Cyber Security: About Whale Phishing, the Deep Web and the Dark Net

By Professor Ingrid M. Werner, Risk Institute Faculty Member, and Martin and Andrew Murrer Professor in Finance at The Ohio State University Fisher College of Business.

October 28, 2014


Ingrid M. Werner The Risk Institute Faculty Member Martin and Andrew Murrer Professor in Finance, The Fisher College of Business

The attendees at The Risk Institute Launch and Conference last week learned two new terms from cyber-space: Whale Phishing, and the Deep Web and Dark Net. These terms were introduced by Mr. Jeremy Kroll, CEO and co-founder of K2 Intelligence who discussed effective strategies for managing cyber security risks faced by business around the world.   

Whale Phishing

Whale phishing is a new form of cyber crime in the general family of hacker strategies known as spear phishing.  Generally, phishing scams cast a wide net and hope that a few foolish individuals that click on the attachment or link in an e-mail compromising the security of their computer or financial account.  Spear phishing instead targets specific individuals or organizations, aiming to harvest financial information or trade or military secrets that can be used for financial gain.  Whale phishing, or simply whaling, takes this practice to a new level by targeting senior executives and other key leaders in an organization.  Vircom Guest Blogger Megan Horner, Marketing Coordinator at TrainACE, lays out the strategies commonly used in whale phishing attacks, and also explains what to look out for in an article here.

A spear phishing scam targets an employee with access to sensitive information or financial accounts.  It takes the form of an email that looks as if it was sent by a person in a position of authority within the company (the boss) or from outside (a regulator).  For example, a staff member in the purchasing department may get an e-mail from IT requesting that the individual login and reset his or her password.  Malware is used by the attacker to direct the individual to a fake website which is designed for the sole purpose of capturing the username and password for use to access the organization’s network.  The access can be used to manipulate accounts, transfer funds to external accounts, or simply to download sensitive information.

You guessed it, a whale phishing scam follows the same strategy but targets senior management.   The emails used are personalized and often extremely well-crafted, using corporate logos and html templates to convey a sense of authenticity.  The sender’s address looks like it comes from a known person or organization, and often alludes to a sensitive and urgent business matter.  Finally, the matter raised is one that requires the intervention of senior management.  For example, it may be a subpoena and the official-looking email instructs the CEO to click an link to download special software so they can view the subpoena.  According to Megan Horner, a scam like this targeted an estimated 20,000 recipients.  Shockingly, about 10 percent responded and thus downloaded the malicious software, so called malware.  In addition to being used to display the fake subpoena, the malware was actually a key logger that captured anything the CEO typed, including network access credentials and other sensitive information.  Using the opened door, the phishers then launched attacks against the corporations to harvest information, manipulate accounts, and transfer funds external accounts controlled by the phishers.

How does senior management avoid being caught in a whale phishing scam?  Megan Horner lists the following red flags for managers who receive emails with urgent calls to action involving confidential data.

·  The email requires a download or website visit in order to view an official document.
·  The sender’s address is similar but not identical to a familiar one.
·  The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
·  A website requesting personal data does not use encryption. Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign.
·  The communication contains supposedly confidential information that in reality is publicly available

She also suggests that if you cannot quickly verify an email’s authenticity you should immediately call IT Security.  This is good advice for employees and senior managers alike!

The Deep Web and the Dark Net

We have just gotten used to the word cyber-space, and now people start talking about the “Deep Web” or the “Dark Net.”  This is not some imaginary part of the universe, but rather a part of the web that is not accessible to the general public. It is a place where cyber criminals roam and is used for trafficking in drugs, guns, pornography, and credit card information but also in state and military secrets.  According to Amy Wilson, a blogger at K2 Intelligence, an estimated 80% of all online activity takes place in the deep web.

Amy Wilson also explains that world-wide web is tiered.  The top layer is the surface web which is indexed by our popular search engines such as Google, Yahoo, and Bing and is the place where most of us get news, engage in  e-commerce, and share information about organizations and individuals.  The next level is the deep web, which is not accessible using popular search engines as users need passwords or other credentials to get through the doof.  The closed access is often used by hackers in for example the Whale Phishing attacks to set up temporary web sites where stolen information can be sold to the highest bidder.  The third level is the dark net that in addition to requiring passwords or other credentials requires the user to surf anonymously by using applications such as Tor, I2P and Freenet. 

The deep web recently gained publicity through the 2013 shutdown by the FBI of the Silk Road, a site for mail-order drugs run by “Dread Pirate Roberts” and operating on the dark net.   The FBI arrested Ross William Ulrich, who they claim was the Dread Pirate Roberts running Silk Road.  While Ulrich is awaiting trial, and his site is closed down, law enforcement is not necessarily more on top of the mail-order drug business than before.  The reason is that when the monopolist Silk Road closed down, it opened up the market for a slew of tiny drug trafficking bazaars that  cropped up on the dark net, leaving law enforcement with an even bigger problem.

While the most highly-prized targets for cyber criminals are financial institutions, Amy Wilson points out that there are plenty of examples of less obvious victims. These include Sony’s networks of Playstation users that was hacked in 2011, leaking almost 80 million accounts with personal information that was subsequently published online.  Similarly, Goodwill had a credit card breach recently where malware was installed on a third-party system used to process credit card payments, compromising almost 900,000 credit cards.  More information on the Goodwill breach can be found here.

Amy Wilson also provides advice for companies on how to protect themselves against cyber-crime.  The first line of defense is to have a comprehensive cyber security strategy in place.  The second line of defense is to have a constant flow of intelligence scanning the deep web on your behalf.  The number of reported cyber security incidents increased 48% to 42.8 million in 2014 compared to 2013 according to PwC ( ), so companies clearly need to heed her advice!