According to Clint Boulton, senior writer at CIO, fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees into wiring money or sending sensitive documents to accounts the fraudsters control. The CTO of the Boston Celtics, for one, is fighting back.
A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cyber security practices to contend with various zero-day attacks. Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.
Jay Wessland, CTO of the Boston Celtics.
"We have seen a few of those," says Jay Wessland, CTO of the Boston Celtics. He says a typical example he's seen involves someone pretending to be the CEO or CFO who emails a high-level employee in the finance department asking them to wire money or send W2 tax forms. He says whaling attacks, a form of business email compromise also known as "CEO fraud," have increased over the past few months.
FBI says whaling is becoming big trend
Whaling is becoming a big enough issue that it has landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $2.3 billion in losses over the past three years. Victims have been identified in every U.S. state and in at least 79 countries. The FBI said that it has seen a 270 percent increase in identified victims and exposed losses from CEO scams since January 2015. For example, Mattel lost $3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.
Unlike typical phishing or spearphishing scams, in which an attacker typically includes a malicious URL or attachment, whaling is a pure social engineering hack targeting relationships between employees, says Steve Malone, director of security product management at Mimecast. Whaling fraudsters either gain access to an executive's email inbox, or email employees from a fake domain name that appears similar to the legitimate domain name. They ask the intended recipient to take some action, such as moving money from a corporate account to an account the fraudster has set up, Malone says.
Often, the language and phrasing of the email request are designed to sound similar to those that might come from CEOs, CFOs and finance staff. The note may begin with a simple greeting, such as "Hello, how are you," and inquire if the recipient is in the office, a seemingly natural query. Then they'll ask the potential victim to trigger a money transfer, issue a bank payment, or email a W2 or some other sensitive document. "There's no way to spy that as bad," Malone says. "The content is human-written so a spam filter won't pick it up and it's hard to detect because there are no links or attachments."
Wessland says such attacks are impossible to pick up with basic spam-filtering technologies, noting that hackers will simply keep creating new fake domains from which to send their targeted messages. "You have to inspect the header of mail more intimately," says Wessland, who is responsible for safeguarding 200 employee email inboxes.
Throwing a net around the whaling problem
Vendors such as Microsoft, Proofpoint, Cloudmark and Mimecast are building tools to help companies defend against these attacks. Mimecast, which makes cloud software designed to spot and quarantine phishing emails with malicious attachments and URLs, has just launched a tool designed to harpoon whaling. Called Impersonation Protect, the software's algorithms analyze the language content of emails as they come in through a corporate server. It looks for key indicators, beginning with whether the sender's display name belongs to someone who actually works for the company.
The software will then parse the email content for requests that include keywords and phrases such as "W2" or "wire transfer," and provide a probability score that a target email is either safe or malicious. "One indicator in isolation is not bad, but two together could be fishy," Malone says. A third indicator, and one unlikely to be caught by one of the corporate employees, is that the attackers will register a domain similar to the victim company's name. For example, an attacker trying to spoof Mimecast employees might register the lookalike domain "Minecast" and send email from it. CIOs can set policies in Impersonation Protect, programming it to reject suspicious mail or quarantine it for review, Malone says.
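The three indicators described above (an executive's display name on a mailbox that is not theirs, a lookalike sender domain, and a request for money or tax documents) can be combined into a simple score. The following is an added illustration, not Mimecast's code or Impersonation Protect's algorithm; the domain, executive list, keywords and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example (not from the article)
OUR_DOMAIN = "example.com"
EXECUTIVES = {"pat cfo": "pat.cfo@example.com"}   # display name -> real mailbox
KEYWORDS = ("w2", "wire transfer", "urgent")

# Constructed sample whaling message: executive name, one-character-off domain
SAMPLE = """From: Pat CFO <pat.cfo@examp1e.com>
To: bookkeeper@example.com
Subject: quick request

Hello, how are you? Are you in the office? I need you to send a wire transfer
today and forward the W2 forms for our staff.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains flag lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> dict:
    """Return which indicators fired and a combined score (one point each)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload().lower()
    hits = {}
    # Indicator 1: display name is an executive's, but the mailbox is not theirs
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        hits["exec_name_wrong_mailbox"] = addr
    # Indicator 2: sender domain is a near miss of our own (e.g. one char changed)
    if domain != OUR_DOMAIN and 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        hits["lookalike_domain"] = domain
    # Indicator 3: body asks for money movement or tax documents
    found = [k for k in KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", body)]
    if found:
        hits["sensitive_request"] = found
    return {"indicators": hits, "score": len(hits)}
```

A single indicator is only a hint, as Malone notes; a policy would quarantine at a score of two or more and let a reviewer decide.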
The Celtics' Wessland says he will begin using Impersonation Protect in conjunction with Mimecast's URL and attachment-protection software this month. "Hopefully the automated tool will detect a lie and block or quarantine it and I can go and review it," Wessland says.
How afraid is Wessland of whaling attacks? About as afraid as he is of any other cybersecurity threat or targeted attack. He says he uses a number of desktop antivirus, gateway antivirus and application security tools to fend off attackers. "No matter what you do there always seems to be things that happen and that's a concern," Wessland says. "All of those things keep me up at night."