Whaling phishing or how social engineering works

2019 08 30 · 1 min read

When it comes to IT security, most people imagine that they will be protected by a sophisticated password or antivirus system. In the work environment, they would probably add that their security is taken care of by IT administrators. Yet even if we have the most effective security solutions, largest walls and thickest doors, that will not be enough to protect us if we willingly open them and hand over the keys.

In security-testing terms, social engineering is the manipulation of people’s psychology to get them to divulge confidential information or carry out unlawful actions.

Example:

One day you receive an email from a colleague or your manager asking you to fill in a form, and you do it without thinking about it. Everything seems fine – after all, you trust the person who sent you the email. After a short while, when you have already forgotten about the email and the form, you are called into a meeting by the IT administrators and company manager, who ask you to explain why data is being transferred from your computer to somewhere outside Lithuania.

It may not be too bad if that happens after just a couple of days, but global statistics indicate that it usually takes about half a year to detect a breach.

This example is an illustration of spear phishing, whereby the attacker sends emails to certain individuals masquerading as a person they know very well or consider an authority.

Another type of phishing attack is called whaling. These attacks target high-ranking individuals – namely, senior executives at companies or branches. Creating such attacks is resource-intensive, but they can pay off tenfold and make it possible to steal large amounts of money.

This is what a social-engineering attack against your company might look like:

  1. Information is gathered on the target
    First, the attacker looks for publicly available information on the company he or she is targeting via sources such as the firm’s website and searching on Google. They may also make fake calls to the company pretending to be a client or partner to get additional information. If possible, the attacker might try to look around the company’s premises and assess its security systems. They may even search for confidential information in bins.
  2. Potential victims are sought
    The attacker finds company employees via social media sources such as LinkedIn and Facebook. A list of emails is created from the addresses of several employees.
  3. A spear phishing attack is launched
    Targeted employees at the company receive a special email containing infected documents or a request to open a link in the email and/or enter confidential data. The attacker then waits until an employee falls for the bait and transfers the data.
  4. The attacker exploits the results
    Pretending to be a company employee, the attacker logs in to the firm’s system and, having full access, takes the confidential data.
  5. The attacker covers their tracks
    After concluding his or her activity, the person deletes all traces of having logged in to the system.

Social engineering attacks occur on a daily basis. One real-life example is a case in which an individual forged a secret service certificate and an employee certificate, took cars from different municipalities and went for a joyride. A key aspect of this is that the person found the certificates on the internet, then made some edits and printed them. Although this was criminal behaviour, the people who gave the impersonator the keys to the cars failed to do their jobs.

In another incident, a Lithuanian citizen managed to swindle companies such as Google and Facebook out of $100 million by sending fake invoices. He established a company in Latvia with a name similar to that of a supplier from which the IT giants had previously purchased services. For three years no one noticed that the money was being transferred to Latvian and Cypriot bank accounts.

The problem is that there are no technological solutions to fully protect yourself from social engineering attacks. However, there are ways to reduce the risk:

  • When you receive an email, do not immediately send or open any attached documents or click on any links.
  • Assess the email’s content and structure, checking for details such as whether it contains any grammar, style or logical errors, and whether it has signatures.
  • Make sure that the sender’s email address looks legitimate and check which other people are on the list of recipients.
  • Hover your cursor over the links in the email and you will see the real links behind them – compare those to the ones that actually appear in the email.
  • If the email still looks suspicious, contact the sender via different channels, such as by calling them.
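The email checks in the list above (sender address versus Reply-To, the visible link text versus the real destination behind it, and who else is on the recipient list) can be automated for first-line triage. The following is an added example, not code from the original post; it uses only the Python standard library, the message is constructed here with reserved example domains, and the names `check_message`, `extract_links` and `SAMPLE_EMAIL` are this example's own. It flags a Reply-To domain that differs from the From domain and any link whose displayed text names a different host than its `href`, which are the two mismatches a reader is told to look for by hovering over links.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not taken from the original post). Domains are
# reserved example/invalid names; "examp1e.com" imitates "example.com".
SAMPLE_EMAIL = b"""From: "Finance Director" <director@examp1e.com>
Reply-To: payments@attacker.invalid
To: alice@example.com, bob@example.com
Subject: Urgent: update supplier bank details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm the new account via
<a href="http://login.attacker.invalid/form">https://portal.example.com/finance</a> today.</p>
<p>Policy: <a href="https://example.com/policy">https://example.com/policy</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] for all anchors in the HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def _host(url):
    """Lower-cased host of a URL; a bare host like 'example.com' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _domains(header):
    """Lower-cased domains of every address in an address header (empty if absent)."""
    if header is None:
        return []
    return [addr.domain.lower() for addr in header.addresses]


def check_message(raw_bytes):
    """Triage one raw RFC 5322 message and return the points a reader should look at."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    sender = _domains(msg["From"])
    reply_to = _domains(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in extract_links(html):
        # Only compare when the visible text itself looks like a URL or host name.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != _host(href):
            findings.append(f"link text shows {shown} but points to {_host(href)}")

    recipients = [str(addr) for addr in (msg["To"].addresses if msg["To"] else [])]
    return {"from_domains": sender, "recipients": recipients, "findings": findings}


if __name__ == "__main__":
    result = check_message(SAMPLE_EMAIL)
    print("From:", result["from_domains"], "| recipients:", len(result["recipients"]))
    for finding in result["findings"]:
        print("WARNING:", finding)
```

On the constructed message this reports the Reply-To mismatch and the first link, whose text claims `portal.example.com` while its target is `login.attacker.invalid`; the policy link is left alone because text and target agree. The host comparison is deliberately exact, so a lookalike such as `examp1e.com` in the From address is surfaced only through the returned `from_domains`, which a reader still has to compare against the domains they expect.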

The following steps help to reduce risk at a company level:

  • An information disclosure policy and filtering of outgoing information.
  • Guidelines for internal procedures relating to the accessibility and use of information.
  • Installation of two-factor authentication.
  • Regular IT security training for employees.
  • Regular testing of IT security systems.

Social engineering and methods for protecting yourself or your business can be discussed in further detail, so if you have any questions or want advice, please contact us at info@ba.lt.