SMX issues security alert on spear phishing and whaling attacks
07 September 2015, Auckland. SMX – the largest local provider of cloud email security services – has issued a security alert to its customers and
partners following increasing incidents of highly sophisticated targeted email fraud (aka ‘spear phishing’) and
‘whaling’ attacks.
SMX’s co-founder and chief technology officer Thom Hooker says spear phishing describes a process of email fraud where
individuals are targeted within an organisation and attacked with a combination of social engineering and email spoofing
techniques to elicit funds. Whaling is where the same techniques are targeted at key senior executives, such as chief
financial officers.
He says SMX has seen live attacks unfold in real-time where, once they have a 'whale' hooked, attackers purchase brand
new domains similar to their intended victims in order to trick companies into transferring cash overseas. Attackers are
even following up with telephone calls prior to, as well as during, these attacks to further embellish the hoax.
In a blog post on the SMX website, Hooker describes a real-life example of a whaling attack on a large SMX customer. The CFO of this company received an
email purporting to be from his CEO instructing the transfer of USD$192,000 to an international bank account. The email
appeared completely legitimate, with the sender's email address displayed in the CFO’s mail client looking 100% correct.
The incoming email contained no malware or links to malicious sites that would trigger the multiple security filters in
place.
After the CFO responded, or was 'on the hook' to continue the phishing analogy, the phishing gang registered a new .com
domain name similar to the company's real domain and continued the email conversation from this new domain. That is, the
phishing gang waited until they had a whale on the line before they spent any money on embellishing their scam.
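Both tricks in this account leave traces in message headers: the first email shows a From address that looks exactly right (so the reply must be steered elsewhere, typically via a Reply-To header), and the follow-up comes from a freshly registered domain that differs from the real one by a letter or a TLD. The script below is an added example, not SMX's code or part of the blog post described here. It assumes a hypothetical organisation domain `example-corp.com` and runs over three constructed messages, flagging Reply-To/From mismatches and lookalike domains by same-name-different-TLD, small edit distance, or the brand name embedded in a longer domain.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation domain for the checks below (constructed, not from the alert).
ORG_DOMAIN = "example-corp.com"
NEAR_MISS_MAX = 2  # edit distance at or below which a domain counts as a near-miss


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_domain(domain: str, org_domain: str = ORG_DOMAIN):
    """Classify a sender domain relative to the organisation's real domain.
    Returns None for the real domain itself and for unrelated domains."""
    if not domain or domain == org_domain:
        return None
    org_name, _, org_tld = org_domain.partition(".")
    name, _, tld = domain.partition(".")
    if name == org_name and tld != org_tld:
        return "same-name-different-tld"      # e.g. example-corp.co
    if levenshtein(domain, org_domain) <= NEAR_MISS_MAX:
        return "near-miss"                    # e.g. exarnple-corp.com ("rn" for "m")
    if org_name in domain:
        return "brand-in-domain"              # e.g. example-corp-payments.com
    return None


def analyse(raw_message: str):
    """Return a list of (check, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    # A correct-looking From with replies steered to a different domain is the
    # pattern behind a "looks 100% correct" sender in the mail client.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From={from_dom} Reply-To={reply_dom}"))
    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        kind = classify_domain(dom)
        if kind:
            findings.append((f"lookalike-{header.lower()}", f"{dom} ({kind})"))
    return findings


# Constructed sample messages (not real mail).
LEGITIMATE = """From: ceo@example-corp.com
To: cfo@example-corp.com
Subject: Board pack

Attached as discussed.
"""

SPOOFED_REPLY_TO = """From: "Chief Executive" <ceo@example-corp.com>
Reply-To: ceo@example-corp.co
To: cfo@example-corp.com
Subject: Urgent transfer

Please process the attached invoice today.
"""

NEAR_MISS_DOMAIN = """From: ceo@exarnple-corp.com
To: cfo@example-corp.com
Subject: Re: Urgent transfer

Confirming the account details below.
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED_REPLY_TO),
                      ("near-miss", NEAR_MISS_DOMAIN)):
        print(name, analyse(raw) or "no findings")
```

In a real deployment the same checks would run against the organisation's own domain list and feed an alert or a quarantine rule rather than a print statement; the edit-distance threshold is a tuning knob, and short brand names need a lower one to avoid flagging unrelated domains.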
This is a really important point, Hooker says, because it demonstrates that these individuals aren't just playing a
numbers game and casting their net wide; they are identifying and targeting companies and senior individuals within
those companies and then refining their proposition based on responses from their targets.
“If the CFO involved in this scam hadn't had the presence of mind to query the reason for the request, which ultimately
led to this scam unravelling, this company would have lost a significant amount of money,” Hooker says.
“This story isn't uncommon internationally but is relatively rare in New Zealand. It highlights the importance of
security awareness training for potential whaling and spear phishing targets.”
In the security alert sent to customers and partners SMX recommends three key steps all companies and organisations should take:
1. Identify potential whaling or spear phishing targets within the organisation – these roles should include finance,
management and IT security.
2. Conduct security awareness training for all identified roles – this training should include an awareness of these
types of attacks and familiarisation with the organisation’s security policies.
3. Create and publish robust internal procedures for handling and identifying security incidents, responding to external
queries requesting information on senior company executives, and so on.
Depending on the industry, SMX advises that companies and organisations may need to conduct training across a wider
range of roles within the organisation.
The SMX security alert includes a link to full guidance on security awareness training published by the US National
Institute of Standards and Technology (NIST): http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Thom Hooker warns that the sophistication and persistence of these attacks outside the email flow mean companies
should not rely solely on computer security and algorithms to protect them. Potential whaling targets need to be aware
that criminals are undertaking sophisticated attacks right now, and to protect themselves accordingly.
Ends.