A few weeks ago I watched a fully executed demonstration of a whaling attack that actually happened to a CEO. It was an eye-opening demonstration, and I want to share it with all of you to increase your awareness of what goes on. First, the definition. Wikipedia states “whaling refers to spear phishing attacks directed specifically at senior executives and other high-profile targets. In these cases, the content will be crafted to target an upper manager and the person’s role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.”

In this case the method was quite different. A top executive was reached by email about a conference he was attending. The phisher posed as a vendor selling security products and asked to have coffee with the executive. Towards the end of the meeting he said he would share the details of their products with the executive, who would just have to log in to his Office 365 account to access the information. In the executive's mind this was a trusted source. The share was sent to the executive and he proceeded to log in to his account. What he didn’t realize is that the link the phisher had sent pointed to a bogus Office 365 login server, run with a tool called Evilginx, that performs what’s called a “Man-In-The-Middle” attack: it sits between the victim and the real login page. This software is used in many phishing attacks to capture credentials and session cookies.

The executive logs in, the credentials are relayed to his real Office 365 account, and now his username and password have been captured and the account is compromised. Even if you have multi-factor authentication turned on, the session that results from the login is good for an hour or so, and the bogus login server also captures that session cookie. If the phisher uses the captured session within that hour they can log in to your account and bypass the multi-factor authentication, because the session already carries proof that MFA was satisfied.
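One way a defender can spot the session-cookie replay described above is to look for a session that was established by an interactive, MFA-satisfied sign-in from one client and then used from a different address before it would have expired. The following is an added example, not part of the original post or of Evilginx; the event fields are a constructed, simplified schema rather than a real Office 365 log format, and the one-hour lifetime is taken from the post's "an hour or so".

```python
from datetime import datetime, timedelta

# Constructed sign-in events in a simplified schema (not the real Office 365 log format).
# An interactive MFA sign-in from the executive's own machine, followed minutes later by
# non-interactive use of the same session from an unrelated address and browser.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "ceo@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/Windows", "interactive": True},
    {"time": "2024-05-01T09:03:00", "user": "ceo@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/Windows", "interactive": False},
    {"time": "2024-05-01T09:20:00", "user": "ceo@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "Chrome/Linux", "interactive": False},
    {"time": "2024-05-01T11:00:00", "user": "cfo@example.com", "session": "S2",
     "ip": "203.0.113.20", "ua": "Edge/Windows", "interactive": True},
]

# Assumed session lifetime, following the post's "an hour or so".
SESSION_LIFETIME = timedelta(hours=1)


def find_session_replays(events, lifetime=SESSION_LIFETIME):
    """Return one alert per non-interactive event that reuses a live session from a new IP.

    The interactive sign-in that created a session records the client that satisfied MFA.
    A later request on the same session id from a different IP, inside the lifetime,
    is the pattern a replayed (stolen) session cookie produces.
    """
    origin = {}   # session id -> details of the interactive sign-in that established it
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ev["time"])
        sid = ev["session"]
        if ev["interactive"]:
            origin[sid] = {"time": t, "ip": ev["ip"], "ua": ev["ua"]}
            continue
        first = origin.get(sid)
        if first is None or t - first["time"] > lifetime:
            continue   # unknown or already-expired session: not a within-lifetime replay
        if ev["ip"] != first["ip"]:
            alerts.append({"user": ev["user"], "session": sid,
                           "origin_ip": first["ip"], "replay_ip": ev["ip"],
                           "origin_ua": first["ua"], "replay_ua": ev["ua"],
                           "minutes_after_login": int((t - first["time"]).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

In a real tenant the same logic would be fed from the identity provider's sign-in logs and tightened with geolocation or ASN comparison, since a legitimate user changing networks can also change IP.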

I watched the entire demonstration and was floored by the simplicity of the attack. The message here is the same as I emphasize during training: be skeptical, be thoughtful before clicking on links (even those that seem trustworthy). In this scenario the skepticism would be to question the login required to access the documents and to ask for them to be sent a different way (even by secure email, if security was the issue).