Whaling: The Hunt for High Profile Business Targets

What are whaling attacks?

“Whaling” attacks, also called Business Email Compromise (BEC), are a newer form of phishing attack. Phishing attacks consist of messages sent to would-be victims that try to deceive them into clicking malicious links, or opening an attachment that contains malware. Phishing attacks have evolved drastically, in part due to growing awareness of such threats.

Spear phishing attacks are designed to target specific victims, as opposed to simply casting a wide net. Spear phishing often uses domains that are almost identical to real domains that are in constant contact with the victims, in an attempt to make the victim believe the phishing attempt is a valid correspondence.

A form of elaborate spear phishing, whaling usually targets c-level executives, i.e. the “big fish.” Usually, perpetrators send emails to a company’s CFO masquerading as legitimate correspondence from the CEO. Typically the messages request that the CFO transfer money to a specific bank account. When the scheme is finally uncovered, the money is long gone.

Where did these attacks come from?

Whaling attacks evolved from online banking frauds, which are a far simpler type of cybercrime. In banking frauds, the attacker steals a victim’s banking credentials and uses them to transfer small amounts of money. This form of attack was infamously used by the Russian and Nigerian mafia for nearly a decade.

Their modus operandi was to systematically target as many private users as possible and steal a small amount from each one, knowing that banks wouldn’t authorize large funds transfers from private customers. This was a very successful operation at first. Over time, both banks and users gradually became more aware of the threat and implemented stricter security measures, such as multi-factor authentication and IP monitoring to mitigate, but not eliminate,  these attacks.

Attackers realized that the effort needed to overcome these complex security measures was not worthwhile, as the return on investment was relatively low. As a result, phishing attack methods became more sophisticated and targeted, leading to the development of whaling attacks.

Given their highly targeted nature, whaling attacks require a relatively long and extensive reconnaissance phase, because so much information about the target company is needed. However, when they are successful, they yield far greater profits, as these “big fish” regularly make money transfers worth millions of dollars.

How are such attacks performed?

The following examples demonstrate the reality of this threat and how easily large companies can fall victim to such schemes. If you think you wouldn’t – wait until you read the below details from the Check Point Incident Response Team.


Stories from the Check Point Incident Response Team:

The Ubiquiti Networks case

In June 2015, Ubiquiti Networks Inc., a network technology company with a market cap of over $2 billion, was the victim of a whaling scam. In total the company was defrauded out of $46.7 million. According to Ubiquiti, “The incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”

The company’s employees were tricked by the attackers, who used domains intended to look like the originals with only minor differences, such as adding a letter or punctuation. In addition, the attackers used fake email addresses. The Ubiquiti employees, who assumed they were getting legitimate transfer orders from their superiors, complied with the requests and transferred the money. Ubiquiti later managed to retrieve $8.1 million, but the overall damage was extensive.

The AFGlobal Corp. case

The AFGlobal Corporation case is relatively new public knowledge, and made headlines due to AFGlobal’s suit against its cyber-insurance provider over damages caused by the attack. The attack began with an email sent to the company’s accounting director, claiming to be from the CEO. The mail informed the accounting director that he was assigned to deal with a confidential file, and asked if he was contacted by a person named Steven Shapiro. The mail also instructed him not to discuss the issue with anyone else, and to communicate only via that email address, due to the file’s confidential nature.

The email was followed by a phone call and email from the alleged Steven Shapiro, telling the senior accountant to transfer $480,000 to a bank in China, supposedly needed for an acquisition. The accountant unsuspectingly followed through and sent the funds. A week later, he received a request to transfer an additional $18 million using the same email address, upon which he became suspicious, and the scheme was revealed.

Whaling – a growing and imminent threat

According to an FBI report, whaling attacks between October 2013 and February 2016 reached an astonishing cost of more than $2.3 billion, with 17,642 victims. These are almost unbelievable numbers, which emphasizes the seriousness of these attacks. As a comparison, an FBI report covering the time period from October 1, 2013 to December 1, 2014 stated a total loss of more than $200 million and 2,126 victims. While also a significant amount of money, it is clear there has been enormous growth both in the number of victims and in the damage caused in recent years. From January 2014 to August 2015 alone the rate of these attacks has almost tripled. In fact, the FBI issued an official alert regarding whaling attacks in June 2015. But, this is clearly not enough to stem the flow.

How can businesses deal with this threat?

As scary as these attacks sound, there are several security measures that can help you avoid them.

  • White and black listing. Security vendors create blacklists of fake domains, C&C servers, and any other unique identifier for known attacks. Once an email from a fake domain reaches you, a security warning will appear. Whitelists are created using similar, though reversed, concepts. They contain only trusted domains that will be permitted.
  • More comprehensive authentication solutions. Multi-factor authentication is the best and makes it much harder for perpetrators to steal certifications or impersonate legitimate users to infiltrate your systems.
  • Behavioral detection. This method is based on machine learning patterns of behavior in an organization and detects anomalies in the pattern, which may be caused by phishing.
  • Reduce the information flow. Try to minimize the information you publish regarding your employees and planned future transactions. Attackers can easily use such information to make their phishing attempts appear authentic.
  • More rigorous policies. Implement strict and clear policy measures that state exactly who is allowed to order transactions and what kind of authentication is needed for such an order. By putting these procedures in place and effectively communicating them to all employees (only), you can minimize the possibility of an outsider successfully infiltrating your company’s accounts.