Hacking Humans 5.20.21
Ep 148 | 5.20.21

Whaling attacks are more targeted than phishing or spearphishing.


Kev Breen: When we talk about whaling, we're talking about significantly more targeted attacks than standard phishing or even more targeted than spear-phishing.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Kev Breen from Immersive Labs is going to talk to us about addressing whaling attacks. 

Dave Bittner: All right, Joe, before we dig into our stories this week, I had an interesting conversation with actually one of my coworkers... 

Joe Carrigan: OK. 

Dave Bittner: ...Who was talking about password managers and his elderly parents. Now, you and I are both big fans of password managers. 

Joe Carrigan: We are, indeed. 

Dave Bittner: In fact, it's hard to imagine life without them... 

Joe Carrigan: Yeah. 

Dave Bittner: ...At this point (laughter). But my colleague was pointing out that particularly for the elderly, password managers can be troubling or hard to use. As easy to use as they are, they're not bulletproof. 

Joe Carrigan: Correct. I would imagine that's true. 

Dave Bittner: You know, sometimes you go to a website and things don't automatically get filled in the way that you would think they would. Some sites sort of try to thwart the automatic filling in of information. Particularly banking sites try to do that. 

Joe Carrigan: A terrible idea. 

Dave Bittner: Yeah. Well, you can see why they do it. They don't want some malware automatically filling in credentials or something. But... 

Joe Carrigan: Yeah. 

Dave Bittner: ...You'd think they would also coordinate with at least the big-name password managers. 

Joe Carrigan: Right, yeah. 

Dave Bittner: Right? The other thing is there can be confusion with your password manager of what your password manager is doing versus what your browser is trying to do itself. 

Joe Carrigan: Right. The password manager, in a lot of these cases, is a browser plug-in. 

Dave Bittner: Yeah. 

Joe Carrigan: You're looking at the same application. And even me, a technical expert... 

Dave Bittner: (Laughter). 

Joe Carrigan: Sometimes I don't know what's doing what, right? 

Dave Bittner: Right. 

Joe Carrigan: Why is that happening? 

Dave Bittner: Right. 

Joe Carrigan: Is that the browser? Is that the plug-in? I don't know. I could absolutely see where the confusion comes from. 

Dave Bittner: Yeah. And the point is that I think for a lot of people - and, you know, I see lots of people pooh-poohing this, but I think for a lot of people, a little notebook with their passwords written down in it, you know, put in a safe place in their home might be the best solution. 

Joe Carrigan: That is way better than just reusing the same password over and over again. 

Dave Bittner: Right. 

Joe Carrigan: As long as those passwords are good passwords and you're keeping that notebook secure, you're right, you're probably not going to have a problem with that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Unless somebody breaks into your house. 

Dave Bittner: Right (laughter). Right, exactly. 

Joe Carrigan: But the thing is, most of these cybercriminals aren't going to break into your house. 

Dave Bittner: No. 

Joe Carrigan: They may even never know where you live. 

Dave Bittner: No (laughter). 

Joe Carrigan: Which is why it's OK to do this. I've seen people pooh-poohing this as well. It's not the best security practice, but it is certainly better than reusing the same password over and over again. 

Dave Bittner: Yeah, yeah. It could be very effective. 

Joe Carrigan: Yup. 

Dave Bittner: And unless, you know - yes, there aren't roving bands of bad guys breaking into people's homes to steal their notebooks full of passwords. 

Joe Carrigan: Yes. 

Dave Bittner: Highly unlikely. 

Joe Carrigan: Agreed. 

Dave Bittner: So a good point from my colleague that, you know, sometimes you just got to - you have to be realistic, right? 

Joe Carrigan: Right. You have to understand your risk model - your personal risk model. Think about it. Am I really worried about people breaking into my house? I'm not anybody important. We like to say this a lot, that people should always be aware of the fact that they are targets of value to these malicious actors. 

Dave Bittner: Right. 

Joe Carrigan: But there is a scale along which you fall on that. 

Dave Bittner: Yeah. 

Joe Carrigan: And you should protect yourself accordingly. 

