28 Jan 2020

Whaling can be a GRUsome Affair

It’s an election year, so it should come as no surprise that Russian military hackers are ramping up their efforts to wreak havoc on US elections. The NY Times reported on Jan 15 that hackers from a shadowy intelligence unit called GRU have been trying to gain access to Burisma, the Ukrainian gas company at the heart of the current impeachment trial. While it is not yet clear what the hackers found, it is likely they were trying to dig up potentially damaging info on Joe Biden and/or his son, Hunter. Very similar tactics were used during the last presidential campaign with regard to the hacking of DNC emails.

So how exactly are these hacks carried out? The answer is spear phishing. And what is spear phishing? Spear phishing uses fraudulent email messages specifically targeting higher-ups within an organization: CEOs, CFOs and others who have access to highly sensitive information.

According to the Times, the hackers set up fake websites that looked almost exactly like the sign-in pages of Burisma subsidiaries. They sent emails pointing to these pages to key executives, along with email blasts to more rank-and-file employees.

Unfortunately, someone at Burisma took the phish bait and logged in via one of these fraudulent pages, which gave the hackers access to a lot of potentially sensitive information. Considering how relatively inexpensive and easy it now is to execute one of these phishing campaigns, and the gazillions of people that are available to trick, those in a position to guard sensitive computer systems and client or financial data should take heed.

But most of us are not high profile enough for foreign governments to care about what we know or have access to. What we need to worry about is something far trickier: very clever Internet thieves going after a bigger prize using trickery called “whaling”. No, Internet Whaling is not something out of a Melville novel. This is a very clever email impostor scheme that is very difficult to detect and that targets a company’s accounting, HR, and payments staff or those that can request payments to be made.

These thieves have figured out that with a little bit of research using LinkedIn recruiter tools, they can map the hierarchy and positions within companies. They will then send specific staff emails that look like they are coming from their boss or boss’ boss, asking them to do some basic task that, after a few back-and-forth emails, often results in a request for a (fake) invoice to be urgently paid by wire transfer or for electronic coupons to be purchased (supposedly for client gifts).

It is fantastically successful, as many of these staffers, after an informal email exchange with the hacker posing as the boss, quickly respond to what appear to be urgent internal requests.

A few years ago, the FBI reported that staffers in the US had mistakenly wired $1 billion to these thieves or set up auto-billing that would send recurring payments on fake invoices. Today, in the US alone, the total is north of $5 billion!

And, there is no end in sight to hacker innovation!

The latest… Rather than targeting one staffer to get one payment sent, these creative cyber thieves are identifying the billing contacts that regularly send invoices to client payment contacts. Armed with purchased or stolen client lists, they contact the target company’s clients and send out a mass notice that the payment address has changed. They then ask the clients to update their payment systems where, you guessed it, the updated payment address directs funds from client invoices to the Internet thief’s account. This is very successful, especially when the thief intercepts invoices sent by unencrypted email, changes the payment details and then forwards them along to the client looking as if they are coming from the familiar billing contact.
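The two tactics above (a message that looks like it comes from the boss, and a notice that payment details have changed) leave signals a mail filter can check. The following is an added example written for this post, not RPost’s or RMail’s own detection code; the corporate domain, the executive directory and the sample messages are all constructed assumptions.

```python
"""Flag whaling-style impostor messages using three simple heuristics:
  * display name matches a known executive but the address is off-domain,
  * Reply-To points to a different domain than From,
  * the body asks to change payment details or urges a wire / gift-coupon purchase.
The domain, directory and sample messages below are constructed for this example."""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"            # assumed corporate domain
EXECUTIVES = {"jane doe", "john roe"}  # assumed executive directory (lowercase)
PAYMENT_CUES = re.compile(
    r"(payment|remittance|bank)\s+(address|details|account).{0,40}(chang|updat)"
    r"|wire transfer|gift (card|coupon)s?",
    re.IGNORECASE,
)

def whaling_indicators(headers, body):
    """Return the names of the indicators triggered by one message."""
    hits = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Boss impersonation: executive's name on a non-corporate address
    if from_name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        hits.append("exec-name-external-address")
    # Replies silently routed to the impostor's mailbox
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.rpartition("@")[2].lower() != from_domain:
            hits.append("reply-to-domain-mismatch")
    # Payment-redirection or urgent wire / coupon language in the body
    if PAYMENT_CUES.search(body):
        hits.append("payment-change-or-wire-request")
    return hits

SAMPLES = [  # constructed messages: one benign, one boss impostor, one payment-change notice
    ({"From": "Jane Doe <jane.doe@example.com>"}, "Can you send me the Q1 numbers?"),
    ({"From": "Jane Doe <janedoe.ceo@webmail.example>"},
     "Are you at your desk? I need a wire transfer done urgently today."),
    ({"From": "Billing <billing@example.com>", "Reply-To": "billing@example-pay.net"},
     "Please note our bank account details have changed; update your payment systems."),
]

def scan_samples():
    """Run the check over the constructed samples; returns one hit list per message."""
    return [whaling_indicators(h, b) for h, b in SAMPLES]
```

Heuristics like these are a first-pass triage signal, not proof of fraud; a flagged payment change still needs out-of-band confirmation with the known contact.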

Tech Essentials was the first to identify these hacker tactics (click to read our original article on whaling); and RPost was the first to develop a specialized anti-whaling detection service that runs inside Microsoft Outlook when the RMail email security add-in is installed. This anti-whaling technology is enabled by default at no extra cost.

Additionally, Tech Essentials recommends sending invoices using RMail encryption to minimize risk of interception.

You can install the free RMail for Outlook with RMail’s encryption and Anti-Whaling technology enabled now and protect your organization from whaling attacks. And feel free to review RPost Tech Essentials’ past blog posts and videos discussing anti-whaling in more detail.

Zafar Khan
Chief Executive Officer, RPost
Tech Essentials Author

Try RMail at no cost, with no credit card needed (click for your Gmail or Outlook RMail app).