
posted by cmn32480 on Saturday December 26 2015, @09:05PM
from the moby-dick dept.

If you work in finance or accounting and receive an email from your boss asking you to transfer some funds to an external account, you might want to think twice.

That's because so-called "whaling" attacks -- a refined kind of phishing in which hackers use spoofed or similar-sounding domain names to make it look like the emails they send are from your CFO or CEO -- are on the rise, according to security firm Mimecast.

In fact, 55 percent of the 442 IT professionals Mimecast surveyed this month said their organizations have seen an increase in the volume of whaling attacks over the past three months, the firm reported on Wednesday.

Those organizations spanned the U.S., U.K., South Africa and Australia.

Domain-spoofing is the most popular strategy, accounting for 70 percent of such attacks, Mimecast said; the majority pretend to be the CEO, but some 35 percent of organizations had seen whaling emails attributed to the CFO.

"Whaling emails can be more difficult to detect because they don't contain a hyperlink or malicious attachment, and rely solely on social engineering to trick their targets," said Orlando Scott-Cowley, a cybersecurity strategist with Mimecast.
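Since these emails carry no link or attachment, the headers are often the only thing a mail gateway can check. The following is an added example, not code from Mimecast or the original article, that flags the two patterns the story describes: a sender domain that is a look-alike of the organisation's own domain, and an executive's display name on an external address (plus a Reply-To pointing elsewhere). The domain, executive list and sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the organisation's domain and the executives a whaling mail impersonates.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat lee": "pat.lee@example.com", "sam cruz": "sam.cruz@example.com"}
# Character swaps commonly used in look-alike domains (rn/m, vv/w, 0/o, 1/l).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def normalize(domain):
    """Collapse confusable sequences so a look-alike compares equal to the real domain."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message):
    """Return the whaling indicators found in the From and Reply-To headers.
    Exact-domain spoofing is not detected here; that is what SPF/DKIM/DMARC alignment is for."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain != INTERNAL_DOMAIN and (normalize(domain) == INTERNAL_DOMAIN
                                      or edit_distance(domain, INTERNAL_DOMAIN) <= 2):
        reasons.append("lookalike-domain")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive-display-name-external")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append("reply-to-mismatch")
    return reasons

# Constructed sample messages (not real mail): a whaling attempt and a genuine internal note.
SAMPLE_WHALING = ("From: Pat Lee <pat.lee@exarnple.com>\nReply-To: pat.lee@webmail-invalid.test\n"
                  "Subject: Urgent wire transfer\n\nPlease transfer the funds today.\n")
SAMPLE_LEGIT = "From: Pat Lee <pat.lee@example.com>\nSubject: Board minutes\n\nAttached.\n"
```

A gateway would normally act on these indicators by tagging the message as external (the highlight one commenter below relies on) or routing it for review rather than blocking outright.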



  • (Score: 4, Informative) by TheRaven on Saturday December 26 2015, @09:24PM

    by TheRaven (270) on Saturday December 26 2015, @09:24PM (#281277) Journal
    There's a similar scam going on with conveyancing solicitors. If they can work out the name and email address of someone who is buying a house and their solicitor (often easy, if you've compromised someone's email account) then they'll send an email purporting to be from the person selling the house (or from their conveyancer), telling the buyer's solicitor that the account that they should send the money to has changed. The buyer's solicitor then sends the money for the deposit to the scammers and not to the seller, the scammers walk off with a few tens of thousands and the house sale falls through. The scam only has to work a few times to be very lucrative...
    --
    sudo mod me up
    • (Score: 2) by Thexalon on Saturday December 26 2015, @09:49PM

      by Thexalon (636) on Saturday December 26 2015, @09:49PM (#281285)

      Wouldn't that be relatively easy to track after the fact? I mean, the victims have the account number for the scammers, and it would seem like it would not be a stretch to figure out "Hey, a fraud has been committed here. Hey bank, who was that guy?"

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 0) by Anonymous Coward on Saturday December 26 2015, @09:55PM

        by Anonymous Coward on Saturday December 26 2015, @09:55PM (#281288)

        Wouldn't that require that you first know their NNA identification number?

      • (Score: 0) by Anonymous Coward on Saturday December 26 2015, @11:33PM

        by Anonymous Coward on Saturday December 26 2015, @11:33PM (#281311)

        Sure you can get the first person, who is likely a mule off of Craigslist. But then you have to find out who they sent it to, and that might be another mule or an offshore account which is under a different jurisdiction. There is only so much the Feds can do to trace money like that.

      • (Score: 3, Interesting) by bziman on Sunday December 27 2015, @02:41AM

        by bziman (3577) on Sunday December 27 2015, @02:41AM (#281350)

        Wouldn't that be relatively easy to track after the fact? I mean, the victims have the account number for the scammers, and it would seem like it would not be a stretch to figure out "Hey, a fraud has been committed here. Hey bank, who was that guy?"

        Outside of the United States, you don't have to submit a blood sample and a first born child to open an account capable of receiving a wire. Even in the United States, it is easy enough to fake the required documentation to open an account. The trick is you only have the account open long enough to receive funds from all of your scams over the course of a day or two, and then you transfer the money out to another account where you have the money converted to a cashier's check or cash or whatever. If you run the money through a country with poor controls, and you make off with the money before anyone has bothered to investigate the accounts, you can get away with this.

  • (Score: 0) by Anonymous Coward on Saturday December 26 2015, @09:55PM

    by Anonymous Coward on Saturday December 26 2015, @09:55PM (#281289)

    It pisses me off every time I sign up for a bank account, the user agreement says something to the effect:

    You agree that messages delivered by e-mail are not secure. As a result, you must use our secure web-site instead.

    Why the hell not?
    There is even more [openpgp.org] than one [office.com] standard for signing or encrypting e-mail (SHA-1 weakness aside).

    • (Score: 1, Insightful) by Anonymous Coward on Saturday December 26 2015, @10:09PM

      by Anonymous Coward on Saturday December 26 2015, @10:09PM (#281291)

      I suppose S/MIME may not mitigate close domain attacks. If you know an organization using it internally, you can make your phishing message even more convincing by signing it with a similar-looking domain. That may produce a paper trail though.

    • (Score: 2) by wonkey_monkey on Saturday December 26 2015, @10:13PM

      by wonkey_monkey (279) on Saturday December 26 2015, @10:13PM (#281295) Homepage

      There is [...] more than one standard

      Well, there's the first problem...

      --
      systemd is Roko's Basilisk
    • (Score: 2) by AndyTheAbsurd on Saturday December 26 2015, @10:24PM

      by AndyTheAbsurd (3958) on Saturday December 26 2015, @10:24PM (#281296) Journal

      Because a very large proportion of the population is either unable or unwilling to use secure e-mail. (I could even argue that a considerable proportion of them are incapable of understanding what "secure" means in this sort of technical context.)

      --
      Please note my username before responding. You may have been trolled.
      • (Score: 0) by Anonymous Coward on Saturday December 26 2015, @11:28PM

        by Anonymous Coward on Saturday December 26 2015, @11:28PM (#281310)

        Maybe the banks should just provide an email service to all customers, with enforced PGP. All bank statements and online bills get sent there. Have to login to bank's website to use it. Etc.

      • (Score: 3, Insightful) by Anonymous Coward on Saturday December 26 2015, @11:53PM

        by Anonymous Coward on Saturday December 26 2015, @11:53PM (#281315)

        > Because a very large proportion of the population is either unable or unwilling to use secure e-mail.

        And that is not their fault at all. The user experience for all of these implementations is shit. It's like trying to drive a car with reins instead of a steering wheel - it can be done at very low speed, but trying to use it as your primary mode of transport and it quickly moves beyond the ability of a mortal human to use safely. Widespread adoption of secure messaging absolutely requires a comfortable user interface.

  • (Score: 3, Insightful) by AndyTheAbsurd on Saturday December 26 2015, @10:26PM

    by AndyTheAbsurd (3958) on Saturday December 26 2015, @10:26PM (#281298) Journal

    Anyone who's taking this sort of direction over e-mail, and not walking over to/calling up the boss and double-checking this sort of thing, deserves to get fired for stupidity.

    So basically what I'm saying is that the solution for social engineering attacks is social checksumming.

    --
    Please note my username before responding. You may have been trolled.
    • (Score: 2) by The Archon V2.0 on Saturday December 26 2015, @11:08PM

      by The Archon V2.0 (3887) on Saturday December 26 2015, @11:08PM (#281305)

      If only we had that level of control. We got hit with a whaling attack two weeks ago. At least (I'm not completely in the loop) four high-ranking members of the finance department got hit. Three reported the e-mail or spam-binned it because they had the brain to realize the CEO didn't change writing style/"accent" since his speech to them the day before. Or maybe they saw that the special highlight next to internal e-mail addresses wasn't there. Or maybe they got up and walked the 50 feet to ask him.

      The fourth sent our BYOD iPhone/Android support guys an e-mail saying she'd been getting e-mails from the CEO but his instructions were getting confusing and she needed help.

      Well, I suppose we know IT's ticket escalation rules are working, if that got where it needed to go....

    • (Score: 0) by Anonymous Coward on Saturday December 26 2015, @11:23PM

      by Anonymous Coward on Saturday December 26 2015, @11:23PM (#281307)

      Anyone who's taking this sort of direction over e-mail, and not walking over to/calling up the boss and double-checking this sort of thing, deserves to get fired for stupidity.

      Just don't videochat with your boss to double-check, because now that can be faked too. [educationaltechnology.ca]

  • (Score: -1, Offtopic) by Anonymous Coward on Saturday December 26 2015, @10:35PM

    by Anonymous Coward on Saturday December 26 2015, @10:35PM (#281301)

    Well, off topic, but there used to be native whales off the coast of whaling Japan.
    Now they have to cross the equator to find fatty meat for the non-nuclear night lamp

  • (Score: 0) by Anonymous Coward on Saturday December 26 2015, @11:53PM

    by Anonymous Coward on Saturday December 26 2015, @11:53PM (#281316)

    The email really did come from your boss? I've seen some crafty stunts from bad bosses screwing the company. Some are really good, shuffling paperwork, transposing numbers, fake customers, refunds to friends, etc.

  • (Score: 0) by Anonymous Coward on Sunday December 27 2015, @02:26AM

    by Anonymous Coward on Sunday December 27 2015, @02:26AM (#281348)

    Seems like this problem could be lessened by having an intranet with an in-house mail service, and sending all internal e-mails over that. Trouble is, it would require an IT staff to maintain the thing.

  • (Score: 1) by anubi on Sunday December 27 2015, @06:47AM

    by anubi (2828) on Sunday December 27 2015, @06:47AM (#281388) Journal

    I have been an advocate of computer security since I got my first ANSI bomb and realized how dangerous it was to mix code and data.

    A lot of that has been directed toward privacy, as personal data in the wrong hands results in precisely the kind of "social engineering" this topic is all about.

    This is why I have been so reticent about visiting sites requiring me to disable popup blockers and require me to enable javascript, when I know good and well how many times I have had things like remote-access-trojans (RATS), potentially unwanted programs (PUPS), keyloggers, and other craplets uploaded to my machine through scripts.

    I note how fast our Congress penned law to hold US accountable for things like copyright violation ( DMCA ), yet continue to let the businessman off the hook for his carelessness by continuing to consider the hold harmless clauses in EULAs to be valid. A congressman after my own heart would have required businesses to drop the hold harmless crap in exchange for the DMCA enforcement stick. But that would have required a Congressman to disappoint a Lobbyist, and that just ain't gonna happen with today's lot of Congressmen.

    In a way, I am glad to see this happen - especially to bankers - as it will illustrate the point we have been trying to tell them about. I understand they have business backgrounds, steeped in obedience to authorities, whereas people like me have a technical background and know machines are absolutely no respecter of people's authority and are bound by no man's law. They simply do as they are told, and if you are careless and let the wrong people tell them what to do, the machine will happily do just that - no matter what the machine's owner thinks of it.

    As business tries to subordinate their people to "work like clockwork" ( again, a machine ), the whole organization begins succumbing to the very weakness machines have: blindly following instructions.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by darkfeline on Sunday December 27 2015, @01:09PM

      by darkfeline (1030) on Sunday December 27 2015, @01:09PM (#281424) Homepage

      In Soviet Russia, what you sow reaps you.

      --
      Join the SDF Public Access UNIX System today!