Dave Bittner: Yeah. And not everybody can handle, you know, some of these technical things, things that we take for granted... 

Joe Carrigan: Right. 

Dave Bittner: ...Those of us who have more time under our belts with all this technical stuff. It can just be beguiling... 

Joe Carrigan: Right. 

Dave Bittner: ...For people who aren't used to it. So... 

Joe Carrigan: A notebook would not be a good use case for me... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For one reason because I looked at my password manager yesterday, and there's over 400 entries into it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: That would be very difficult for me to maintain with a notebook. 

Dave Bittner: Right. But you can see that frustration with a password manager could be something that would lead to someone just reusing passwords. 

Joe Carrigan: Absolutely. But don't do that. Write them down in a notebook before you do that. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: It's a profoundly bad idea. 

Dave Bittner: Yeah. All right. Well, let's move on to some stories this week. I'll kick things off. I have a story from the folks at Pradeo, a security company. They did some research. They found a smishing Trojan that is impersonating the Chrome app. This is from their blog. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So what's happening is folks will get an SMS message on their mobile device, and it'll ask them to pay a custom fee to release a package delivery. And there's a link there. And when they open the link, the first thing they're asked to do is to update their Chrome app. Yeah. And, of course, the update is malware. 

Joe Carrigan: Right. 

Dave Bittner: Then they're asked to pay a small amount, just a couple of bucks, to pay the fee to release the package delivery. This, of course, is also fraudulent. Basically, it's the cybercriminals getting their credit card details. 

Joe Carrigan: Right, and making sure the credit card works. 

Dave Bittner: Yup, yup. 

Joe Carrigan: That's why the small charge. 

Dave Bittner: And once they install this fake Chrome app, it starts sending out SMS messages from the victim's device - more than 2,000 messages per week. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. 

Joe Carrigan: To other people? 

Dave Bittner: To other people. 

Joe Carrigan: Presumably from your contacts to infect them as well. 

Dave Bittner: Well, this says it's to random phone numbers... 

Joe Carrigan: Random phone numbers. 

Dave Bittner: ...That seem to be sequential. Yeah, yeah. And it does it for a couple hours a day, and this is how they propagate the attack. You're infected, and you start spreading the infection. 

Joe Carrigan: Yeah, definitely. It's like a worm, almost. 

Dave Bittner: Yeah, yeah. So the folks here at Pradeo talk about the ways that they're trying to bypass security detection. First off, they're using the victim's phone number to do the SMS phishing, so it's coming from a legitimate phone number. 

Joe Carrigan: Correct. 

Dave Bittner: Right? They use obfuscation techniques, and they call on external code to hide the malicious behaviors, which can help defeat threat detection systems. They have put out a bunch of variations of the app. So basically, when an antivirus starts to catch on that this is a bad thing, they change it just enough that the antiviruses won't detect it anymore. 

Joe Carrigan: Right. 

Dave Bittner: The engines won't detect it anymore. So they go on, you know, to say the best practices are mostly just the type of stuff we talk about to prevent social engineering. Don't provide your credit card details if it's an unknown sender. Go right to the package delivery company with the tracking number rather than clicking through on a link. 

Joe Carrigan: Right. 

Dave Bittner: Right? And also, you should only download apps from the official app stores. 

Joe Carrigan: Agreed. 

Dave Bittner: Google Play and Apple Store on iOS - update them from there. Don't update them from someone who says update from me. (Laughter) Right, right. 

Joe Carrigan: You can trust me. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: No. No, you can't trust them. 

Dave Bittner: No, you cannot. So, yeah - interesting one, one to look out for. 

Dave Bittner: All right, Joe, what do you have for us this week? 

Joe Carrigan: Dave, my story comes from Help Net Security. It was written by Daria Aleksandrova, who is a senior incident response analyst with Cyren. And her article is titled "Exploiting Common URL Redirection Methods to Create Effective Phishing Attacks." 

