Catching Captain Ahab – Fake Companies and the Quest for Sector Specific Threat Intelligence

Introduction

“Call me Ishmael.”

Whaling has been appearing in the news more often as of late, and this isn’t a reference to Herman Melville’s classic novel, Moby Dick.

Whaling is a type of phishing attack that targets those in positions of power within their company. This week, Zepko have turned the tables and created an advanced honeypot in an attempt to catch Captain Ahab, aka the whalers.

Targets

Whaling can affect companies of any size in any industry. Typical targets are CEOs, other senior executives, directors and decision makers.

However, attackers look for the easy targets that offer the most gain for the least effort. This is much like a predator following optimal foraging theory: the animal instinctively weighs the food a prey item will provide against the time and energy spent pursuing it.

Attacks

An attacker will usually start by scanning a specific target's infrastructure, or a range of targets, for known vulnerabilities. They then analyse the scan results to judge whether the vulnerabilities are easy to exploit and worth their 'precious' time.

Next the attacker compiles a list of employee email addresses so that specific staff can be targeted, and from that list sends emails to senior executives that masquerade as legitimate correspondence. These emails will most likely contain a link that downloads malware, or will request a money transfer or further information about the company that helps the attacker carry out a later attack.

Threat Intelligence Gathering

Zepko have created an advanced honeypot in an attempt to catch whalers (Captain Ahab).

As part of our ongoing threat intelligence research we have set up a fake finance company, with the goal of luring in attackers to exploit its web servers, proxies, DNS servers and mail servers and to send us malicious emails.

The fabricated company has a presence on five of the seven continents. The main site states the company's financial strength and lists its senior staff and their contact details, making it an appealing target with the promise of a large financial gain, without making it too obvious that it is, in fact, a honeypot.

Zepko set up social media accounts, including LinkedIn and Twitter (the latter driven by a TwitterBot), to emulate legitimate employees and convince attackers that the company is real. Articles, blog posts and careers pages were also written to flesh out the site's content and make the company sound more believable.

The main site was intentionally configured poorly: it has an open proxy server, an open DNS resolver, vulnerable plugins and a mail server with open relay enabled. To draw attackers to the company, fake leaked credentials (email addresses and passwords) and vulnerability scan logs were posted on popular forums and paste sites.

Monitoring

Zepko will monitor and analyse the connection logs of the proxy and DNS server to gather intelligence. All emails addressed to any address at the company's domain are redirected to a single catch-all mailbox, which makes it easier for analysts to monitor phishing attempts and to pick up malicious files sent via email, such as macro-enabled Word documents disguised as invoices or CVs.
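The triage step described above, as an added example that is not Zepko's own tooling: it walks the messages in a catch-all mailbox, pulls out each attachment and flags the ones that can carry VBA macros. A `.docx` name on its own proves nothing, so the check also opens the OOXML container and looks for a `vbaProject.bin` entry. The sample messages, the honeypot address, the extension lists and the lure words are all constructed for the example.

```python
"""Triage attachments landing in a honeypot catch-all mailbox (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML formats whose extension alone declares that macros may be present (assumed list).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Legacy binary Office formats can carry macros with no hint in the name (assumed list).
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
# Crude substring heuristic for names that dress a lure up as routine paperwork.
LURE_WORDS = ("invoice", "cv", "resume", "remittance", "payment")


def has_vba_project(data: bytes) -> bool:
    """OOXML documents are zip containers; a vbaProject.bin entry means VBA macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all (PDF, plain binary, empty payload)


def triage_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment, with the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in MACRO_EXTENSIONS:
            reasons.append("macro-enabled extension")
        if has_vba_project(payload):
            reasons.append("vbaProject.bin inside OOXML container")
        if ext in LEGACY_OFFICE_EXTENSIONS:
            reasons.append("legacy binary Office format")
        # Only evidence about the file format makes it suspicious; a lure name is context.
        suspicious = bool(reasons)
        if any(word in name for word in LURE_WORDS):
            reasons.append("lure filename")
        findings.append({"from": str(msg["From"]), "to": str(msg["To"]),
                         "filename": name, "suspicious": suspicious, "reasons": reasons})
    return findings


def _ooxml(with_macros: bool) -> bytes:
    """Build a minimal OOXML-style zip; vbaProject.bin marks a macro-enabled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def _message(sender: str, filename: str, data: bytes, subtype: str) -> bytes:
    """Serialise one constructed message addressed to the (made-up) honeypot CFO."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "cfo@example-finance.test"  # constructed honeypot address
    msg["Subject"] = "Please see attached"
    msg.set_content("Hi, the document you requested is attached.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_mailbox() -> list[bytes]:
    """Constructed messages standing in for the redirected mail (not real captures)."""
    return [
        # Harmless-looking .docx whose container carries vbaProject.bin.
        _message("accounts@supplier.test", "Invoice_4471.docx", _ooxml(True),
                 "vnd.openxmlformats-officedocument.wordprocessingml.document"),
        # Benign PDF brochure: no Office container, no macros.
        _message("marketing@partner.test", "brochure.pdf", b"%PDF-1.4\n%%EOF\n", "pdf"),
        # Macro-enabled extension, flagged even though this build has no VBA inside.
        _message("jobs@applicant.test", "CV.docm", _ooxml(False),
                 "vnd.ms-word.document.macroEnabled.12"),
    ]


def suspicious_attachments(mailbox: list[bytes]) -> list[dict]:
    """Flatten the mailbox down to the findings an analyst should look at first."""
    return [f for raw in mailbox for f in triage_message(raw) if f["suspicious"]]


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_mailbox()):
        print(finding["from"], "->", finding["filename"], ":", ", ".join(finding["reasons"]))
```

Run as-is it reports the invoice (macros hidden behind a `.docx` name) and the `.docm` CV, and leaves the PDF alone. The lure-word match is deliberately kept out of the suspicious decision: it is there to help an analyst prioritise, not to convict a file, and a substring check like this will also match innocent names.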

Soon we will report on our findings, but until then…

Save the whales!