Whaling: fighting back!

Whaling: fighting back!

DearBytesBlogWhaling: fighting back!

zondag 9 september 2018

A while ago DearBytes received a whaling e-mail. Whaling is a specific type of phishing. Criminals impersonate high-profile employees, for example the CEO or CFO. The criminals try to obtain sensitive information or earn money through the phishing e-mails. The following initial e-mail was sent to DearBytes:

The e-mail seems to be originating from Erik Remmelzwaal. Erik is the Managing director of DearBytes. The e-mail was destinated to Ard Laan, which has a Manager finance position within our organization. This information probably was obtained by the attackers through open sources, such as LinkedIn. There are some indications in above e-mail which shows that this is not a legitimate e-mail, such as:

  • The e-mail is coming from ceoexecs@naver.com.
  • The way we communicate within DearBytes is different.
  • The footer is not an original DearBytes footer.
  • There is a linked image in the footer.

We decided to reply on the e-mail to obtain more information about the attackers. A common technique to obtain an IP-address through e-mail is to inject a so-called ‘pixel’ in to the e-mail. This is an image file which is hosted on a remote website which is owned by our employees. Whenever the e-mail is opened and the image file is loaded from our website, we would obtain information such as the IP-address and User-agent. The pixel technique does not always work out, this depends on the e-mail client that is used. A lot of e-mail clients block by default remote images in an e-mail to prevent leaking this kind of information.


Weten wat je zelf tegen ransomware kan doen?

Lees alles over het voorkomen van ransomware, hoe ransomware werkt en welke preventieve maatregelen jij kan nemen. Download de whitepaper.

Download Whitepaper


We have sent the following reply to the criminals:


We ask them in the e-mail to fill in the form international payments, suggesting this the usual way we perform payments. Also, the pixel was injected, which is marked red in above screenshot. After sending the e-mail, the injected pixel was loaded within 6 minutes:


We can conclude that e-mail was read in a short time. This reading action was performed by a user originating from the IP-address A user agent was retrieved indicating that the criminal is working from a Windows 10 system and a Chrome browser. After looking up the IP-address, it became clear that the IP-address is located in Nigeria.


Nigeria Swifting seems to be a mobile connection provider in Nigeria, which might indicate they are working from a 2G/3G/4G connection. Due to the injected pixel we were able to track some more stuff. The pixel was also loaded when starting to edit an e-mail. This for example happens when they reply to an e-mail and/or forward it. The following screenshot shows that they started to reply on the e-mail 8 minutes later after reading it:


One minute later we received the reply:


Above narrow point something pretty sneaky. After analyzing the e-mail it became clear that they replace the “ceoexecs@naver.com” e-mail address in all previous e-mails. To make the e-mail thread as legitimate as possible. They asked us whether they can send the payments details so we can fulfill the payment. We wanted to implement another and new trick in order to obtain some information, so we prepared our own phishing site. The site could be used to perform a payment, also we added a password field to check what they fill in. We developed the following website:

We created the following e-mail to reply to the criminals, to lure them to our site:

We asked them to fill in our form on the website. Suggesting that this website is the usual way of performing a payment within our organization. Unfortunately, they never clicked our link. They replied on this e-mail with the payment details directly, so we tried to lure them another time to the phishing website. After sending the e-mail, they stopped replying in this e-mail conversation. Probably they are aware that clicking links can be dangerous.

Nevertheless, we had some funny insights into a whaling attack. They are attacking a IT-security company which indicates that they are not researching the kind of company’s they attack. They use open source, for example LinkedIn to search the high-profile employees, after that they ‘just try’ to send an e-mail in the hope for a reply. They are all day on top of their mailbox to scam people, they opened our e-mail quickly after sending them. The people behind this attack were most likely originated from Nigeria, using a Windows 10 PC with Chrome and sending the money to a UK bank. And.. they do not click links L.

A lot of companies are victim of whaling. In some cases, a lot of money is stolen from the victims. Be aware of e-mails which do not look legitimate. Always scan the address the e-mail is coming from, the language, the footer and the contents of the e-mail. Whenever there is an indication the e-mail might be incorrect, ignore the e-mail or verify things by phone.

Wat kun je nog meer tegen Ransomware doen?

Lees alles over het voorkomen van ransomware, hoe ransomware werkt en welke preventieve maatregelen jij kan nemen. Download de whitepaper.

Download Whitepaper