Joe Carrigan: And I thought this article was interesting. That's why I brought it in here to talk to the listeners about it. But, you know, when we think about phishing campaigns and all their components, sometimes we think about URL redirection, but we really don't think about URL redirection as top of mind. So this is definitely something we should consider as part of the whole when we're looking at phishing. We definitely always want to consider the way the phishing message is structured, seeing who the phishing message came from, those kind of things. 

Dave Bittner: OK. 

Joe Carrigan: But once the user is enticed into opening something, either clicking on a link or opening a file that's attached, there's other things that happen as well. There's still an opportunity to stop what's going on. And Daria talks about why attackers use these URL redirections, and she talks about the three E's - that it's easy, elusive and evasive. I would add another E. That's effective, right? 

Joe Carrigan: So there are three methods that the article talks about. And the first one, I think, is very interesting. It is an HTML attachment with JavaScript that delays redirection to a phishing site, right? 

Dave Bittner: OK. 

Joe Carrigan: So you get an email, and there's an HTML attachment on it. It says pay the invoice or open this file or something, and you open that file up, and it displays something to you that - could be anything, really. It's an HTML file. So anything you can do in HTML, you can show in this file. 

Dave Bittner: Right. 

Joe Carrigan: But there's also a piece of JavaScript on this page that's included with it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That has a timer. And when that timer runs out, it redirects you to a phishing site. Now, if you're looking at the browser and you're looking at the URL and the URL is just a link to a file on your computer, your guard is down, right? 

Dave Bittner: Right. 

Joe Carrigan: I'm not connecting to anything. But then the browser refreshes, and you're out at a phishing site, and you don't check the URL again, right? You still think you're on that file or you think something has happened. It - what it does is it changes the timing of looking at that URL if you even do it. 

Dave Bittner: Yeah. 

Joe Carrigan: I thought that was interesting. 

Dave Bittner: That is interesting. 

Joe Carrigan: The next thing she talks about is Adobe open redirects. This is a service that's offered by Adobe, right? It's a redirection service. And basically, you get an Adobe URL, and it points you to anywhere you want to go. 

Dave Bittner: OK. 

Joe Carrigan: It's kind of like the other services we're going to talk about in a minute. The example she talks about is an Adobe attachment that says, your password expires today; either reset your password or - and I thought this was very clever - click here to maintain your current password. Right? And if you click on that link that says, click here to maintain your current password, it takes you to a phishing site that asks you to enter your username and password, right? I thought this was almost insidious in the way it's done, right? I mean, who doesn't want to just keep their current password? 

Dave Bittner: Right. 

Joe Carrigan: You know, that is what 80% to 90% of the users want to do. 

Dave Bittner: Yeah. 

Joe Carrigan: If they see an easy way out, they're going to take that. 

Dave Bittner: Right. I just want to get back to doing whatever I was doing. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: That doesn't have to do with URL redirection, but I thought that the phishing hook there of, hey, I got an easier way for you to handle this is - I think that's really clever. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Bad guys are really good at doing this kind of thing. Normally we tell people, hover over the link, right? 

Dave Bittner: Right. 

Joe Carrigan: And see where it goes. Well, if you do that, it's going to go to an Adobe domain. And when you click on it, bang, you go to the Adobe domain, but that just redirects you to the phishing site. 

Joe Carrigan: And anyone can use this service, which is the third point that Daria talks about in this article - is the link-shortening services, things like Bitly. These are companies that use redirection as a business model. I never would've imagined you could've used something as simple as redirection as a business model, but there are entire companies out there built on this. 

Dave Bittner: Volume, volume, volume. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: These links can point to anything in the world. 

Dave Bittner: Yeah. 

Joe Carrigan: I use Bitly personally all the time. It's a great service. It shortens your link down to just a couple of characters beyond the actual Bitly - bit.ly. It's very effective. But, of course, any of these links can also be malicious. 

Dave Bittner: Right. Now, you know, services like Bitly have the capability where if you're suspicious, you can go to the Bitly website and put in the shortened link, and it will show you what... 

Joe Carrigan: It will show you where it goes, right. 

Dave Bittner: It will show you where it goes without taking you there first. 

Joe Carrigan: Yes. I think you can just put a plus sign at the end of a Bitly link, and that shows you all the information about that link. 

