Public sector leaders harpooned by 'whalers'

As one of the 21.5 million US government employees whose personal details were compromised in last year’s massive breach of the Office of Personnel Management (OPM), Chris Pogue knows — and has written about — just how vulnerable personally identifiable information (PII) is online these days.

Yet even as the repercussions of the OPM breach continue to plague those affected, Pogue said, an equally ominous threat against government agencies is continuing to grow as high-level public servants are increasingly targeted with ‘whaling’ attacks designed to trick them into wiring money under false pretences.

The high level of privileged information access common across government agencies makes them particularly likely targets by the purveyors of whaling attacks, said Pogue — a 13-year US Army veteran who now works as senior vice president of the Cyber Threat Analysis team within security-analytics company Nuix.

“When you talk about the data of public servants and elected officials,” he explained, “you are really looking at a unique subset of the threat landscape in that this sort of data has some pretty unique characteristics.

“These people have access to a tremendous amount of information that’s not necessarily disclosed to the public. One only needs to be a little bit creative to think about the kinds of things you could do with this information.”

That information includes not only PII about citizens and their dealings with government, but commercially relevant inside information such as details of negotiations, eyes-only internal memoranda or documents related to often sizeable government contracts that private bidders would love to get their hands on.

“Data is of tremendous value,” Pogue said. “It’s the new oil — so you have to really anticipate that these criminals want to go after the data, disrupt that process and manipulate it. Government agencies retaining that data need to understand that there is tremendous value for that data on the black market, and that attackers want it — so they will actively pursue it. It’s literally anything, anywhere.”

A rising tide of whaling attacks has seen cybercriminals target those with access to such information by using publicly available information — or data that has been stolen from the target company — to write uncannily accurate emails designed to trick CFOs, accounts payable teams or other executives with payment responsibilities into wiring money or emailing sensitive files that inevitably disappear from sight.

Recent figures from the US Federal Bureau of Investigation (FBI) hinted at the magnitude of the whaling problem — also known as ‘CEO spoofing’ — with some 17,642 victim complaints received over the last 2.5 years, some US$2.3 billion (AU$3 billion) in losses recorded over that time.

The FBI also noted a 270% increase in both the number of victims and the size of their losses since January 2015, with average losses per scam in one US state averaging between US$25,000 (AU$32,750) and US$75,000 (AU$98,000).

“There are really massive, tangible amounts of money changing hands on the back of this,” said Ben Adamson, APAC technology lead with email management vendor Mimecast, which recently released a tool called Impersonation Protect that is designed to fight whaling and other targeted attacks buried in cleverly crafted emails.

“Once it happens it’s nearly impossible to get it back because of the number of countries involved and the mobility of the perpetrators. It’s not that you can transfer this money back, because you’ve made the transfer and it is a legitimate transfer.”

Adamson cited a customer survey that found 72% of attackers had pretended to be the CEO while 35% had imitated the CFO; in both cases, employees were targeted that have regular engagement with C-suite executives. Whalers would often pretend to be using executives’ personal Gmail accounts (used in 25% of cases) with Yahoo and Hotmail each comprising 8% of targeted attacks.

Many scammers were not only using publicly available information to craft their emails, but were monitoring social media for signs that an executive might, for example, be on a long flight and uncontactable to verify the veracity of a transfer instruction emailed during that time.

Scammers “understand that person is absolutely not going to be able to intervene in that time, and you see the pressure stepped up to complete the transaction quickly”, said Adamson. “Most people have seen this in some incarnation.”

The whaling problem in Australia is escalating commensurately and Symantec’s recently released Internet Security Threat Report 2016 (ISTR) qualified the depredations of online whalers in terms that will be frightening for public sector IT strategists at all levels.

Australia was the second most-targeted country in the APAC region and fourth most-targeted country globally in terms of targeted whaling, spear phishing and other attacks; second regionally and seventh globally in terms of social media scams; and the most targeted APAC country by perpetrators of ransomware attacks.

Email attacks have become far more frequent — 408 campaigns were recorded in 2012 and 1305 campaigns observed in 2015 — but far more targeted as well. Whereas the average campaign in 2012 targeted 122 different email addresses, by last year this had decreased to just 12.

Symantec recorded nine ‘mega breaches’ last year — those with more than 10 million identities exposed — as opposed to just four in 2014. Social services organisations were by far and away the most severely affected, with six incidents compromising some 191 million digital identities — twice that of second-place insurance carriers.

Public sector organisations — where transparency practices often see detailed organisational charts published — are like a road map for scammers, Adamson added. This translates to increased risk in the public sector: “When you have a high-profile organisation where the structure is very well known, it means you’ll have a much more well-designed attack where it’s got a much higher likelihood of success based on someone having a lot of knowledge about the stakeholders.”

The ISTR left little question that public sector data is exposed, and if current trends continue — and all signs suggest that they will — things will get worse before they get better.

Yet there are signs that growing education about whaling, combined with appropriate tools, may be paying off. Early feedback from corporate users of Impersonation Protect — which came out of beta just weeks ago — suggests that “they are absolutely seeing messages starting to be tagged and they’re exactly the kind of messages they would want tagged”, Adamson said. “This is exactly what we would hope for.”

Image courtesy of Jose Antonio Navas under CC-BY-2.0