In June of this year, I received a call from a client: “Our email has been hacked!” they claimed. “Someone is sending out email from the CEO’s mailbox, requesting that our accountant transfer funds overseas!”
They forwarded to me the email that the accountant received. Sure enough, it looked like it came from the CEO; it had a signature block with his name – including middle initial – title, and the name of their company – not things that a mass-spammer would know or take the time to craft.
Assuming the worst, I looked through the mail system’s logs for evidence of that email leaving from the server and found none.
(Techy stuff: We’re also blocking all outbound mail from every device but the mail server so at this point I was pretty sure that his email had not been compromised. Furthermore, their mail system checks SPF records on incoming mail. Without this check, it’s quite easy for a spammer to send mail masquerading as a domain that the spammer doesn’t own. If it weren’t for the detailed and accurate information in the signature block, I could have written this off as a garden variety phishing attempt.)
But that signature block…
And, how’d they know who my client’s accountant is?
And, how did they email from my client’s domain despite SPF checking…
To protect my client’s anonymity, let’s say that my client’s domain is acmeconsultants.com. The hacker bought acmeconsulltants.com.
Did you catch it? He or she doubled-up on one letter in the domain name.
(Techy stuff: as soon as I discovered the hacker’s domain, I did a WHOIS on it and found that he had already deleted it from the Internet.)
With the similar domain name in hand, he created an email address in the CEO’s name, created a signature block for that whiff of authenticity, then sent an email to the accountant requesting that she transfer $19k to a bank in the UK.
It just so happened that my client was expecting such a request to transfer funds. What a coincidence, right? It’s not, as we’ll see.
Fortunately, the accountant did two smart things:
- She forwarded the email to their bank contact asking them to verify the transfer request
- She texted the CEO for his corroboration
If she had just responded to the email, it would have gone right back to the hacker at the lookalike domain. The hacker would have replied, “Yup, that’s me. All good. Please proceed.”
Months later, this was still in the back of my mind when I stumbled upon this article: http://www.cio.com/article/3059621/security/whaling-emerges-as-major-cybersecurity-threat.html
That’s exactly what happened to my client. And now we have a name for it: whaling.
The lesson here: when you want to verify something you received by email, call or text the person who ostensibly sent it. Don’t reply.