Dave Bittner: I see. I see. So, yeah, it's a good way, you know, if you're suspicious, and you should be... 

Joe Carrigan: Right. You should always be suspicious. 

Dave Bittner: (Laughter) Right, right. Yeah. 

Joe Carrigan: You can never be too paranoid, Dave. 

Dave Bittner: (Laughter) That's exactly what you want me to think, Joe. 

Joe Carrigan: I want you to think for yourself. 

Dave Bittner: OK. All right. Well, interesting information. We'll have a link to this, the report over from Help Net Security. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Vaughn (ph), who writes, hi, CyberWire. Sharing a snail mail fraud scheme. This was a first for us that I know of. It arrived via a USPS envelope. The recipient didn't have an existing contract for this company, so they went online to verify and found the very prominently displayed phone number and a W-9 form on their website. As an exchange admin, I have the tools for reporting, notifying and purging phishing emails but no way of knowing who got this. 

Joe Carrigan: So this is actually a letter that he got or somebody at his company got. And, I mean, it's not comical. You know, like, normally we do these that are very funny. 

Dave Bittner: Right. 

Joe Carrigan: But this one is interesting. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: You open up the letter. It has a letterhead that says it comes from the North Atlantic Supply Company, which may very well be a legitimate company. 

Dave Bittner: Yeah. 

Joe Carrigan: And it has a nice, like, factory logo with a little chemical vial overtop of it. 

Dave Bittner: It's just the kind of logo design you would expect from a company with a creative name like North Atlantic Supply Company. 

Joe Carrigan: Correct. 

Dave Bittner: (Laughter). 

Joe Carrigan: And it is a bill for almost $600. And they're saying it's for concentrated cleaner and degreaser. 

Dave Bittner: Right. 

Joe Carrigan: Plus the shipping charge. Oh, and they gave you $50 off, too. 

Dave Bittner: Oh, that's nice of them. 

Joe Carrigan: There is an age-old way to prevent this. It is called the purchase order number. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Most companies have an internal system that says, if you just send us a bill, it better have a purchase order number on it or we're never going to pay it. 

Dave Bittner: Right. 

Joe Carrigan: Because that's how we reference our internal servers because this stuff has been happening for a very long time. 

Dave Bittner: Yeah. 

Joe Carrigan: And companies don't want to be defrauded of money, so they have found a way around - or found a way to protect themselves from this. 

Dave Bittner: Right. 

Joe Carrigan: There is no purchase order number on this invoice. 

Dave Bittner: Yeah. I mean, the thing that strikes me about this is that, you know, concentrated cleaner and degreaser is - that could be something that is industrial. 

Joe Carrigan: Right. 

Dave Bittner: That could be just cleaning supplies, you know... 

Joe Carrigan: Yup. 

Dave Bittner: ...For your janitorial staff. So it's very generic. It's very beige. 

Joe Carrigan: Yes. 

Dave Bittner: But then, if you go to the website where they say, our phone number has been updated, and they have a phone number there, first of all, we don't know if this is a legitimate company whose website has either expired or been taken over by someone, or the whole thing could just be made up from nothing. 

Joe Carrigan: Right, right. 

Dave Bittner: But there's a phone number here. And I'm sure if you call this phone number, you're going to get somebody who's going to do their best to convince you that it's a real thing. 

Joe Carrigan: Yeah, I would bet that's the case. 

Dave Bittner: Yeah. What do you do here? I guess you go online and you see if there is a real North Atlantic Supply Company. But in this case, if you did that, you're going to go to this - it's going to take you to this website with the phone number, which is probably a fake phone number. 

Dave Bittner: I guess the bottom line here is just you need to be vigilant. 

Joe Carrigan: Right. 

Dave Bittner: You know, you can't just pay an invoice just because it comes in and, yeah, it's probably the guys down on the shop floor or it's probably the cleaning crew or who knows what? You need some kind of verification. And if you don't have a purchase order number, if something doesn't add up, then slow down. 

Joe Carrigan: Right. 

Dave Bittner: Try to find out... 

