Catching a big phish instead of multiple small ones
Phishing brought to the next level with your Instagram account
Nowadays we know that phishing in any of its forms can be extremely effective. By tricking their victims into believing their stories, adversaries can potentially gain access to sensitive data, workstations and potentially your organisation’s network. As phishers can easily duplicate existing websites and emails, the scenarios look better than ever. However, adversaries are now taking a turn to catch a few big phishes, instead of many small phishes. By leveraging real-life relationships and information that can be found online, phishers are now targeting organisation’s management directly in so called whaling attacks.
Information everywhere, personalise everything
Where cyber, increasingly meets the human factor, whaling is a perfect reason as to why many cyber incidents include phishing attacks. Whaling is a form of spear phishing, where mostly high value targets in an organisation receive highly targeted and personalised phishing emails. The beauty of these attacks comes from the information that it is based on. So how do adversaries get this information you might ask? The answer is as simple as it is trivial; we collectively give it to them!
Imagine you are for example a financial manager and you receive an email from your boss requesting you to do something for him. Of course you are intrigued, because it is your boss! But, your boss would never ask you straight away to change the bank account number for a big transaction right? Most likely, he wouldn’t. So far looks like a simple phishing attack you will recognize straight away. But now imagine that your company had some negative publicity last week. Also you are close with your boss and you had him and his wife over for dinner yesterday. Needless to say you posted on Twitter and Instagram about the dinner party you and your boss had.
Now imagine the same request from your boss. However, he first puts everything down on your personal relationship. Then, in relation to the recent news he asks you to quickly change the account number to prevent any further negative publicity about the company. Would you still think twice before acting?
The assumption here is that an adversary wouldn’t know any of this information, it might even be convincing enough to not to think about it twice. Who knows, maybe if you do a good job and everything is back to normal he will be so grateful. Little did you know that you not only funded the adversaries, but you also facilitated their cyber-attack onto the corporate network as you kindly launched their custom malware attached to the email.
“Dear John, Thanks again for the lovely dinner yesterday. We had a great time, and the food was lovely. Also great seeing your wife and daughter Lizzy, boy did she grew fast since last year!”
“In line with the recent publicity we got, I’d like to ask you to please change the account number for future transaction immediately. This to prevent us from getting the blame for all of this mess.”
So where do adversaries get all this information? Simple, Social media and networking websites. Places like YouTube, your organisations’ website, a marketing website, a hacked database with your personal information in it, maybe even your organisation’s own IT infrastructure, your company’s IP-ranges and the outdated software on the forgotten server that will give adversaries access to your corporate network anyway.
Do you see how a digital footprint extends from basic information about targets, to an organisation’s digital infrastructure towards a potential breach? From breadcrumbs adversaries exactly know how to identify anything about individuals and organisations. If adversaries find enough information, it doesn’t matter anymore if the whaling attempt fails. Of course, it would have been easier to get in with a little help from the inside. But if all else fails, adversaries might use some ‘old-school’ hacking to get onto your network.
So do you know your digital footprint? And do you know your organisation’s Internet exposure? Let us see if I can find the same information, or maybe even more about you. If you ask us kindly, we might also whale some targets, execute malware on your systems and test your physical and IT security measures. But do you think you are already secure?