
SMX warns Kiwi companies of 'highly sophisticated' email scam

07 Sep 2015

Cloud email security firm SMX is warning its customers and partners about a security issue following increasing incidents of highly sophisticated targeted email fraud (aka ‘spear phishing’) and ‘whaling’ attacks.

Spear phishing describes a process of email fraud where individuals are targeted within an organisation and attacked with a combination of social engineering and email spoofing techniques to elicit funds. 

Whaling is where the same techniques are targeted at key senior executives, such as chief financial officers.

Thom Hooker, SMX’s co-founder and chief technology officer, says SMX has seen live attacks unfold in real time where, once they have a 'whale' hooked, attackers purchase brand new domains similar to their intended victims' domains in order to trick companies into transferring cash overseas.

He says attackers are even following up with telephone calls prior to, as well as during, these attacks to further embellish the hoax.

In a blog on the SMX website, Hooker describes a real-life example of a whaling attack on a large SMX customer. The CFO of this company received an email purporting to be from his CEO instructing the transfer of USD$192,000 to an international bank account. The email appeared completely legitimate, with the sender's email address displayed in the CFO’s mail client looking 100% correct. The incoming email contained no malware or links to malicious sites that would trigger the multiple security filters in place.

After the CFO responded, or was 'on the hook', the phishing gang registered a new .com domain name similar to the company's real domain and continued the email conversation from this new domain. 

That is, the phishing gang waited until they had a whale on the line before they spent any money on embellishing their scam.

Hooker says this demonstrates that these individuals aren't just playing a numbers game and casting their net wide; they are identifying and targeting companies and senior individuals within those companies and then refining their proposition based on responses from their targets.

“If the CFO involved in this scam hadn't had the presence of mind to query the reason for the request, which ultimately led to this scam unravelling, this company would have lost a significant amount of money,” says Hooker.

“This story isn't uncommon internationally but is relatively rare in New Zealand. It highlights the importance of security awareness training for potential whaling and spear phishing targets.”

In the security alert sent to customers and partners, SMX recommends three key steps all companies and organisations should take:

  • Identify potential whaling or spear phishing targets within the organisation – these roles should include finance, management and IT security.
  • Conduct security awareness training for all identified roles – this training should include an awareness of these types of attacks and familiarisation with the organisation’s security policies.
  • Create and publish robust internal procedures for handling and identifying security incidents, responding to external queries requesting information on senior company executives, and so on.

Depending on the industry, SMX advises that companies and organisations may need to conduct training across a wider range of roles within the organisation.

Hooker warns that the sophistication and persistence of these attacks outside of the email flow means companies should not rely solely on computer security and algorithms to protect them. 

“Potential whaling targets need to be aware that criminals are undertaking sophisticated attacks right now and to protect themselves appropriately,” he says.
