Cyber Security: About Whale Phishing, the Deep Web and the Dark Net

Ingrid-Werner

October 28, 2014

The attendees at The Risk Institute Launch and Conference last week learned two new terms from cyber-space: “Whale Phishing,” the “Deep Web,” and the “Dark Net.”  These terms were introduced by Mr. Jeremy Kroll, CEO and co-founder of K2 Intelligence who discussed effective strategies for managing cyber security risks faced by business around the world.   

Whale Phishing

Whale phishing is a new form of cyber crime in the general family of hacker strategies known as spear phishing.  Generally, phishing scams cast a wide net and hope that a few foolish individuals that click on the attachment or link in an e-mail compromising the security of their computer or financial account.  Spear phishing instead targets specific individuals or organizations, aiming to harvest financial information or trade or military secrets that can be used for financial gain.  Whale phishing, or simply whaling, takes this practice to a new level by targeting senior executives and other key leaders in an organization.  Vircom Guest Blogger Megan Horner, Marketing Coordinator at TrainACE, lays out the strategies commonly used in whale phishing attacks, and also explains what to look out for in an article here.

A spear phishing scam targets an employee with access to sensitive information or financial accounts.  It takes the form of an email that looks as if it was sent by a person in a position of authority within the company (the boss) or from outside (a regulator).  For example, a staff member in the purchasing department may get an e-mail from IT requesting that the individual login and reset his or her password.  Malware is used by the attacker to direct the individual to a fake website which is designed for the sole purpose of capturing the username and password for use to access the organization’s network.  The access can be used to manipulate accounts, transfer funds to external accounts, or simply to download sensitive information.

You guessed it, a whale phishing scam follows the same strategy but targets senior management.   The emails used are personalized and often extremely well-crafted, using corporate logos and html templates to convey a sense of authenticity.  The sender’s address looks like it comes from a known person or organization, and often alludes to a sensitive and urgent business matter.  Finally, the matter raised is one that requires the intervention of senior management.  For example, it may be a subpoena and the official-looking email instructs the CEO to click an link to download special software so they can view the subpoena.  According to Megan Horner, a scam like this targeted an estimated 20,000 recipients.  Shockingly, about 10 percent responded and thus downloaded the malicious software, so called malware.  In addition to being used to display the fake subpoena, the malware was actually a key logger that captured anything the CEO typed, including network access credentials and other sensitive information.  Using the opened door, the phishers then launched attacks against the corporations to harvest information, manipulate accounts, and transfer funds external accounts controlled by the phishers.

How does senior management avoid being caught in a whale phishing scam?  Megan Horner lists the following red flags for managers who receive emails with urgent calls to action involving confidential data.

·  The email requires a download or website visit in order to view an official document.
·  The sender’s address is similar but not identical to a familiar one.
·  The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
·  A website requesting personal data does not use encryption. Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign.
·  The communication contains supposedly confidential information that in reality is publicly available

She also suggests that if you cannot quickly verify an email’s authenticity you should immediately call IT Security.  This is good advice for employees and senior managers alike!

The Deep Web and the Dark Net

We have just gotten used to the word cyber-space, and now people start talking about the “Deep Web” or the “Dark Net.”  This is not some imaginary part of the universe, but rather a part of the web that is not accessible to the general public. It is a place where cyber criminals roam and is used for trafficking in drugs, guns, pornography, and credit card information but also in state and military secrets.  According to Amy Wilson, a blogger at K2 Intelligence, an estimated 80% of all online activity takes place in the deep web.

Amy Wilson also explains that world-wide web is tiered.  The top layer is the surface web which is indexed by our popular search engines such as Google, Yahoo, and Bing and is the place where most of us get news, engage in  e-commerce, and share information about organizations and individuals.  The next level is the deep web, which is not accessible using popular search engines as users need passwords or other credentials to get through the doof.  The closed access is often used by hackers in for example the Whale Phishing attacks to set up temporary web sites where stolen information can be sold to the highest bidder.  The third level is the dark net that in addition to requiring passwords or other credentials requires the user to surf anonymously by using applications such as Tor, I2P and Freenet. 

