Whaling attack, when criminals think they are Captain Ahab

The whaling attack is a phishing attack that targets corporate executives to obtain critical information or commit large-scale fraud

Many cybersecurity concepts have their origins in centuries-old human practices. One such term is whaling, a fishing activity with an ancient tradition that today also refers to a malicious practice: launching social engineering attacks targeting corporate executives.

Whaling is a sophisticated variant of phishing, the type of social engineering most commonly used by malicious actors. The concept of phishing originates in a play on the verb "fishing": criminals launch campaigns (as if they were fishing nets) to deceive people and companies and see how many of them bite. While phishing aims to catch all kinds of people, whaling only targets the "big fish" in companies.

So the criminals behave as if they were Ahab, the captain obsessed with hunting Moby Dick, the most famous whale in history created by the novelist Herman Melville.

Instead of using harpoons to catch their victims, malicious actors impersonate companies trusted by their victims and send them emails to establish a communication relationship that allows them to achieve their goals: to get the victim to access a malware-infected website, download an infected document, perform a specific action or provide confidential information.

Below, we will unpack the keys to whaling and how to deal with a threat that can be difficult to detect, even more so since the emergence of generative AI.

A type of targeted phishing where preparation is critical

In whaling, unlike in basic phishing campaigns, it is paramount to carry out prior research on the victims. This applies both to the executives themselves and to their companies.

First of all, a victim must be chosen. What factors are taken into account? The characteristics of the company in which they work, as well as the objectives of the attack.

Secondly, the victim must be investigated to obtain as much information about them as possible. To do this, their digital presence is tracked. Data is sought on corporate websites, and their profiles on social networks are consulted, especially those with a professional focus, such as LinkedIn. Basic contact details such as email addresses or even personal telephone numbers are collected.

Thirdly, the actual operation of the attack is prepared:

  • Impersonate an organisation that the victim trusts by copying the visual identity of its emails, using email addresses and URLs that appear legitimate…
  • Prepare the messages to be sent to the victim to deceive them.
  • Develop or acquire malware, if a malicious program is to be used to obtain information.
  • Create a website to redirect the victim to a page infected with malware.

Four malicious objectives of whaling

What are the objectives of malicious actors conducting a whaling campaign? These are, essentially, some of the usual objectives of cybercriminals:

  • Steal confidential information about the company: customer data, strategic information…
  • Obtain access credentials to software, networks and corporate systems.
  • Carry out financial scams by getting the executive to authorise false financial transactions. This objective relates whaling to another type of phishing: CEO fraud. However, in that technique, the manager is not the direct victim; instead, their identity is impersonated to deceive a professional who reports to them.
  • Spy on executives to obtain business secrets and sell them to competitors.

Five critical elements of a whaling attack

Why can whaling attacks be successful? This type of phishing combines five elements that make it difficult for victims to detect:

1. Appearance of reality

The appearance of the email received by the victim does not raise any suspicion because it is consistent with the visual identity of the impersonated organisation. The domain of the email does not look suspicious either, and neither does the information contained in the message. Moreover, malicious actors can also produce supposedly corporate documents that look credible. As noted above, the better the preparation for the whaling attack, the more likely it is to succeed.

2. Sense of urgency

In any whaling attack, malicious actors want their victims to take action. To ensure that this action is carried out before the victim has time to reflect on the legitimacy of the message, they seek to generate a sense of urgency. Think, for example, of a business partner who makes a manager an attractive offer to purchase a certain product or service. However, the offer has an expiration date, so the victim is asked to make an immediate bank transfer.

3. Insistence on confidentiality

Many business transactions must be carried out discreetly, so a request for confidentiality is not unusual and does not set off alarm bells for the victim.

4. Reinforcement of trust

If, despite the above elements, the targeted manager is suspicious about the email exchange, criminals can supplement the use of email by making phone calls to dispel their victims’ doubts and gain their trust.

5. Bypassing anti-spam filters

Basic phishing campaigns are launched against thousands of email addresses, which is why email providers have developed filters to prevent this type of message from reaching users' main inboxes. However, detecting a whaling attack is much more complex because identical messages are not sent in large volumes.
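Because volume-based filtering does not help here, the elements above have to be checked message by message. The following is an added example, not part of the original article: a small triage check for mail addressed to executives that flags a near-miss sender domain, a Reply-To pointing elsewhere, and urgency or confidentiality wording. The trusted-domain list, the keyword patterns, the edit-distance threshold of 2 and both sample messages are constructed assumptions; plain-text, single-part mail is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: trusted partner domains, urgency/secrecy wording.
TRUSTED_DOMAINS = ("acme-bank.example", "partner-corp.example")
URGENCY = re.compile(r"\b(urgent|immediately|today|expires?|deadline)\b", re.I)
SECRECY = re.compile(r"\b(confidential|discreet|do not (share|discuss))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (1-2 edits away), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((g for g in TRUSTED_DOMAINS if edit_distance(domain, g) <= 2), None)

def whaling_signals(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    text = msg.get("Subject", "") + "\n" + ("" if msg.is_multipart() else msg.get_payload())
    checks = [
        ("lookalike-domain", lookalike_of(domain) is not None),
        ("reply-to-mismatch", bool(reply_dom) and reply_dom != domain),
        ("urgency", bool(URGENCY.search(text))),
        ("confidentiality", bool(SECRECY.search(text))),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample messages (reserved .example domains).
SAMPLE_WHALING = """From: "Acme Bank Treasury" <j.doe@acrne-bank.example>
Reply-To: j.doe@mailbox.example

This offer is confidential and expires today. Please make the transfer immediately.
"""
SAMPLE_LEGIT = """From: Acme Bank <news@acme-bank.example>
Subject: Quarterly statement

Your quarterly statement is available in the customer portal.
"""
```

A hit on any of these signals is a reason to hold the message for review or verify the request through a second channel, not proof of fraud.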

Three examples of a whaling attack

The characteristics of a whaling attack depend directly on the objectives of the malicious actors launching the attack.

Over the past few years, Tarlogic’s cyber intelligence professionals have researched this phishing technique to detect the TTPs employed by malicious actors and identify their operations. In light of their experience and the knowledge they have generated and systematised during this time, three examples of whaling attacks stand out:

  1. Malicious link. The hostile actor proposes a videoconference meeting to the victim to negotiate a contract or offer them a job. To do so, the actor sends a link that supposedly gives access to the meeting. However, the link points to malware such as ransomware or an infostealer.
  2. Transfer redirection. There have been cases in which criminals have intercepted an email conversation and impersonated one of the parties to get the victim to make or authorise a payment to the criminal's account.
  3. Request for salary information. The malicious actor asks a manager with responsibility for the company’s human resources management for information on the salaries of the organisation’s professionals. This data can be of great interest to the company and damage the company’s talent attraction and retention strategy.

Can generative AI be used to refine attacks?

The use of generative AI systems that can create text, images and audio, generate code snippets, create websites and even assist in the development of malware poses a huge risk.

This technology, so critical to our age, allows malicious actors to refine their operations and make whaling attacks more credible. It does so without requiring significant financial resources, and it reduces the time it takes to prepare attacks.

Of course, impersonation is also more difficult to detect. It is possible to clone a person's voice to impersonate them in a call and convince the victim that the exchange is genuine.

How to deal with whaling

A whaling attack can have harmful consequences both for its direct victims and the organisations in which they hold positions of responsibility, and for the companies whose identity is impersonated.

For this reason, many companies hire cyber intelligence services to combat digital fraud and detect whaling campaigns in which fake websites and domains that pretend to be legitimate are created.

In addition, all companies should take the possibility of a whaling attack seriously. If malicious actors accomplish their goals, companies face direct financial losses, data theft, hijacking or exfiltration, reputational damage, penalties and legal disputes in case the personal information of customers or employees is leaked.

Prevention and response

What can companies and their managers do to protect themselves against a whaling attack?

  1. Undergo a social engineering test that specifically tests the resilience of the organisation’s senior management to a whaling attack. This kind of security test helps raise awareness and train a company’s managers, equipping them with the necessary knowledge to detect fraudulent situations and act with caution when sharing personal or professional information through their social networks.
  2. Conduct regular web application security audits to detect, prioritise and mitigate vulnerabilities in their technological infrastructure that can be exploited by malicious actors who, for example, have managed to get a manager to download malware on a corporate computer or who wish to intercept email conversations.
  3. Have security mechanisms and policies in place to prevent fake emails from reaching the inboxes of all professionals, and of managers in particular.
  4. Have an incident response team that can act from the first minute to contain an attack, identify the compromise and expel the malicious actor before it achieves its objectives.

At the end of Moby Dick, the whale was able to drag Ahab to the deepest depths of the sea. Cybersecurity professionals have the knowledge and tools to deal with a whaling attack and protect managers and businesses from malicious actors so they fail in their journey through the corporate seas.
