Computer Security Technology Ltd

+44 (0)20 7621 7836

November 26, 2015

Cyber-criminals target big businesses with ‘whale’ scam

This scam tactic sees the criminal posing as a company boss and sending a spoof message to the finance department, asking for a large supplier payment to be rushed through.

Most people are already wary of phishing, but businesses now find themselves having to defend against a new type of cyber-threat: ‘whaling’.

This scam tactic sees the criminal pretending to be a company boss and sending a spoof message to the finance department, asking for a payment to a supplier to be rushed through while claiming the chief executive, who would normally handle it, is currently out of the office.

Experts have called this trick ‘whaling’ as it involves thieves going after one big sum – the whale – as opposed to phishing, which tends to see criminals targeting lots of smaller amounts; an approach more comparable to line fishing.


The scam may seem a little far-fetched, but a number of businesses have already fallen victim, with the criminals taking millions of pounds. Among those hit is US tech firm Ubiquiti Networks, which claims to have lost £30 million to whalers.

Security firm Centrify almost followed, with the company’s head of security, Tom Kemp, claiming his company narrowly avoided losing money when a finance director who had been targeted bumped into the manager identified in the initial scam email.

He also said this was just one of many attempts, and that Centrify was at one point being targeted regularly by whaling attacks. Those who carry out the attacks tend to register a domain name as similar as possible to that of the business they’re trying to scam, and then replicate staff email addresses on it in the hope that employees won’t notice the slight differences.
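One way a mail gateway or triage script could flag the lookalike sender domains described above, as an added example that is not part of the original article; the domain `example-corp.com`, the sample headers and the function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (constructed placeholder).
TRUSTED_DOMAINS = {"example-corp.com"}
# Visual substitutions folded to one form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

def skeleton(domain: str) -> str:
    """Fold look-alike characters and drop hyphens: 'examp1e-corp' -> 'examplecorp'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return re.sub(r"[-_]", "", d)

def edit_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'external' for a From: header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        if domain and (skeleton(domain) == skeleton(good)
                       or edit_distance(domain, good) <= max_distance):
            return f"lookalike:{good}"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, not taken from a real incident.
    for hdr in ("Jane Boss <jane.boss@example-corp.com>",
                "Jane Boss <jane.boss@examp1e-corp.com>",
                "Jane Boss <jane.boss@exmaple-corp.com>",
                "Accounts <accounts@supplier-example.net>"):
        print(f"{classify_sender(hdr):28} {hdr}")
```

A distance threshold of 2 suits longer domain names; for a short domain it will match many unrelated senders and should be lowered.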

One cyber-security expert, Bit9’s Ben Johnson, explained why the risk increases for some firms: “It’s becoming a big problem; especially for small companies that do not have the bodies to look into all the emails,” he said. “The bad guys might only be after $100,000, but for a smaller company that’s a lot of money.”

It’s a new take on an old fraud: persuading someone to give something away, rather than having to rip it from their hands. In this new take, email is the communication method, the targets are staff who have payment authorisation authority, and the trick is disguising the request as coming from their boss.

Along with this type of big phishing attack, we have also seen traditional trojan banking malware with a twist: the methods that the attackers are using to conceal the attack. Here’s an example based on a recent real-world incident:

An email is sent to the FD with the subject line “Invoice Now overdue”. The attachment is a spreadsheet that on its own is harmless and is not detected as a risk by either the desktop or the gateway anti-virus solutions. However, embedded within the spreadsheet is a simple, non-threatening macro that links to websites. The websites are real, genuine websites that have unwittingly been compromised themselves. The result is a connection from the FD’s workstation to the website, using HTTPS to encrypt a download of the real intended malware. In effect, this tunnels the malware through the business’s gateway onto the endpoint. Now the last and only thing stopping the malware from executing and gathering the FD’s banking credentials is the endpoint security software! In some situations the endpoint defence has thwarted the attack; unfortunately, there have been victims where the ploy has succeeded.

Here are a few suggestions to reduce the likelihood of such an attack:


Replace or augment existing anti-virus software with intrusion detection capabilities and non-signature-based detection technologies, or enable them where they are already available.

Ensure gateway defences can inspect encrypted traffic such as HTTPS.

Remove user privileges that would otherwise allow local execution.

Use a macro scrubber at the gateway to cleanse instruction-bearing files.

Deploy network-wide ‘file reputation’ checking.

Ensure staff understand and are aware of the threats and risks of phishing scams. Coach them to be wary of emails bearing attachments or links, and to adopt a “better to be safe and ask the helpdesk” approach where they have any uncertainty.


Lastly, with Christmas just around the corner, now is a great opportunity for a festive-themed staff security awareness refresher, especially as Christmas is seen by cyber-criminals as a great time to increase their attack success.

We have a free simple guide to staff awareness of phishing, email and web security, please email me for a copy: