Security Dealer & Integrator

SEP 2018

Find news and information for the executive corporate security director, CSO, facility manager and assets protection manager on issues of policy, products, incidents, risk management, threat assessments and preparedness.

Issue link:

Contents of this Issue


Page 8 of 84

T his month's article from our newest columnist, attorney Tim Pastore (Legal Brief – page 24) really struck me… CEO/executive impersonation seems as real a threat to both a security busi- ness's customers as well as to the ser- vice provider itself as ransomware or any other cyber vulnerability – per- haps even more so. It turns out, there's a word for the type of email fraud scheme Mr. Pastore describes: Whaling. Where does the term come from? e likely answer is that it is just a bigger and better form of "phishing" – but personally, I like to think the term spawned from the casino/gaming lexicon. As you walk around the casino you are staying at for GSX, if you spot a whale, you are seeing a high- roller gambler – someone with a lot of money to lose. While the etymology is debat- able, either one fits – because as Mr. Pastore writes in Legal Brief, a single well-craed and disguised email can make for a multi-million-dollar score for a criminal and a potentially crip- pling blow to a business. Phishing for Joe the Plumber's credit card num- ber is for amateurs; whaling is now the preferred attack vector of today's enterprising cyber thieves. Kaspersky Labs defines a whaling attack as "a method used by cyber- criminals to masquerade as a senior player at an organization and directly target important individuals at an organization, with the aim of steal- ing money or sensitive information or gaining access to their computer systems for criminal purposes. Also known as CEO fraud, whaling is simi- lar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money." Frequent SD&I contributor Rob Simopoulos of cybersecurity firm Defendify (formerly Launch Security), recently wrote in his blog: "If an attacker can fool a so-called 'whale,' they could get to the top tier of infor- mation: financial data, employee infor- mation, intellectual property, business plans and more." He adds that "business owners and executives are obviously tempt- ing prey: ey oen have high-level access to financial accounts and sen- sitive business data; and they have the authority to make things happen quickly inside the business, typically a key appeal for cybercriminals." Case in Point: It's Not a Kid's Game One of the more famous whaling attacks happened to toy maker Mattel in 2015. It cost the company $3 mil- lion. ere have been more attacks since (and much more profitable ones for thieves), but the high-profile nature of the attack prompted the InfoSec Institute to write a detailed case study on the particulars of the case: e cybercriminals behind this attack have been hiding in Mattel's computer networks to diligently study the corpora- tion's internal procedures, protocols, cor- porate hierarchy, supplier information, employee personalities, etc…ey waited for the perfect moment, which came when Mattel appointed a new CEO, Christopher Sinclair, in Jan. 2015. e cybercriminals selected a high- level executive as the recipient of this delicate whaling email, using the iden- tity of Christopher Sinclair, and asked the recipient for a joint approval of a $3 million payment to a Chinese supplier of Mattel. According to Mattel's internal money transfer protocol, such a pay- ment would require authorization from two high-level managers. e recipient qualified, and as the request had come from the new CEO, which signified the other authorization, she did not hesitate and pressed the transfer button. Search for "Mattel" at the site to read the full, blow-by-blow report and analysis. You may be surprised to learn how vulnerable Mattel was, and how vulnerable your company or customers may be. As a business owner, it is time to face facts: You are a whale. ■ Editor's Note BY PAUL ROTHMAN Paul Rothman — Editor-in-Chief @SecurityDealer company/16179507 Are you a Whale? It turns out that plain-old phishing is for amateurs

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Dealer & Integrator - SEP 2018