
“Whaling” emerges as cybersecurity threat - Oatseller
http://www.cio.com/article/3059621/security/whaling-emerges-as-major-cybersecurity-threat.html
======
markbnj
>> Wessland says such attacks are impossible to pick up with basic spam-filtering
>> technologies, noting that hackers will simply keep creating new fake domains
>> from which to send their targeted messages.

Haha, yes that's true: we still do not have the universal fraud detector and
stupidity prevention algorithm. Seriously, this is not a system security
problem. If you have high-level employees in the finance dept. of your company
that will initiate a wire transfer on the basis of an unsigned, unencrypted
email from an untrusted domain, that is a policy/standards/personnel issue.

~~~
superuser2
Does _any_ large company have any form of email encryption deployed? I'm
pretty sure Serious Business is steadfast in laughing off GPG.

~~~
markbnj
Probably not many, but simply acting on the authorization of any email, not to
mention one that is not from the CEO's corporate account is astoundingly
credulous behavior. It shouldn't actually _be_ astounding, I suppose, given
the number of people who fall for online scams, but we're talking about people
within a corporation who have the authority to move large amounts of money
between accounts. So yeah, still astounding to me :).

~~~
superuser2
The scammer just forges the FROM header, so it would appear to be from a
corporate account.

------
ams6110
Any C level person should at least be [GP]PG or S/MIME signing all their
email, if not fully encrypting it. Email impersonation is just too easy.

~~~
trhway
> Any C level person should at least be [GP]PG or S/MIME signing all their
> email, if not fully encrypting it. Email impersonation is just too easy.

I wonder what security policies and practices were followed by one well-known
Secretary of the State Department of the largest nuclear superpower ...

~~~
superuser2
On a totally segregated classified messaging system. Who knows if it's
protected by more than obscurity, but it's definitely protected by obscurity.

Government officials commonly have 2 computers and 2 phones, one classified
and one unclassified.

Hillary is alleged to have handled a little bit of classified information
through her unclassified system, but it's not like she was routinely moving
state secrets through civilian email.

------
basicplus2
If this is happening, then internal audit procedures are non-existent, as any
significant finance decisions should involve a minimum of two people to
authorise transactions to minimise fraud in the first place.

This falls under business basics.

------
williamscales
That's embarrassing. Isn't it the CFO's job to use his or her discretionary
judgment when approving transfers? I think we need to fix business cultures
rather than build tools to think for us...

------
herge
We've had a spate of fake emails between our CFO and CEO in our company.

Seeing as we use Google Apps for our email, it would be really nice if Google
could warn in their interface that this email may have the CFO's address, but
it did not come from internal mail...

~~~
tyingq
I believe if you publish a DMARC policy for your domain, to reject
unauthenticated email from your domain, then the forged emails wouldn't ever
land in the inbox.

[https://support.google.com/mail/answer/2451690](https://support.google.com/mail/answer/2451690)

[https://support.google.com/a/answer/2466580](https://support.google.com/a/answer/2466580)

~~~
upofadown
DMARC is a message to other entities about what you want them to do in case
DKIM/SPF fails. In this case that wouldn't help as the problem is with your
entity. So you would just have to reject things that fail your DKIM (or more
practically, add a warning to the subject line).

~~~
tyingq
In this case, the parent is using Google Apps, and is receiving forged outside
emails "from" their own domain, to recipients within that domain.

The way to tell Google Apps "don't accept outside forged emails from my
domain" is a DMARC policy, combined with the pre-reqs for that. Google Apps
happily puts forged emails (from your own domain) into your inbox if you
don't.

>> DMARC is a message to other entities about what you want them to do in case
>> DKIM/SPF fails

Yes, but it also drives what your hosted Gapps/Gmail instance does with
incoming forged email for your own domain.

Google could provide a toggle or functionality to say what to do with failed
DKIM and/or SPF more generally, for all domains...but they don't. I can tell
you for sure that messages with failures for both regularly land in the inbox
within my Google Apps Gmail.

------
jonah
From the title I thought this was going to be about foreign SIGINT ships
disguised as whaling vessels trolling off the coast.