Joe Carrigan: Slow down. 

Dave Bittner: Right. 

Joe Carrigan: Follow the process. 

Dave Bittner: Yeah. Did somebody actually order that? 'Cause it might just be an honest mistake. 

Joe Carrigan: Right. 

Dave Bittner: You know, this may be a legit company who accidentally sent an invoice to the wrong people or who knows what? But you don't want to be out 600 bucks... 

Joe Carrigan: Nope. 

Dave Bittner: ...Just because it's easier and faster to just fill out the forms and send off the check, right? 

Joe Carrigan: That's right. 

Dave Bittner: All right. Well, thanks to our listener for sending that in. That is an interesting one. We would love to hear from you, of course. You can send us your Catch of the Day to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Kev Breen. He is from Immersive Labs. And our conversation focused on this whole notion of whaling attacks. Here's my conversation with Kev Breen. 

Kev Breen: When we talk about whaling, we're talking about significantly more targeted attacks than standard phishing or even more targeted than spear-phishing. And what they're trying to do is they're trying to figure out, like, how susceptible, like, chief executives, like, anybody who's a signatory on financials - so these are kind of their targets. 

Kev Breen: And they usually start off with something innocuous like, can I even get an email reaching to them? So we'll see things like blank emails going through - so emailing theCEO@anemailaddress, so maybe it's firstname.lastname@company. Maybe its firstinitial.lastname. So we'll see blank emails coming through, so no subject lines, like, no body, so nothing really suspicious that's going to set off any kind of alerts if you've got any kind of protective monitoring. And that's literally just there to see if those email addresses are alive, if they're receiving email. So the attackers will be looking for any bounce-backs, any failed deliveries. 

Kev Breen: And then once they've got that list of information, they'll know whether they're successful at sending those emails through. And that's probably a common first stage for somebody who's looking to perform a whaling attack. 

Dave Bittner: And so where does it go from there? 

Kev Breen: From there, again, it depends on the attacker's motivations. So typically, this is financially incentives, but it can also be looking for IP or looking for other kind of information. So depending on what the attacker's aims are, they'll go down one of a few routes. 

Kev Breen: So with more traditional whaling attacks where they're looking to convince to get payment information or to convince payments, they'll usually start just by sending some high-pressure emails. So at this point, they'll have done a lot of research, so they might know who the CEO's PA is. So they might construct an email that looks to be coming from the PA with the correct signatures, email, photos, that kind of stuff. And it will just be something like, we've had an invoice come through, and we need your signature on this. 

Kev Breen: And there'll be a couple of elements to it. So one will be a sense of urgency. So there'll be a time element, trying to put pressure on. So they know they have a very short window with which to try and trick somebody. And then one of the other actions will be something like a call to action. So we've got - this invoice has come in. We need you to go and sign this invoice immediately, or we need you to transfer funds over to this or approve this quickly. And we're going - if we - we're going to lose the contract if you don't. So there's going to be, like, a definitive call to action. There'll be a sense of pressure. 

Kev Breen: And then they may even tie in something like an excuse to why they're not doing this in person. Obviously, we're in a COVID environment at the moment. It's very easy to justify why you aren't doing this in person. But traditional things will be something like, I've just come back from lunch, and this is - I've seen this. Can you do it quickly? So there's a reason why they haven't come and seen you in person just to try and add a sense of legitimacy to it. 

Dave Bittner: And so how do you counteract this sort of thing? How do you prepare your folks to be able to thwart these attempts? 

Kev Breen: This is one of the most difficult things. So more traditional phishing attacks, they use traditional lures, so invoice fraud or things like that. They're kind of easy to spot. Typically speaking, with whaling attacks, they're a lot more targeted. So the attackers have done research, whether that's looking through LinkedIn, looking through documents that you might have published. So they construct something very personal to you or to the executive that they're targeting. So it's a lot harder for more traditional techniques to notice these. 