The deep web recently gained publicity through the 2013 shutdown by the FBI of the Silk Road, a site for mail-order drugs run by “Dread Pirate Roberts” and operating on the dark net.   The FBI arrested Ross William Ulrich, who they claim was the Dread Pirate Roberts running Silk Road.  While Ulrich is awaiting trial, and his site is closed down, law enforcement is not necessarily more on top of the mail-order drug business than before.  The reason is that when the monopolist Silk Road closed down, it opened up the market for a slew of tiny drug trafficking bazaars that  cropped up on the dark net, leaving law enforcement with an even bigger problem.

While the most highly-prized targets for cyber criminals are financial institutions, Amy Wilson points out that there are plenty of examples of less obvious victims. These include Sony’s networks of Playstation users that was hacked in 2011, leaking almost 80 million accounts with personal information that was subsequently published online.  Similarly, Goodwill had a credit card breach recently where malware was installed on a third-party system used to process credit card payments, compromising almost 900,000 credit cards.  More information on the Goodwill breach can be found here.

Amy Wilson also provides advice for companies on how to protect themselves against cyber-crime.  The first line of defense is to have a comprehensive cyber security strategy in place.  The second line of defense is to have a constant flow of intelligence scanning the deep web on your behalf.  The number of reported cyber security incidents increased 48% to 42.8 million in 2014 compared to 2013 according to PwC (http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf ), so companies clearly need to heed her advice!

Upcoming events at the Risk Institute

It is that time of year again when campus is filled with the buzz and energy of returning students, new classes, Saturday tailgates and community events.   And as such, we wanted to make sure you are aware of the upcoming events associated with the Risk Institute so you can plan your fall schedule accordingly.

Executive Education Series:
On September 10, 2014, Dr. Keely Croxton, Associate Professor of Logistics at The Ohio State University Fisher College of Business will be leading a session on supply chain resilience.  This three and a half hour session will focus on the identification, measurement and management of supply chain risks and be a great opportunity for firms at all stages of development in the risk management spectrum.  This exec ed session costs $495 and is geared toward senior executives and business unit leaders charged with driving growth and creating value while managing risk.  More information on the session is available here.

Morning Briefing Series:
On September 30, 2014, Dr. Zahn Bozanic, Assistant Professor of Accounting at The Ohio State University Fisher College of Business, will discuss how “big data” is being used to help facilitate regulatory compliance of firms’ external financial reports. This research has been featured in Forbes and CFO.com.  The morning briefings are free, but seating is limited.  Reserve your seat and find out more information here.

The Risk Institute Launch Event and Conference:
On October 22-23, the Risk Institute will be hosting it’s launch event and conference where several leading academic and practitioners will be taking the ‘conversation about risk’ to the next level and examining a variety of aspects that relate to all aspects of risk management.  This cross functional event will cover aspects including financial, reputational, supply chain, cyber security, regulatory and more.  More information on this invitation only event can be found here.

Preparing for supply chain disruption and “100-year events”

john-gray 100x150By Professor John Gray

Tsunamis. Nuclear disasters. Factory fires. These are the kinds of cataclysmic incidents companies often label “100-year events,” putting even the best risk management infrastructures to the test and leaving an indelible stamp on the businesses that survive.

For companies with global reach, however, these so-called 100-year events can occur with striking regularity. For a firm operating in 30 independent regions, the likelihood that they experience at least one “100-year event” in one of those regions in a given year is over 25 percent. Considering each year independent of the other, this company in a half-decade will have a nearly 80 percent likelihood of experiencing at least one 100-year event, making the unpredictable seem, on the contrary, quite predictable.

The incidents themselves don’t indicate a company has taken undue risks or “failed.” In the end, what separates firms with strong risk programs and those with weaker ones is the degree to which they’re aware of risks they face (and have reduced these risks where appropriate), how they detect those risks, and how they respond when an event occurs.

Greif Protest 2014

One Columbus, Ohio-area company, Delaware-based industrial packager Greif experienced its own collision with supply chain risk when one of its plants in Turkey was taken over in the spring. News reports described the takeover as “led by a small radical group of individuals,” reportedly communist workers. The takeover and subsequent plant closing will cost the company $27 million this year, no small change for a firm whose 2013 net income was under $150 million.

From an outsider’s perspective, such an incident can raise many questions: When the company chose Turkey, were these risks considered in comparison with other locations? If they were, how was the risk incorporated into the decision? If not, would they have changed course if this possibility hit the radar? Once the plant was operational, what disruption mitigation plans were implemented? And finally, were there any opportunities for prevention?

