The story about the Phish, the Whale and the Spear

November 24, 2019 | By Avi Walles, TSOC Manager and Michael Wainshtain, Endpoint Technical Team Leader

Phishing is the term for a type of social engineering attack in which the attacker pretends to be a legitimate person or organization in order to lure victims into providing sensitive information such as credit card numbers, usernames and passwords, social security numbers, and other private identifying details.

There are several channels used for contacting the victims, such as email, text message, and even a phone call. Usually, the sender poses as a known, legitimate source and offers some benefit or incentive to make the potential victim open the message or answer the call.

Phishing falls under the Initial Access tactic of the MITRE ATT&CK matrix. The method is very easy to use: no special knowledge or cost is needed to start a simple campaign with the various open-source automation tools available. That’s why so many malicious campaigns use phishing as their initial access vector.

When criminals target members of a specific organization, the attack is referred to as spear phishing. On most occasions, spear phishing is carried out by well-organized and highly sophisticated attackers who spend a great deal of time researching their targets. Most of the time they are sponsored and usually have a disastrous “bigger” plan, unlike cybercriminals who just want some quick money.

Whale phishing (whaling) is a type of spear phishing that mainly targets high-ranking individuals within an organization, such as CEOs, CFOs, and other executives. The primary goal of this attack is to use their authority to convince unsuspecting employees to release sensitive information about the organization and/or perform a specific action, such as releasing a contact list or sending a payment.

Let’s summarize: phishing, spear phishing, and whaling attacks share many similarities – all involve using impersonation to elicit information or money from a target.
However, there are a few differences:

– A typical phishing attack takes a “quantity over quality” approach to scamming. The attack is simple, relatively easy to identify, and distributed to thousands or millions of recipients.

– Spear phishing is more targeted. These attacks focus on a specific organization or one of its employees in order to obtain sensitive data about that organization.

– Whaling is a type of spear phishing; it focuses on high-ranking, high-value target(s) in a specific organization who have a high level of authority and access to critical company data. This kind of attack might take weeks or months to prepare, and the emails used in the attack will be highly convincing.

TSOC, TrustNet's security operation center, encounters a large number of phishing attacks on a daily basis, ranging from simple spam phishing mail to a sophisticated threat actor that compromised a CFO's mailbox and edited the email addresses of the company's suppliers in the Microsoft Outlook NK2 file (the autocomplete store that lets a user create a nickname and assign it to an e-mail address).

Additionally, we observed an increase in the use of data sharing platforms for phishing campaigns in order to avoid detection based on the domain name (as happens with newly registered domains, certificate checks and similar controls). The attackers use a shared link from SharePoint, OneDrive, etc. that leads to a web page requiring the user to type in their credentials in order to “inspect some content”. It can be a fake O365 page or an imitation of any other service.

In the cloud, where many interfaces are exposed to the world and not all of them are covered by a second factor, the attacker's work becomes even more efficient: an initial credential exposure can turn into a production compromise in no time.

Modern mail relays have capabilities to deal with malware and malicious URLs, but even advanced URL inspection engines cannot identify a fake page hosted on a legitimate domain. Relays also use technologies like SPF to identify spoofing, but attackers can send from a real registered domain with a valid SPF record, changing only the sender’s display name, or use a very similar (look-alike) domain name, or both. Also, most organizations don’t enforce SPF in block mode (because it’s too noisy and produces lots of false positives).
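The two tricks just described pass SPF because the sending domain is genuine, so they have to be caught on the From: header itself. The following is an added illustration, not TrustNet's tooling, of a triage check a SOC can run over reported mail; ORG_DOMAIN, PROTECTED_NAMES and the sample headers are constructed.

```python
"""Flag display-name impersonation and look-alike sender domains.

Added illustration, not TrustNet's code; the domain, executive names and
sample headers are constructed.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                     # constructed: the protected domain
PROTECTED_NAMES = {"jane doe", "john smith"}   # constructed: executives worth impersonating
MAX_DISTANCE = 2                               # edits beyond which a domain is "different"


def normalize_domain(domain: str) -> str:
    """Fold common character substitutions used to build look-alike domains."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from(from_header: str) -> list:
    """Return (kind, detail) findings for one From: header; [] means nothing suspicious."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # Mail from our own domain is left to SPF/DKIM/DMARC, which do cover that case.
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return findings
    if any(p in name for p in PROTECTED_NAMES):
        findings.append(("display_name", "%r sent from external domain %s" % (name, domain)))
    if domain and edit_distance(normalize_domain(domain), ORG_DOMAIN) <= MAX_DISTANCE:
        findings.append(("lookalike_domain", "%s resembles %s" % (domain, ORG_DOMAIN)))
    return findings


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example.com>",        # constructed samples
                "Jane Doe <ceo.jane.doe@gmail.com>",
                "Accounts Payable <ap@exarnple.com>",
                "John Smith <john.smith@exampel.com>"):
        print(hdr, "->", analyze_from(hdr) or "clean")
```

Feeding the findings into the user-reporting workflow described below lets the SOC prioritise reports where the display name matches an executive but the domain is external.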

The solution for that vector involves the user: creating user awareness and organizing mandatory periodic training. This must be combined with an efficient feedback system that lets users report any suspicious email, giving the SOC the ability to analyze the threat and respond as quickly as possible.

What can you do about it?

1. Educate staff about phishing.
2. Encourage managers to consider what they share on social media.
3. Install anti-phishing software or a browser extension.
4. Verify requests for money and sensitive information.
5. Have systems in place in case someone takes the bait (e.g., 2FA).