, I don’t have to worry about that, we have a spam filter
Unfortunately, most of the techniques used to stop spam and phishing emails won’t really work on a whaling email. Each one is individually written and sent by hand, so it lacks the bulk-sending signals that spam filters key on. Whalers rarely put malicious links or attachments directly into the email; instead they use social engineering to talk the recipient into handing over login credentials, sensitive financial documents, or other confidential business data. Whaling emails are often the first step in gaining access to a corporate network and distributing malware.
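Because a whaling email carries no link, attachment or bulk-sending fingerprint, the signals that remain are in the headers and the request itself: an executive’s display name on an address outside the corporate domain, a lookalike domain, a Reply-To that points somewhere other than the From domain, and a body asking for financial or HR data under time pressure. The script below is an added example, not code from the original page: it scores one raw message on those heuristics. The corporate domain, the executive roster, the keyword lists and both sample messages are constructed for the example.

```python
"""Heuristic triage for whaling (executive-impersonation) emails.

Added example. CORP_DOMAIN, EXECUTIVES, the keyword patterns and the
two sample messages are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                        # assumed corporate domain
EXECUTIVES = {                                          # assumed executive roster
    "jane doe": "jane.doe@example-corp.com",
    "bob smith": "bob.smith@example-corp.com",
}
# Things whaling emails typically ask for, and the urgency pressure they use.
SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|payroll|bank details|invoice)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|today|right away|before (noon|eod|close of business))\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Collect the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> dict:
    """Return {'score': int, 'findings': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display-name impersonation: an executive's name on the wrong address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with {addr}, expected {expected}")

    # 2. Lookalike sender domain: close to the corporate domain but not equal.
    if from_dom and from_dom != CORP_DOMAIN and levenshtein(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Reply-To routes replies away from the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} differs from From domain {from_dom}")

    # 4. Content: asks for sensitive data, with or without urgency pressure.
    text = (msg.get("Subject", "") + "\n" + body_text(msg))
    if SENSITIVE.search(text):
        findings.append("asks for sensitive financial/HR data")
        if URGENCY.search(text):
            findings.append("urgency pressure")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real traffic).
WHALING = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: finance@example-corp.com
Reply-To: Jane Doe <ceo.janedoe@webmail-example.net>
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Hi, I need the wire transfer details for the Acme invoice today before EOD.
I'm in meetings all day, so just reply here.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Can you drop the Q3 board deck into the shared drive when it's ready? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING), ("legit", LEGIT)):
        print(label, triage(sample))
```

Anything with a non-zero score is a candidate for the out-of-band confirmation described in the tips below, not an automatic block: a genuine executive mailing from a personal account on a weekend will trip the first check too. Run alongside DMARC enforcement on the corporate domain, which removes the exact-domain spoofing case these heuristics do not need to cover.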
So if I’m going to get these emails what should I do?
The good news is that while your spam filters probably won’t catch whaling emails, there are a few simple tips you can pass on to executive users at your company that will protect them:
- Confirm the “sender” really sent the email: Whaling attacks use real names, and either a lookalike address or a genuinely compromised account, to get you to send confidential information. If you get an email asking for something that seems out of the ordinary or looks suspicious, pick up the phone or walk down the hall and talk to the apparent sender. Confirm that they really sent the email and really need that information. Don’t simply reply to the email: the account may be compromised, or a Reply-To header may route your answer straight to the attacker.
- Don’t send important documents over email: The goal of most whaling emails is to get you to email sensitive information to the whaler. To protect against this, set a policy that important documents are shared through access-controlled shared storage like Google Drive or Dropbox, handed over on physical media like a USB drive, or printed out and given face to face. Whaling attacks won’t work if no one will send the information criminals need over email.
- Use multi-factor authentication: Another good way to prevent someone from sending email as an executive is to require a second factor in addition to the password on the executive’s mailbox. Most two-factor setups verify your identity through your phone, so a whaler who has phished or guessed the password still cannot log in and send from the real account without access to that phone. Note that this protects against account takeover only; an email sent from a lookalike domain never touches the executive’s account, so the first two tips still apply.
For more tips, see our free IT Pro's Guide to Endpoint Protection.
INFOSEC NEWS YOU CAN USE
New research from the Ponemon Institute indicates the frequency and severity of malware attacks has increased "dramatically" since 2011, while 81% of survey respondents say employee mistakes pose the biggest threat. — Information Week
The surprise is that so many of the professionals polled thought it [compliance] would also effectively protect them from data breaches. — CSO Online
Since 2013, hackers have hit departments in at least seven states. Last year, five police and sheriff's stations in Maine were locked out of their records management systems by hackers demanding ransoms. — NBC News
Although the passwords in the breach were hashed, they were done so with the notoriously weak MD5 algorithm, meaning that plenty of the passwords could be figured out with the use of online tools. — Motherboard
Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords. — DarkReading.com