Cyberattack avoidance lessons from the White House
It seems no one is immune when it comes to being tricked by cybercriminals, with several top White House officials revealing they were hoodwinked recently by fake emails. CNN reports a hacker impersonated President Donald Trump’s son-in-law, Jared Kushner, and former Chief of Staff Reince Priebus in a late July cyberattack. Homeland Security Adviser Tom Bossert accepted a soiree invitation from a sender he believed was Kushner and provided his personal email address. Then-White House Communications Director Anthony Scaramucci was also harpooned into a heated email exchange with the cybercriminal, who he believed was Priebus.
The White House email incident is likely best defined as a spear-phishing or whaling attack, in which malicious hackers attempt to impersonate high-profile executives who have access to sensitive data. Krebs on Security reports the FBI places the total financial loss associated with impersonation cyberattacks at $2.3 billion over a three-year period.
According to Twitter content posted by the attacker — who self-describes as a “lazy anarchist” from the UK — the goal wasn’t to steal national secrets. The prank was for “fun,” although the hacker also wrote the White House needs to tighten up its IT policy.
Executives at highest risk of whaling attacks
The White House network is known for its emphasis on security, which shows that any organization can be susceptible to this type of attack. Unlike this recent attack targeting US government officials, many corporate-targeted whaling attacks are focused on information theft. Executives may fall prey to whalers who are more intent on stealing data than having a good time.
Naked Security reports countless enterprise brands with strong security have been harpooned by cybercriminals in recent months. Executives in the C-suite are most likely to be targeted by impersonation threats given their high-level access to data and funds. But how did the hacker slip through the White House’s network security and, more importantly, how can executives stay prepared?
How top White House officials were hoodwinked
Though the precise details of the White House attack have not been released, there’s no evidence that the emails were actually sent from Kushner or Priebus’ personal email accounts. Cybersecurity professor Alan Woodward told the BBC it’s likely the hacker changed a single character in the sending domain. Even relatively savvy recipients can easily fail to notice a domain such as “Whitehouse.gov” has been changed to “Whithouse.gov” or something similar.
Successful whalers may spend significant periods of time performing research on organizations before launching a cyberattack, gathering intelligence on their targets through open source intelligence freely available through company websites, LinkedIn and personal social media profiles. Being able to emulate the CFO’s writing style can make social engineering-driven attacks more believable — sometimes, devastatingly believable. Krebs on Security reported one recent cybersecurity heist that targeted an executive at a Silicon Valley manufacturer resulted in fiscal losses of $46.7 million, only $8.1 million of which was recoverable.
How CEOs can avoid getting harpooned
In more traditional phishing attacks that entice executives into clicking malicious links, adequate mobile device management tools can ensure successful threats are quickly sequestered from sensitive data and the devices can be decommissioned before they infiltrate the entire company network. Two-factor authentication for emails is an important technological baseline for filtering out some malicious emails.
From a behavioral standpoint, it’s wise to always check the sending domain carefully, with an eye for the slight typos that can make a threat appear legitimate. In general, a quick phone call to your colleagues to verify that a request for funds or information is legitimate is critically important. Finally, executives should work closely with marketing to ensure hacker bait isn’t publicly available through web content, such as detailed information about organizational structure or roles published on the company website.
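The sending-domain check described above, and the single-character domain change Woodward describes, can be automated at the mail gateway. The following is an added example, not code from the article or any vendor: it flags sender domains that sit within a small edit distance of a trusted domain. The allowlist, function names and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: constructed allowlist of the organization's own and partner domains.
TRUSTED_DOMAINS = {"whitehouse.gov", "example.com"}

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("hosue" for "house") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def sender_domain(from_header: str) -> str:
    """Lowercased domain of a From: header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def classify_sender(from_header: str, max_distance: int = 2):
    """Return (verdict, nearest trusted domain or None).

    max_distance=2 is an assumed threshold; very short trusted domains
    need a lower value to avoid flagging unrelated senders.
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    nearest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= max_distance:
        return ("lookalike", nearest)  # near-miss of a trusted name: quarantine
    return ("external", None)

if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ("Jared Kushner <jk@whithouse.gov>", "Staff <staff@WhiteHouse.gov>"):
        print(hdr, "->", classify_sender(hdr))
```

A check like this covers typo-style lookalikes only; a sender using an unrelated free-mail domain with a familiar display name is classified as external, which is why the phone-call verification above still matters.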
What’s the right solution to the whaling climate?
According to Dark Reading, top-down information security practices dictate making secure behaviors a personal responsibility for every individual. Every stakeholder should have the knowledge and tools necessary to recognize threats in real time, in addition to technical barriers against attack. Though techniques such as two-factor authentication for email are vital, the White House incident reveals any single-faceted take on security simply isn’t enough. Human awareness is key.
As the individuals within the enterprise who are at greatest risk of facing a highly targeted whaling attack, C-suite executives are wise to understand their email security risks. Exercising caution and verifying sender information before releasing funds or data could be key to avoiding the costly impact of today’s most plausible phishing emails.