Email scammers have wised up to the fact that an attachment with a malware payload or a dodgy link to a phishing site makes it easy to detect their inbound attack.
A new type of attack, called “whaling” – somewhat like phishing but aimed at the ‘big fish’ in organisations – uses pure trickery, with no attachment or link, to siphon off large amounts of cash or valuable data.
Scammers send executives emails built on carefully researched knowledge about senior individuals in their company, hoping they’ll be fooled into transferring money or valuable data out of the organisation. Ubiquitous social media makes constructing this kind of fraud scenario dramatically easier than it was just five years ago, says Lennon.
“LinkedIn telegraphs company org structures to anyone who wants them now, so identifying top executives who deal with each other every day is the easy part for scammers,” says Lennon.
“A CEO may ‘check in’ to an airport on Facebook or Twitter to boast to pals that he’s off to San Francisco. But he’s also just told a scammer that he’s going to be offline for 14 hours, providing the perfect opportunity for fraudulent activity that he won’t be online to detect.
“The scammer then registers a domain name very similar to his company’s legitimate domain name, and takes some language from existing social media posts to write an email familiar in tone to the company’s CFO. The email requests payment for an overdue invoice by wire transfer, which the fake CEO claims not to have the paperwork for right now because he’s about to get on a plane.
“The CFO, receiving an email from an address that only varies in one character from the legitimate address and with facts that match what she knows is happening in real life, acts on the urgent request. When the CFO replies to the CEO’s email, the “reply-to” redirects to a different email address again, but the busy CFO doesn’t notice, and the CEO won’t even see the reply when he lands. By the time the fraud is picked up, the money is long gone and out of reach of the company’s bankers.”
Although this sequence of events might sound unlikely to happen given the checks and balances that should apply in a robust corporate financial system, it is, nonetheless, succeeding on an alarming scale. “The FBI recognised 22,000 attacks like this in the last three years, with losses of $A3.1 billion,” says Lennon.
Putting a harpoon in the whalers’ tactics
Given there’s no malware or link to detect, stopping these kinds of attacks requires technology that can look beyond the email itself. Lennon explains that when Mimecast evaluates an email for whaling risk, it uses five key factors among others, one of which is checking the domain the email comes from against domain name registration records to see how recently that domain was registered.
“In most companies, people won’t be doing business with domains that have been registered in the last few hours,” says Lennon. “The security solution needs to be granular enough to be able to rate that risk appropriately – if the email is sent to a senior member of a company from a brand new domain, it’s a higher risk than if sent to a sales team.”
Other factors that Mimecast considers include how closely the sending domain resembles the company’s official domain – looking for a variance of just one or two characters designed to trick the eye. It also uses a constantly evolving dictionary to detect words that might indicate heightened risk, such as “wire transfer”, “pay this invoice” or “payroll”.
It’s even smart enough to look at an email and uprate the risk if the display “from” name matches an individual in the organisation’s Active Directory, but the email doesn’t actually originate from within the company.
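To make the factors above concrete, here is an added example (not Mimecast’s code, and not from the original article) that scores a raw email on the signals the article lists: domain registration age, one- or two-character look-alike domains, risk phrases, and a display name that matches the directory while the mail comes from outside. It also flags the mismatched Reply-To described earlier; the company domain, directory names, registration dates and the sample message are all constructed, with a dictionary standing in for a real WHOIS lookup.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from datetime import datetime, timedelta, timezone
# Constructed reference data (names and domains invented). WHOIS_CREATED stands in
# for the live domain-registration lookup; SAMPLE is a constructed whaling email.
LEGIT_DOMAIN = "examplecorp.com"
DIRECTORY = {"alex ceo", "jo cfo"}  # display names found in the company directory
RISK_WORDS = ("wire transfer", "pay this invoice", "payroll")
WHOIS_CREATED = {
    "examplecorp.com": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "examp1ecorp.com": datetime.now(timezone.utc) - timedelta(hours=3),  # brand new
}
SAMPLE = ("From: Alex Ceo <alex.ceo@examp1ecorp.com>\nReply-To: alex.ceo@mail-drop.example\n"
          "To: Jo CFO <jo.cfo@examplecorp.com>\nContent-Type: text/plain\n\n"
          "Jo, boarding now. Please pay this invoice by wire transfer today.\n")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def whaling_score(raw_message, now=None, young_hours=48):
    """Score an RFC 5322 message; returns (score, reasons), higher = more suspicious."""
    now = now or datetime.now(timezone.utc)
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    findings = []
    created = WHOIS_CREATED.get(from_domain)
    if created and now - created < timedelta(hours=young_hours):
        findings.append((3, f"sender domain registered within the last {young_hours} hours"))
    dist = edit_distance(from_domain, LEGIT_DOMAIN)
    if 0 < dist <= 2:  # one- or two-character look-alike of the real domain
        findings.append((3, f"sender domain is {dist} edit(s) away from {LEGIT_DOMAIN}"))
    if display.lower() in DIRECTORY and from_domain != LEGIT_DOMAIN:
        findings.append((3, "display name matches the directory but mail is external"))
    if reply_domain and reply_domain != from_domain:
        findings.append((2, "Reply-To points at a different domain than From"))
    hits = [w for w in RISK_WORDS if w in body]
    if hits:
        findings.append((len(hits), "risk phrases: " + ", ".join(hits)))
    return sum(p for p, _ in findings), [why for _, why in findings]
```

The weights are illustrative; in practice the threshold would be raised for mail addressed to senior staff, as the article notes, and lowered for a sales mailbox.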
“Scammers are very good at constantly evolving their techniques, so Mimecast needs to be agile to rapidly develop new detection methodology,” says Lennon. “Our almost 20,000 customers actively participate in a very active community that gives us intelligence into the latest attempts at deception, so we can quickly evolve our techniques.”