Move over Phishing, here comes Whaling

There are many articles available advising on IT Security best practice for business. You might even have read some. But sometimes it takes first-hand experience to bring home how vulnerable you might be.

We recently witnessed at first hand just how sneaky online fraudsters can be. We put this article together to share with you an hourly account of a real-life security incident to show how the hackers did it and what they got away with. If you are forewarned, you might better understand the nature of these cyber crime attacks and be in a position to take steps to prevent them from happening to your business.

Highly targeted attacks such as the one described here are on the increase and have been dubbed “whaling” because they target “one big fish” as opposed to phishing, which tends to be aimed at lots of smaller fry.

April 30 10:39am

An email with subject “Document!” arrived from a known, trusted sender. The body says:

I have shared a file with you via Dropbox App.
Find it below for your quick review and perusal.

Click Dropbox to download shared document.

Thank you.

April 30 11:42am

The sender was trusted, so the Dropbox link was clicked. The web page that appeared looked just like the real Dropbox site, except it wasn’t. There was also no https lock icon in the browser bar, but this wasn’t picked up on. Valid Dropbox username and password credentials were entered. A fake error message was given explaining that the file failed to download. A few more attempts to log in were made with different password combinations – each time, the fake error explaining the file failed to download was given.

The real purpose of the fake Dropbox site was to harvest user credentials to see if they could be used to log in to the email account. This time the hackers struck gold; one of the credentials entered was for the email account that the original email was sent to.

April 30 8:01pm

The credentials entered earlier were used to illegally access the email account. We later traced the source of this to an IP address in Nigeria. For the next few hours this same IP was used to access the account a number of times. The hackers were carefully reading email. Once hackers have access to email, they can control and reset the passwords for all your other online accounts. In this case the hackers found an email thread about an awaiting bank transfer.

May 2 7:14am

The hackers sent an email with their bank details to the payer as “updated bank details”.

May 2 10:21am

The payer deposited nearly £10,000 into the hackers’ bank account, believing it to be the correct updated details for a valid transaction. There was no visible evidence of any fraudulent activity regarding the updated bank details.

May 2 11:31am

The hackers began to cover their tracks. They deleted all sent email for the past two years along with all the contacts in the user’s mail account.

May 2 9:17pm

The compromised email account was used to send the same original scam email to all contacts. Rules were put in place that automatically responded to any reply from those contacts about the scam email, confirming that the file was legitimate and that they could proceed to open it. Another rule deleted any mail to and from the parties concerned with the bank transfer, thus preventing any further communication about the payment via email and delaying the discovery of both the compromised mail account and the payment made in error.

May 3 9:39am

The legitimate owner of the email account noticed the missing contacts and called us. We established that suspicious activity had taken place when we noticed that sent emails were missing too. We began recovering and securing the account.

Recovery steps

1. The email account password was changed immediately.
2. The computer was comprehensively scanned for any malware.
3. The passwords to all online accounts were reset (bank/Amazon/eBay/Dropbox/…).
4. The rules that were set up by the hackers were deleted.
5. All passwords were made more complex and stored in a password vault with a complex master password. This made it easier to have more complex and varied passwords without worrying about remembering them all.
6. Additional security options on the email service were turned on: two-factor authentication for new devices and alerts of any suspicious activity.
7. We recovered the deleted email and contacts from backups.
8. We then monitored email logs for the next week for any signs of further suspicious activity.
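
One way to carry out the rule check behind step 4 is sketched below, as an added example that is not part of the original incident response. It assumes the mailbox rules have been exported to a simple list; the field names, rule names and the year in the timestamps are constructed for illustration and need mapping to whatever your mail service provides.

```python
from datetime import datetime

# Rule actions seen in this incident that warrant a manual look.
RISKY_ACTIONS = {
    "auto_reply": "replies automatically to matching mail",
    "delete": "deletes matching mail before the owner sees it",
}

# Constructed sample export; field names and the year are placeholders.
SAMPLE_RULES = [
    {"name": "Newsletters", "actions": ["move_to_folder"],
     "created": "2000-11-03T09:00:00"},
    {"name": "Out of office", "actions": ["auto_reply"],
     "created": "2001-02-10T17:30:00"},
    {"name": "re: Document!", "actions": ["auto_reply"],
     "created": "2001-05-02T21:17:00"},
    {"name": "cleanup", "actions": ["delete"],
     "created": "2001-05-02T21:18:00"},
]

# First unauthorised access to discovery, per the timeline (year constructed).
WINDOW_START = datetime(2001, 4, 30, 20, 1)
WINDOW_END = datetime(2001, 5, 3, 9, 39)


def audit_rules(rules, window_start, window_end):
    """Return (rule name, reasons) for each rule that needs manual review."""
    findings = []
    for rule in rules:
        reasons = [why for action, why in RISKY_ACTIONS.items()
                   if action in rule.get("actions", [])]
        created = datetime.fromisoformat(rule["created"])
        if window_start <= created <= window_end:
            reasons.append("created during the intrusion window")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, WINDOW_START, WINDOW_END):
        print(f"REVIEW {name!r}: " + "; ".join(reasons))
```

A rule with a single reason, such as a long-standing out-of-office reply, is usually legitimate; a rule that both takes a risky action and was created while the account was compromised is the kind that was deleted in step 4.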

We are still waiting to hear if the money has been recovered. Similar incidents have been reported in the media here: http://www.bbc.co.uk/news/technology-34570713