It is important to note that Greif already has a well-structured and comprehensive risk management system in place, driven by risk management teams for each strategic business unit. They’re the source of regular monitoring of economic, political and regulatory changes that might impact operations along with education, auditing and compliance management for the company’s global footprint. Even with such a system in place, this incident still occurred, illustrating a brutal truth about supply chain risk management: You can do everything right and will still experience adverse events.

Doing everything right starts with a program that includes four key elements: Assessment, planning, detection, and response.

  • Assessment is crucial as the supply chain is being designed, but it is impossible to assign expected costs to all potential supply chain risks. Companies often use a “red-yellow-green” or slightly more sophisticated coding system to supplement the analysis of quantifiable costs. Assessment also includes evaluations of “time to recover” ( TTR) and “revenue at risk” (RAR) (which goes by other names, including revenue impact and risk exposure) for a given site, which are critical for planning.
  • A key aspect of Planning is Business Continuity Plans (BCPs), which outline steps to be taken in the event of foreseeable disruptions. This is also where firms invest in risk mitigation (for example, owning extra inventory or developing a second source for a component). TTR and RAR provide the justification for such investments.
  • Detection is learning about risks as soon as possible, ideally while they are still developing.
  • Finally, Response is the “real-time” work after an incident has occurred.  Firms with sophisticated supply chain risk systems have “playbooks” to improve responsiveness to many possible incidents.

In the aftermath, companies faced with challenges similar to Greif’s typically revisit their location-related risk management programs and often face another classic problem of risk management: Return on investment. Because quantifying all risks, even probabilistically, is impossible, quantifying ROI is not feasible. Because of this, firms may overinvest in risk management plans after an incident hits close to home, and then scale back programs, ironically, when they have been effective at reducing risk. The general belief in the context of investment in supply chain risk managements currently seems to be “more is better.” As most firms historically have neglected this area, that’s probably a good thing. At some point, though, especially after periods of quiet, CFOs may start asking what return they are getting on risk mitigation plans with such as multiple/backup sources, extra inventory, and a staff working on plans they hope will never be used. Supply chain risk managers will likely need to rely on more and better data on the likelihood and costs of supply chain risks, not just for internal planning but for justification of risk-reducing investments. With the “big data” trend, consultants, entrepreneurs, and even insurance companies are stepping up to try to fill this need. It is far from clear whether supply chain risk will ever be quantifiable enough to develop accurate ROIs for risk-reductions , but it is likely firms will continue to get incrementally better. That’s all anyone, even the CFOs, can ask for.


Professor John Gray is an associate professor of operations at the Fisher College of Business and an affiliated faculty member of The Risk Institute. Prior to receiving his PhD from the Kenan-Flagler Business School at the University of North Carolina – Chapel Hill, he worked for eight years in operations management at Procter & Gamble while receiving an MBA from Wake Forest University. Prof. Gray’s research has received several awards and recognitions, including the 2012 Emerald Citations of Excellence award, the OM Division’s Chan Hahn best paper award at the Academy of Management conference in 2012, and the 2011 Pace Setters award for research at Fisher. He also serves as a senior editor for Production and Operations Management and an associate editor for the Journal of Operations Management. Among his service to professional societies, he is serving a 5-year leadership role for the Academy of Management’s OM Division from 2014-2018.

Interested in supply chain logistics and risk management? Join us for our executive education session on  September 10, 2014  to learn more.  Contact The Risk Institute for details. 

Welcome to our blog!

Managing today’s risk requires a new kind of conversation.  That conversation will start here, and we’re glad to have you with us!

The conversations taking place here promise to be holistic, interdisciplinary, and empowering.  Here at the Risk Institute, we take a comprehensive view of risk management, valuing insight and experience from across academic study and business experience. As we look at real issues faced by real companies, you’ll see posts from a wide range of perspectives, including: strategy, disruption, globalization, operational, market, customer, competitive, reputation, security, legal, regulatory, operations, talent and HR, and finance.  Sound interesting?

Whether you are a risk professional, an academic, or a student of risk, bookmark this site to stay on top of all of the latest issues, research, and thoughts about Enterprise Risk Management.  We’re looking forward to creating dialog with you.