“Whaling” emerges as cybersecurity threat (cio.com)
30 points by Oatseller on April 23, 2016 | 17 comments



>> Wessland says such attacks are impossible to pick up with basic spam-filtering technologies, noting that hackers will simply keep creating new fake domains from which to send their targeted messages.

Haha, yes that's true: we still do not have the universal fraud detector and stupidity prevention algorithm. Seriously, this is not a system security problem. If you have high-level employees in the finance dept. of your company that will initiate a wire transfer on the basis of an unsigned, unencrypted email from an un-trusted domain, that is a policy/standards/personnel issue.


Does any large company have any form of email encryption deployed? I'm pretty sure Serious Business is steadfast in laughing off GPG.


Probably not many, but simply acting on the authorization of any email, not to mention one that is not from the CEO's corporate account, is astoundingly credulous behavior. It shouldn't actually _be_ astounding, I suppose, given the number of people who fall for online scams, but we're talking about people within a corporation who have the authority to move large amounts of money between accounts. So yeah, still astounding to me :).


The scammer just forges the FROM header, so it would appear to be from a corporate account.


Any C level person should at least be [GP]PG or S/MIME signing all their email, if not fully encrypting it. Email impersonation is just too easy.


>Any C level person should at least be [GP]PG or S/MIME signing all their email, if not fully encrypting it. Email impersonation is just too easy.

I wonder what security policies and practices were followed by one well-known Secretary of State of the largest nuclear superpower ...


On a totally segregated classified messaging system. Who knows if it's protected by more than obscurity, but it's definitely protected by obscurity.

Government officials commonly have 2 computers and 2 phones, one classified and one unclassified.

Hillary is alleged to have handled a little bit of classified information through her unclassified system, but it's not like she was routinely moving state secrets through civilian email.


Worse yet, they are typically behind Microsoft Exchange, and I believe it does not support DKIM out of the box.


If this is happening, then internal audit procedures are non-existent, as any significant finance decision should involve a minimum of two people to authorise transactions, to minimise fraud in the first place.

This falls under business basics.


That's embarrassing. Isn't it the CFO's job to use his or her discretionary judgment when approving transfers? I think we need to fix business cultures rather than build tools to think for us...


We've had a spate of fake emails between our CFO and CEO in our company.

Seeing as we use Google Apps for our email, it would be really nice if Google could warn in their interface that this email may have the CFO's address, but it did not come from internal mail...


I believe if you publish a DMARC policy for your domain, to reject unauthenticated email from your domain, then the forged emails wouldn't ever land in the inbox.

https://support.google.com/mail/answer/2451690

https://support.google.com/a/answer/2466580


Gmail seems to have a robust policy for dealing with exactly these errors. Thanks for pointing it out.


DMARC is a message to other entities about what you want them to do in case DKIM/SPF fails. In this case that wouldn't help as the problem is with your entity. So you would just have to reject things that fail your DKIM (or more practically, add a warning to the subject line).


In this case, the parent is using Google Apps, and is receiving forged outside emails "from" their own domain, to recipients within that domain.

The way to tell Google Apps "don't accept outside forged emails from my domain" is a DMARC policy, combined with the pre-reqs for that. Google Apps happily puts forged emails (from your own domain) into your inbox if you don't.

>>DMARC is a message to other entities about what you want them to do in case DKIM/SPF fails

Yes, but it also drives what your hosted Gapps/Gmail instance does with incoming forged email for your own domain.

Google could provide a toggle or functionality to say what to do with failed DKIM and/or SPF more generally, for all domains...but they don't. I can tell you for sure that messages with failures for both regularly land in the inbox within my Google Apps Gmail.
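A sketch of the receiver-side DMARC evaluation this sub-thread is arguing about, added here as an illustration and not code from any commenter or from Google: the DMARC record, the SPF/DKIM authenticated domains and the From: domain are all constructed inputs, and the organizational-domain check is simplified (no Public Suffix List lookup).

```python
from typing import Dict, Optional

def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into a tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags

def org_domain(domain: str) -> str:
    # Simplified: last two labels; real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False  # that mechanism did not pass, so it cannot align
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: Optional[str], from_domain: str,
                      spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Disposition for one message: 'pass', or the domain owner's requested p= action.

    spf_domain  : MAIL FROM domain if SPF passed, else None.
    dkim_domain : d= of a DKIM signature that verified, else None.
    """
    if record is None:
        return "none"  # no policy published: the receiver has nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed scenario from the thread: an outsider forges From: cfo@example.com
# with no SPF or DKIM result that aligns with example.com.
FORGED = dict(from_domain="example.com", spf_domain=None, dkim_domain=None)
LEGIT = dict(from_domain="example.com", spf_domain="example.com", dkim_domain="example.com")

if __name__ == "__main__":
    for policy in (None, "v=DMARC1; p=none", "v=DMARC1; p=reject"):
        print(policy, "->", dmarc_disposition(policy, **FORGED), "/", dmarc_disposition(policy, **LEGIT))
```

With no record or `p=none` the forged message gets disposition `none` and is delivered as the commenters observed; only `p=quarantine` or `p=reject` gives a receiver that honours DMARC a reason to keep it out of the inbox.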


Postfix has the feature you require [0]. Does Google support anything along these lines?

https://serverfault.com/questions/321109/how-to-prevent-remo...


From the title I thought this was going to be about foreign SIGINT ships disguised as whaling vessels trolling off the coast.

