Do You Know the Five Phases of a Whaling Assault?

by David Hood - Director, Technology Marketing, Mimecast

It’s no secret that social engineering attacks, like phishing, spear-phishing and domain spoofing, have grown from being a nuisance to a colossal problem. But, perhaps the most colossal problem of the moment is Business Email Compromise, otherwise called CEO fraud or whaling.

Whaling attacks can cost companies millions in financial losses. In fact, according to the U.S. Federal Bureau of Investigation, whaling attacks led to more than $2.3 billion in losses over the last three years. Cybercriminals are able to pull off these deceptive scams by posing as a CEO, or other executive, sending an email asking the unsuspecting target to initiate a wire transfer or send payroll and other sensitive data.

It’s time to protect your organization from whaling attacks. This means you must get to know the ‘5 Phases of a Whaling Assault’ so you can both educate your employees and increase your technology defenses. They are:

  1. In the Crosshairs: In the first stage of an assault, fraudsters use social media networks to gather intel on their target.
  2. The Domain Game: Next, armed with just enough detail, they register a domain similar to the actual domain for the target company.
  3. Gone Phishing: An employee receives the phishing email, but doesn’t notice the subtle warning signs that it’s fraudulent.
  4. Victim’s Assistance: The target follows the call-to-action in what appears to be an authentic email from someone familiar.
  5. On the Money: But, it’s not authentic. The attacker now moves the funds from the fraudulent bank account or has sensitive employee information like W-2 forms and social security numbers that are used in a larger scam.
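One defensive check for the ‘Domain Game’ phase above is to compare every inbound sender domain against the domains the organization actually owns, after undoing the character swaps lookalike registrations rely on. This is an added example and not Mimecast’s code; the trusted domain list and the sample From headers are constructed, and the registrable-domain logic assumes a plain two-label suffix (no multi-part suffixes such as co.uk).

```python
"""Flag inbound senders whose domain looks like one of ours (added example)."""
from email.utils import parseaddr

# Constructed: the domains this organization really owns.
TRUSTED_DOMAINS = {"example-corp.com"}

# Character swaps that make a registered lookalike read like the real name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case the name and undo common visual substitutions."""
    d = domain.lower().strip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumption: the registrable part is the last two labels."""
    return ".".join(host.split(".")[-2:])


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike', 'external' or 'malformed' for a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    domain = registrable(host)
    if domain in trusted:
        return "trusted"          # our own domain, including our subdomains
    for t in trusted:
        if host.startswith(t + "."):
            return "lookalike"    # our name reused as a subdomain of someone else's domain
        if levenshtein(normalize(domain), normalize(t)) <= max_distance:
            return "lookalike"    # near-identical after undoing confusable swaps
    return "external"
```

A ‘lookalike’ verdict is a signal for quarantine or a visible warning banner, not proof of fraud; legitimate partners occasionally have genuinely similar names.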

Are you ready to take action against whaling? Download: “Whaling: Anatomy of an Attack” to learn more, including why whaling works, examples of recent high-profile attacks, and ways to defend against whaling fraudsters.


I am in San Francisco this week for the annual security event, RSA Conference. This year, aside from the normal discussions about attacks and defense techniques and technology, the industry has returned again to a topic close to my heart: skills training and recruitment.

As we see the security threat grow, anyone who runs a security team, or a company creating technology as I do at Mimecast, is acutely aware of the pressure to recruit the talent you need to keep up.

One of the speakers at the conference speculated that while we are worried today about the thousands of unfilled vacancies we see in the industry, this will quickly be dwarfed by a predicted global shortage in the millions by 2020.

So what can we do?

First, we can use technology to better automate security activity. Reduce the burden of more simple security tasks that require people right now.

But I think the real requirement is to motivate and inspire young people in particular about the opportunity to make a real difference to their community (global, national and local) through a career in IT security.

The world’s economy and public services now rely on technology. In many ways you could say it is data that makes the world go round not money.

Protecting the technology, data and services of the world’s organizations is vital work. Inspiring work. An important public service even.

The damage, both economic and social, that cyber-attacks cause is substantial. We have all read the headlines and with each year, the stories seem more stark and worrying. Attacks on critical infrastructure like electricity grids as seen in Ukraine last year. The theft of personal data from healthcare providers. The extortion of critical funds from public and private organizations who have become the victim of whaling or ransomware attacks. All of these seem to be daily events now.

So, as young people in particular start out in work and are looking at their options to make a difference in the world, we need to tell them how a career in IT security ranks alongside other inspiring professions of vital public service like healthcare, law enforcement and education.

Money and training will only go so far in tackling our recruitment challenge – tomorrow’s workforce want and deserve more than that. They want to make a difference and for those with the necessary skills, a career in IT security gives them just the opportunity they are looking for. We just need to tell more of them about it in those inspiring terms.


Just before Christmas, half of the residents of the Ukrainian Ivano-Frankivsk region were left without electricity for hours.

According to the Ukrainian news media outlet TSN, the cause of the blackout was a “hacker attack” utilizing a “virus” to compromise email security across the network. Cybersecurity researchers at ESET believe it to be the first-known instance of power stations being disabled by hackers.


It later emerged that attackers used the BlackEnergy malware with a modification to include an SSH backdoor to plant the destructive KillDisk component onto the targeted computers to make them unbootable.

This attack has not been widely reported but has had some coverage from media sites like the International Business Times. Credit to welivesecurity who covered it more than once.

The attack used a spear phishing attack in the form of a business email that contains a weaponized attachment which uses a VBA macro to download a malicious payload to the victim’s computer. The Ukrainian security company CyS Centrum have published screenshots of the spear-phishing emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian parliament). The document itself contains social engineering that tries to convince the victim to run the macro in the document. This attack is an example of a malware-less attack that relies on social engineering to trick the user into compromising themselves, instead of a spear-phishing URL, or classic email attachment malware. When the victims are tricked into opening the attachment and enabling the macros, they end up infected with the BlackEnergy Lite trojan.
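The attachment chain described above depends on a macro-bearing Office document reaching the user, so a mail gateway can at least flag attachments that carry a VBA project before anyone is asked to ‘enable content’. This is an added example, not code from Mimecast, ESET or CyS Centrum; it relies on two facts about the formats (OOXML documents are zip containers that store macros as a vbaProject.bin part, and legacy binary Office files start with the OLE2 signature D0 CF 11 E0 A1 B1 1A E1), and the sample document it builds is constructed in memory rather than a real Word file.

```python
"""Flag mail attachments that carry a VBA macro project (added example)."""
import io
import zipfile

# Signature of legacy OLE2 containers (.doc/.xls); these need an OLE parser,
# which this example does not include, so they are reported separately.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Macro-enabled OOXML extensions; flagged even if the container looks empty.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def attachment_verdict(filename, data):
    """Return 'macro', 'legacy-ole', 'clean' or 'not-office' for one attachment."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as container:
        names = container.namelist()
        # Every OOXML package carries a content-types part at its root.
        if "[Content_Types].xml" not in names:
            return "not-office"
        # The VBA project lives under word/, xl/ or ppt/ regardless of extension,
        # so a .docx renamed from a .docm is still caught here.
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "macro"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro"
    return "clean"


def build_sample(with_macro):
    """Constructed minimal OOXML-style package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as container:
        container.writestr("[Content_Types].xml", "<Types/>")
        container.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            container.writestr("word/vbaProject.bin", b"\x00constructed-vba-project")
    return buf.getvalue()
```

A ‘macro’ verdict is the point at which a gateway would sandbox, strip or quarantine the attachment; ‘legacy-ole’ files deserve the same treatment until a proper OLE scan says otherwise.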

Destructive malware is not new – the BlackEnergy Trojan was developed in 2007. However, cyber criminals can take a piece of destructive code and easily introduce it into BlackEnergy and mutate it. The new malicious code could then be tailored to theoretically control pipelines, water purification systems, power generators and other Internet connected critical infrastructure. In short, it could be catastrophic for utilities and organizations that own a significant, so called, Internet of Things estate of devices.

The risk to public sector services due to ‘normal’ or maliciously-induced downtime is something I highlighted in this blog last year.

I firmly believe this attack will be remembered as a seminal event in the world of cyber security – it’s a publicly recognized and successful attack on a critical public infrastructure service. We’re sure to see more of this type of attack in the future. The Achilles heel for organizations affected by these hacks seems to be email and weaponized email attachments each time. It’s time for both the private and public sector to recognize the threat of these weaponized attachments appearing in both small and large file emails and take necessary steps to protect companies and critical public services before the lights go out or the tap runs dry (again).

If you’d like more information about how you can protect your organization, you can read more on our site here.


When Is an Outage Not a Priority?

by David Hood - Director, Technology Marketing, Mimecast

When Microsoft Office 365 went down again last month, a painful truth emerged as the outage rolled on for several days – a big deal for your company is not always a big deal for Microsoft.

There have been repeated Office 365 cloud email outages recently, from an American Office 365 email outage in July to the Azure Active Directory problems that impacted much of Europe in early December.


But what’s different about this one is how slow Microsoft was to respond – maybe because it just affected customers that use IMAP. Microsoft promised to fix the problem by January 23 – five days after the outage.

Certainly Office 365 is not the only service to suffer like this – outages happen, but the reason why Office 365 outages grab widespread attention is because of its increasing popularity and the business critical nature of the email management services it provides.

But there is something significant about this one: what appears to be a failed service update could create an outage lasting more than a week. This highlights that your problem and Microsoft’s problem aren’t always aligned. With the number of companies adopting Microsoft Office 365 increasing quickly (as many as 50,000 a month), this problem only gets worse over time. Far fewer customers will be using IMAP, so there is a perceived risk that problems will be treated as a lower order priority fix. This underscores a risk to any organization’s business continuity and data security. No business should rely on a single provider for a critical service such as email. Additional third-party cloud services are the only way to manage these risks.

For many businesses, email is their most critical IT workload. Email continuity is also highly valued by employees. Tolerance for email downtime is almost zero as it costs money, damages reputations and cripples business operations. In short, we all need it to work and to work all the time.

For years IT teams have built disaster recovery plans and systems predicated on the belief that IT fails and you always need a plan B. Nothing changes in a cloud first world. Cloud services clearly fail and if you don’t have an independent email continuity service, your email will be down until Office 365 gets it back up again. And you can’t control when that will happen. One hour. Five hours. In the case of the IMAP failure, 7 days.

So take a page out of the on-premises risk management handbook. Make Office 365 safer with the addition of an independent third-party email continuity service and by keeping an Office 365 disaster recovery solution in place.

For all its strengths, if you rely 100% on Office 365 for your email you are asking for trouble. It’s just a matter of time.

Find out more about how Mimecast can help keep your business running during an Office 365 outage here.