"Some people can read War and Peace and come away thinking it's a simple adventure story. Others can read the ingredients on a chewing gum wrapper and unlock the secrets of the universe."- Lex Luthor “Superman” (1978).
So, what does chewing gum have to do with the secrets of the universe? If you asked yourself that question, you’re in good company because that was Eve Teschmacher's response to Luthor in the movie. That's the question we’ll be discussing in this article with the goal that you too will be able to look at that gum wrapper and uncover the secrets hidden inside.
Also, just like the Superman movies, this article will evolve into a series in which we explore various social engineering methodologies and how they have developed over time, thus furthering your understanding of the hacking universe.
In this installment that I'll call "one phish, two phish, red phish, holy crap is that a white whale?" we will examine phishing and how this technique has evolved into whaling.
What is Phishing?
Phishing is the fraudulent practice of sending emails purporting to be from legitimate companies to induce individuals to disclose private data, such as passwords and other sensitive information. The problem with this technique for the attacker is that the return on investment (ROI) can be very low.
Let me elaborate with a little story from my past. After my first company's success and sale, I wanted to get out of the tech industry. I had made my money and wanted to get into a business that was always a passion of mine - cigars. When I opened my cigar store, I was a little lost when it came to advertising. I did my research and tried a few things from TV ads to premium listings in the YellowPages (that's the phone book, for those who aren't old enough to remember). After some time, I found that none of these options brought me the return on investment that I wanted.
Then one day a salesperson from a coupon pack company came into the store and presented me with the opportunity to place an advertisement in their monthly mailer. The price was right, and I hadn't tried it, so I gave it a shot. Within a short period, I got the results I wanted: a small investment and a substantial return. It was awesome. After a few months though, the rate of new customers started to dwindle. I had hit a wall, because I was a retail shop and customers will only travel so far for a product. The rate of return on that mailing list eventually became not worth the effort/money.
That's fundamentally the issue of the phishing email lists that malicious actors use. Many of these actors share their records, and users/email providers have gotten wise to this and have become much better at blocking the scattershot techniques they use. Now, to be clear, these emails still get by many blocking services and users continue to click on them. That said, the number of people clicking has continued to decline with all these security layers in place, alongside more traditional corporate employee training.
So, what's a malicious actor to do? They pivot and change their technique from hoping for shrapnel to strike lots of lower value targets, and instead going the sniper route - a much more targeted campaign aimed at a few high value targets.
Introducing Whaling
Whaling is the next step up in the evolution of phishing. Instead of doing a “spray and pray,” you target specific members of an organization with carefully researched hooks in the hopes of getting the recipient to perform the desired action.
Most phishing emails are pretty generic and follow the same formula: "We noticed unusual account activity... click here to secure your account" is a very common lure and most phishing emails follow this general template. When it comes to whaling, however, the stakes are much higher so the email must be much more specific. That requires more work on the part of the cyberattacker, but the reward is potentially so much higher.
Let's look at how these campaigns work, step by step, from an attacker’s perspective:
- Step 1. Select the company that you want to target.
- Step 2. Identify areas of the company that contain the data you would want.
- Step 3. Use resources like LinkedIn and other social media platforms to identify the targets who control this data – the company employees.
- Step 4. Identify the correct contact information for the targets. If the target's data (work email) is not available, identify the company's naming convention for email. To discover the company's naming convention, start by creating a burner email account (Gmail etc.) and send bounce tests. A bounce test is a way to confirm the naming convention and the correct email address. You create an email with a subject line of "Test" with no context in the email and send it out to the various conventions.
- Example: First.Last@domain.com, FirstInitialLastname@domain.com,
First_Last@domain.com, etc.
- From there, you see what bounces back and what doesn't. Whatever doesn't bounce back is most likely the correct email address of the target. - Step 5. Research who the company deals with/partners with and send an email spoofing that company's domain with some measures to coax the target into performing the desired function.
- Step 6. Rinse and repeat with other targets in the company. Valid targets include executives, finance, human resources, IT, and anyone that would have access to the desired data.
How Can You Combat Whaling Campaigns?
To combat whaling campaigns, you follow the same training practices as phishing drills but ensure they are more specific to the user’s day-to-day functions. For example, instead of sending users a generic message about their account activity, an attacker may:
- Send the finance department an invoice from a vendor that they are already working with but with a different routing number (vs. the one the vendor typically uses).
- For the marketing department, an attacker might try something like a confirmation of a press release broadcast with a Word document attached, to see who downloads and opens the document.
- For the executive team, try sending an email containing a clickable link as if you were the CEO or a member of the board.
In conducting these drills, you need to think like an attacker so that you can provide employee training around whaling and the dangers it presents. This may be time consuming, but cleaning up after a company breach is far more so.