In our past series, “Threat! What Threats?” we covered the topic of phishing in a generic way, but today we are taking a closer look at a more targeted type of phishing that poses significant risks to enterprises: Whaling. We will specify the differences between a whaling phishing attack and other types of phishing attacks and showcase how Clear NDR is equipped to detect it.
Whaling phishing, a more specific type of spear phishing or Business Email Compromise (BEC), is a deceptive cyber-attack that specifically targets high-ranking executives or decision-makers within a company. Attackers invest time and effort in researching their targets to create highly convincing and tailored phishing emails, making it challenging for victims to discern the authenticity of the communication.
Falling victim to a whaling phishing attack can have severe consequences for an organization, including but not limited to:
Clear NDR currently covers 13 different types of known phishing attacks, using 767 detection methods to spot them. When one of these threats is detected, Clear NDR issues a Declaration of Compromise™ (DoC), a high-confidence and high-priority security event signaling a “serious and imminent” threat on an asset.
These DoC events include important contextual information on the specific threat as well as a detailed attack timeline. Clear NDR users can easily identify what the threat is, see a record of its activity, explore more information about the asset it is impacting, and view resources from third-party threat intelligence. Additionally, Clear NDR includes a feature for Homoglyph detection. Homoglyphs are used to disguise malicious domains, often by using characters from other alphabets.
Clear NDR has advanced algorithms for Unicode decoding that compare observed traffic against a list of commonly spoofed domains. As traffic moves through the network, the homoglyph detection logic checks the domain-related fields against these lists and raises an alert if the observed domain falls below a similarity threshold.
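As an added illustration of the homoglyph detection logic described above (example code written for this post, not Clear NDR's implementation), the following Python decodes punycode labels, folds lookalike characters into an ASCII skeleton, and compares the result against a constructed list of protected domains, using edit distance as the similarity measure. The confusable table, the threshold value and the domain list are assumptions, not the product's.

```python
import unicodedata

# Constructed stand-in for the "commonly spoofed domains" list (not Clear NDR's own).
PROTECTED_DOMAINS = ["example.com", "stamus-networks.com"]

# A few lookalikes folded to ASCII; the full Unicode confusables table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",  # Cyrillic/Greek
    "0": "o", "1": "l",                                                          # digits
}

def skeleton(domain: str) -> str:
    """Decode punycode labels, NFKC-normalize (folds fullwidth/ligature forms), map lookalikes."""
    if "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    domain = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(observed: str, max_distance: int = 2):
    """Return (protected_domain, edit_distance) for a near-miss of a protected domain, else None."""
    skel = skeleton(observed)
    for legit in PROTECTED_DOMAINS:
        if observed.lower() == legit:
            return None                   # genuine traffic, nothing to raise
        distance = levenshtein(skel, legit)
        if distance <= max_distance:
            return (legit, distance)      # alert: within the similarity threshold
    return None

# Constructed sample of domain fields as they might appear in DNS, TLS SNI or HTTP Host.
OBSERVED = [
    "example.com",                                       # legitimate
    "examp1e.com",                                       # digit 1 for l
    "exarnple.com",                                      # "rn" for "m"
    "ex\u0430mple.com".encode("idna").decode("ascii"),   # Cyrillic а, punycode on the wire
    "unrelated.net",
]

if __name__ == "__main__":
    for dom in OBSERVED:
        print(dom, "->", check_domain(dom))
```

A distance of 0 with a non-identical observed name is the pure homoglyph case; small positive distances catch typosquats such as the "rn" for "m" substitution.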
While security teams can enjoy the benefits of automated threat detection provided by Clear NDR, many organizations choose to incorporate more proactive threat hunting in their defenses. In this case, the security analyst actively hunts for specific threats or scenarios that could be present on their network.
Clear NDR’s guided threat hunting interface includes numerous predefined filters that allow the analyst to search for specific activities often related to whaling, such as homoglyph use, executable images, suspicious URLs, specific TTPs identified in the MITRE ATT&CK framework, and more.
Stamus Networks recently introduced several new threat intelligence feeds focused on newly registered domains (NRDs) that can also help detect potential phishing activities. These NRDs could be used to spoof legitimate domains, or otherwise be used for command and control (C2) communication. To learn more about incorporating the new NRD threat intelligence into your Clear NDR workflow, visit this blog post.
To learn more about phishing, visit our blog post titled “Threats! What Threats? Detecting Phishing with Clear NDR”. You can also see a detailed example of how to use Clear NDR to hunt for phishing activities in the blog post “Hunting for Phishing Activity with Clear NDR”.
To stay updated with new blog posts from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.