Watch Your Head: The Growing Risk of Top-Down Cyber Attacks

By Tal Zamir, CTO, Perception Point

Enterprise phishing attacks generally start with run-of-the-mill emails believed to come from a trusted source. An employee clicks on an outwardly innocuous link and unwittingly shares sensitive data or responds to seemingly unremarkable requests from someone posing as a company executive – and the consequences can be catastrophic.

These phishing expeditions are not only targeting enterprises more frequently, they’re also more sophisticated and are usually just the beginning of a multi-layered attack. The clear message is that enterprises must deploy advanced email security services that can detect, intercept, and report any and every malicious email, link, attachment or specific text sequence. But what about the VIPs? According to recent reports, it can be easier to target organization leaders than their employees. They suggest executives are four times more likely to be victims of phishing than their employees – and yet, the emphasis has always been on training staff to be vigilant, rather than their managers.

Phishing is a general term that covers a whole range of cybercrimes. Spearphishing describes more targeted attacks aimed at people in a particular company. And whaling is even more targeted: It refers to a cyber-attack on an individual executive, who is likely to have access to the highest-level information.

How Does it Happen and Why is It Easier to Target VIPs?

Consider the following:

Nearly one in four executives use easy-to-remember birthdays in their passwords and will probably re-use those passwords again and again. They’re also five times more likely to share their password with people outside the company. The increasing use of social media and LinkedIn to promote the “CEO brand” makes it extremely easy for anyone to identify C-Suite members and find their personal information online.

In addition, spoofing and cloning methods are becoming increasingly sophisticated. Spoofing is when threat actors pose as legitimate users, while cloning is when they email a genuine message and attachments, pretending to be the original sender. These messages credibly mimic real correspondence, making attacks much harder to detect. With the increasing availability of generative AI technologies such as ChatGPT, it has become easier than ever to create convincing messages.

Spearphishing and whaling attacks generally target CFOs or others who deal directly with payments because that way fewer layers of confirmation are needed to access easy money transfers. CISOs and IT managers are also common targets, because they have broad access across their organization and their email addresses carry the authority to retrieve valuable data. It’s easier to trick one person at the top than to trick several along the chain of command.

Threat actors exploit our human desire to be helpful and respond positively to somebody we know and trust – or think we know and trust. And for such attacks, hackers will expend the time and effort to thoroughly understand their target, bide their time, and strike at the most opportune moment.

Here at Perception Point, we recently saw a textbook example of whaling against one of our clients, a US-based food and beverage distributor.

The attacker first targeted one of the distributor’s local vending partners, which, like so many SMBs, hadn’t invested in the most effective security measures. There was minimal security to bypass, so the hacker infiltrated the email account of the distributor’s contact at the local vendor and lay in wait, watching emails go back and forth….

The attacker’s moment finally came when the vendor reached out to the distributor’s CFO with an invoice for payment of over $200K. That’s when the threat actor struck. They hijacked the thread, asking to switch details so that the money transfer would go to them, rather than the actual vendor. This is known as BEC (Business Email Compromise), or VEC (Vendor Email Compromise), where the attacker uses social engineering techniques, and there is no malicious payload in the email.

A spoofed website domain was created a short while earlier where the threat actors switched two letters in the domain name to the fake rather than the vendor’s genuine This allowed them to hijack the thread without the actual owner of the email account to see the new email conversation.

The plan was thwarted, however, because Perception Point’s technology detected the malicious email and quarantined it before it ever reached the CFO’s inbox. However, because the threat actor had hijacked an existing thread about an actual upcoming payment, and created such a convincing spoofed domain, the CFO insisted that the message was legitimate, and requested that it be released from quarantine. The CFO was rightly concerned for the integrity of customer relations and wanted to give their vendor the benefit of doubt. It is concerns such as these that an effective phisher-man preys on.

Ultimately the US-based distributor was saved from making the errant $200K transfer because the Perception Point Incident Response service intervened when the release was requested.

What’s striking about this example is how easily the threat actors were able to leverage the distributor’s wider supply chain – i.e., the smaller vendor – to access the CFO of the much bigger operation. By researching the wider network and relationships of any enterprise – however large and well-protected – hackers can pinpoint and exploit the weak links.

What Can Be Done About It?

As email based attacks become more creative and complex, standard security solutions are becoming increasingly obsolete. It only takes one successful malicious email – BEC, phishing or malware, to ultimately send shockwaves through larger enterprises and potentially dismantle the smaller ones.

Here’s how enterprises can avoid this fate.

Many executives feel untouchable, even though, as we’ve seen, they are in many cases the primary target. They’re also more likely to use personal devices for work-related activities.

Everyone in an organization – including executives – must be properly educated and abide by the security guidelines of the company. If all employees use standardized tools with the proper security measures in place, an enterprise security team can reduce the likelihood of a breach. These are the responsibilities of CISOs.

At the same time, CISOs must make sure they’re able to prevent even the most advanced threats, before they reach the users – especially the executive. For email specifically, many advanced threats still bypass the security systems provided by Microsoft and Google, and it is imperative to augment their native security with advanced solutions that can efficiently detect and intercept all email threat types from spam, phishing, BEC, ATO and malware to APTs and zero-days.

Today’s modern threat detection systems can run under other email security systems (like Microsoft EOPand Defender) and employ multiple advanced and novel detection engines that utilize AI and ML algorithms such as NLP (Natural Language Processing), OCR (Optical Character Recognition), and image recognition to identify impersonation techniques, advanced phishing sites, attacks, and even spam. They are able to overcome the attacker’s evasion techniques by unpacking every embedded file and link within an email and statically and dynamically scan every single component in near real-time. Next-gen sandboxing technology allows for near real-time dynamic scanning of 100% of content because it targets attacks at the exploit stage, before the malware is released – dramatically improving detection, speed, and scale versus traditional sandbox and CDR solutions.

Security leaders should also look for solutions that leverage correlated data from web browser security and email security to improve detection, provide evidence for analysis and accelerate remediation.

No system is 100% impenetrable, and responding rapidly to an incident can prevent and/or greatly reduce the level of damage to the organization. Over the past few years, it has become clear that SOC teams are understaffed, overwhelmed and having difficulty in handling the growing number of incidents. Security leaders should be increasingly looking for vendors that include managed incident response services as a part of their solutions. This service will offload reporting, analysis, management and remediation of incidents from the SOC team. If the service is supported by robust ML and AI-supported technology, as well as experienced analysts, the solution will even be able to handle new threats with updated algorithms created on the fly.

Call Me Phish-mail

Spearphishing, whaling and BEC attacks are often time-consuming and complicated endeavors for hackers. They require long-term research, a keen understanding of an organization, and an eye for detail. But it is their attention to detail that can make them so successful. As with all types of cyberattacks, they will become even more sophisticated in the coming years.

Enterprises simply can’t afford to be complacent. There is no alternative to building defenses that will keep them safe from the digital harpoon.

Tal Zamir – Chief Technology Officer at Perception Point. Previously the Founder & CTO of Hysolate, Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. He has pioneered multiple breakthrough cybersecurity and virtualization products. Tal incubated next-gen end-user computing products while in the CTO office at VMware. Tal began his career in an elite IDF technology unit. He holds multiple US patents as well as an M.Sc in Computer Science from the Technion.


Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.