Kev Breen: So one of the best defenses you can do is going through exercising and making sure your execs understand things like, if you see something, just pause. Like, take a second. Nothing should be that urgent that you've only got seconds to respond. If in doubt, then you want to contact the person not by replying, but by going directly to them. So exercising those kind of techniques and those kind of behaviors will reinforce some of that learning so you'll understand what's going to happen if you ever arrive in that situation. 

Kev Breen: And the second part will be to almost assume that at some point it's going to happen to you. So assume that you get - a CEO, on a very stressful day, gets this email come through. It's very convincing. It's very targeted. And in a moment, they do whatever the email's asked them to do or whatever the phone call has asked them to do. So it's important to understand how you respond to that. 

Kev Breen: Those first minutes and hours of that kind of cyber incident or that incident are going to be the most important if you're going to try and potentially recover any funds before it's gone too far. So exercising not just how you identify these things, but how you respond to them in those first moments is a key piece to protecting yourselves. 

Dave Bittner: When you do tabletop exercises on these sorts of things, do you often witness, you know, people's attitudes changing as they go through the exercise? I guess I'm wondering, do people come in with a high level of confidence that I would never fall victim to this sort of thing, but then over time, they realize, you know, this could happen to anybody? 

Kev Breen: Absolutely. It's very easy to sit on the outside and go, why would anybody ever fall for that? And then as we go through the tabletop exercises, as you show them examples, as you put them in those situations where you've got to make snap decisions and you show them, like, the real world examples, you see, like, that light-switch moment where it dawns and then, actually, that's quite convincing. So it does happen a lot that, like, when you actually sit down, go through these tabletop exercises, you see the impact. You see those kind of things. It does dawn on people how actually easy it will be, which we see in the media as we see these things reported all the time, where companies are being hit by this kind of attack. 

Dave Bittner: Are there any technical things that organizations can put in place to try to help with this? 

Kev Breen: Absolutely, and not necessarily technical like cyber protecting from the emails coming in. There's definitely things you can do there, but more in your process and your procedural technique. So if you are having somebody setting up wire transfers, then make sure that you've got some kind of confirmation route on there, so some kind of known process where if something comes in as a priority payment that's got to be made, you understand where that goes to. So you have a process you track. It's not just somebody entering credit card details into a website. So having those processes in place. 

Kev Breen: And all we're looking for is we're just trying to insert a little bit of a delay so that you can stop, think and check, so before you just rush to action, 'cause that's what a lot of these emails do, is they're - they pressure you into fast responses before you have a chance to think, actually, why would I be sending this payment now? We've only spoke to them twice - or things of that nature. 

Kev Breen: So definitely technical things that you can do - on your email side, maybe looking for blank emails as those first checks are coming through. But definitely someone there - if you're using software, maybe something like Salesforce to do all your stuff. Like, having the correct configuration there is going to help you a lot as well. 

Dave Bittner: I suppose even making people aware that when - if they sense that they're being put in that emotional state of having to act quickly, that that itself is a red flag. 

Kev Breen: Absolutely. And one of the things that organizations can do is to run something like a central spam box. So it's an email address in your organization, so spam@companyname, and you get your users to send emails they think are suspicious there. So it's all very good to run the standard phishing training, like, have people clicked on the link? But what I'm more interested in is how often do people actually report something that looks potentially suspicious? 

Kev Breen: And if you can ingrain that into all of your staff where if you see something suspicious, just send it to us, somebody will look at it - they might not respond to you immediately, but somebody is going to look at it - and you get people comfortable in the reporting so that they'll start to stop and think more about these emails that come in. So they - if they're used to sending stuff to a spam box, they'll see their email and go, actually, yeah, that does look a bit suspicious; let me just fire it off to the security team before I act on it even further. 

Kev Breen: More traditional tabletops - like, you get people in a room. You get them 'round your PowerPoint presentation. They're not the best, especially in the world we find ourselves in. So being able to run something asynchronously, distributed is important. So if you - exercising is absolutely the right thing to do. If the only option you have is a tabletop exercise, then great. But, like, asynchronous, pulling in all of the members, so not just the security teams - your security teams, your PAs, your executives, your finance team - you want a really broad week (ph) so every member of your organization understands what the correct reporting chains are and how to respond should you have an incident. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: You know, Dave, I love all the terms we have in cybersecurity... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In the tech industry. And we started with phishing, and then it got really focused, and people called it spear-phishing. 

Dave Bittner: Right. 

Joe Carrigan: And then they started going after bigger targets, and people started calling that whaling. 

Dave Bittner: Right (laughter). 

Joe Carrigan: Very nautical. 

Dave Bittner: Right. 

Joe Carrigan: I love it. 

Dave Bittner: Right. 

Joe Carrigan: But whaling is essentially just spear-phishing bigger targets, right? And I like hearing the process that Kev talks about here. They start with just a bunch of blank emails - right? - just to see if they can fingerprint the organization. This is the reconnaissance phase of every attack. This is the first thing that has to happen is they have to go out, and they have to find all of the open ports or, in the case of a phishing attack or a spear-phishing or whaling attack, they're going to actually try to find email addresses. And the way they do that is by probing. 

Dave Bittner: Right. 

Joe Carrigan: The next thing they do is they send a high-pressure message. It's a typical social engineering attack, right? It is in and of itself a social engineering attack. There's an artificial time constraint, a sense of urgency. And they're going to be spoofing their assistant - their administrative assistant or their personal assistant, as they say in the U.K. 

Joe Carrigan: Here's something that's very important to understand about these attacks. The more targeted they are, the harder they are to identify and resist. We've seen this in business email compromise attacks. We've seen this in sophisticated even phone attacks, where people have gotten so good at impersonating other people, impersonating the victims. They've done their homework, and they understand how the victims work and what their process is, and they are really good at exploiting it and finding the triggers for these people. 

Dave Bittner: Right, right. And it's worth it for them to do that work. 

Joe Carrigan: It's worth it because when you're going after somebody who can sign a check for $50,000 or $500,000, that's a pretty big incentive. 

Dave Bittner: Yeah. 

Joe Carrigan: And we've seen these attacks where they've cost companies and organizations millions of dollars in fraudulent payments. 

Dave Bittner: Yeah. 

Joe Carrigan: Training and exercise is, I think, the only way to prevent this - I mean, from a personal standpoint. There are all kinds of technical things you can put on to protect the people from ever getting it. But some of these messages are going to get through those technical barriers, especially once they've started probing your email account - right? - or your email domain 'cause they are not going to send you the actual phishing email or the whaling email from the same address they use to probe. So even if you block the probing address, that first kinetic email that's coming in is going to be from a new address. You're going to have never seen it before, and it's going to look completely legit and will probably - and it'll be handcrafted. It will be handwritten. It won't be some massive emailing so you can identify, hey, look at all these emails we're getting with the exact same content. This is obviously either spam or a phishing attempt. This is going to be one email that comes in, like a harpoon - right? - to get the whale. 

Dave Bittner: Right. 

Joe Carrigan: And it's going to be very difficult to identify as a scam email. 

Dave Bittner: Yeah. 

Joe Carrigan: I do like what Kev says about making the technical solution designing your process and procedure to introduce delays and to give you time to stop and think about it. I also like introducing delays based on communication. In other words, I've gotten this email that demands that I pay some invoice; I have to make a phone call to the person who sent me this email and validate it. 

Dave Bittner: And, you know, we've talked about how it's common for organizations, if you have above a certain dollar amount, that there has to be two signatures on a check. 

Joe Carrigan: Right. 

Dave Bittner: Perhaps a similar thing could be that if it's above a certain dollar amount, a phone call has to go to the person who sent the invoice just as verification. 

Joe Carrigan: Right. 

Dave Bittner: You don't want to slow down your accounts payable people. You don't want to - I can see it has to be a balance, you know? 

Joe Carrigan: Yes, it does have to be a balance. 

Dave Bittner: Yeah. 

Joe Carrigan: Again, we're talking about managing your risk level. 

Dave Bittner: Right. But everybody needs to be a part of the security side of things. 

Joe Carrigan: Correct. 

Dave Bittner: Yeah. 

Dave Bittner: All right. Well, again, our thanks to Kev Breen for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.