Phishing

Whaling Case Study: Mattel's $3 Million Phishing Adventure

Ki Nang Yip
May 22, 2016 by
Ki Nang Yip

Introduction

Fraud is a tactful criminal practice that never ages. It only evolves with time and technology. Fraudsters have followed advancements in technology closely and moved their operations online. Various phishing schemes, ranging from Nigerian scams and spear phishing to whaling aimed at financial or business gain, are getting increasingly sophisticated. Moreover, cyber criminals can rob and run faster and smarter in this new crime arena thanks to the complexity of international investigation. Problems and criminalities as a result of technology advancement grow much quicker than legislation and law enforcement development around the globe. Most of the time, the authorities can hardly catch up with such fast criminal adaptation. Thus, cybercriminals are emboldened and encouraged to further their schemes targeting financial gain.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

McAfee suggested that the global economy lost around $375 to $575 billion as a result of the fierce and rapid development of various cyber-crimes in an investigation report published in 2014. The former NSA director, Keith Alexander, once stated that cybercrime had constituted the greatest transfer of wealth in human history in 2012. The majority of cybercriminal activities can be identified with attack origins in China and Russia. U.S. corporations suffer a great deal of financial loss following phishing, identity theft and network breaches. Small and medium sized enterprises (SME) are often more vulnerable vis-à-vis online fraud, phishing and network intrusions because of lower budgets and investments in cybersecurity.

Nonetheless, big corporations are not necessarily more resistant and sometimes they risk a much higher loss. Mattel, the biggest toy manufacturer in the world, almost lost three million dollars to a cybercriminal group based in China in mid-2015. Mattel’s dance with the Chinese cyber gang is a great example of how big corporations can also fall prey to a very specific phishing scheme—whaling. Whaling uniquely targets high level management and decision makers. In the media coverage of Mattel’s case, it is estimated that fake C-level executive emails have acquired more than $1.8 billion from U.S. corporations globally. C-level executives should be well informed about the risks coming from disguised phishing emails.

The Chinese cyber gang strategy

Whaling is the main technique utilized in Mattel’s three-million-dollar misfortune. Phishers adopting this strategy painstakingly study the corporate institution’s structure to target a few key people, most of the time, the C-level executives. It is a hit-the-jackpot strategy. They can hack the C-level executives’ work email accounts to investigate classified information or steal these high level mangers’ identities to gain a financial advantage or obtain credit and other benefits. Either method will bring better results than targeting personnel with more limited access to sensitive information about the corporation.

What happened to Mattel in mid-2015 was a vivid whaling case. The cybercriminals behind this attack have been hiding in Mattel’s computer networks to diligently study the corporation’s internal procedures, protocols, corporate hierarchy, supplier information, employee personalities, etc., prior to launching their final whaling attack. It is obvious that the concerned Chinese cybercriminal group had been very patient and they have done a great deal of preparation for this scheme. It was revealed that the Chinese cybercriminals could have launched multiple social engineering and spear phishing attacks to gain initial access to Mattel’s corporate computer network. They were able to exploit the corporate information stored in the compromised computers for a significant period of time. They learned the business’s activities, turnover fluctuations in various regions and, most importantly, the top management’s business decisions. Having succeeded in residing at Mattel’s networks, the cybercriminals were able to constantly monitor the corporation’s development as if they worked in Mattel. They waited for the perfect moment, which came when Mattel decided to appoint a new CEO, Christopher Sinclair, to replace Bryan Stockton in January 2015. The arrival of the new CEO implied changes within higher management which would cause new power struggles in the corporate hierarchy. In other words, the cybercriminals even took into consideration the office politics and human relationships of Mattel to plan their whaling email.

The Chinese cybercriminals saw their chance coming and were ready to deal a death blow to get the jackpot. They cautiously selected a high level executive as the recipient of this delicate whaling email. They drafted the email using the identity of Christopher Sinclair and asked the recipient for a joint approval of payment to a Chinese supplier of Mattel. The payment of three million dollars was to be transferred to a bank in Wenzhou, China. According to Mattel’s internal money transfer protocol, such a payment would require authorization from two high level managers. The recipient qualified, and as the request had come from the new CEO, which signified the other authorization, she did not hesitate and pressed the transfer button . Several hours after the transaction had been made, the concerned manager reported to Christopher Sinclair about the job. He had never sent such an email! The corporation went into panic mode and immediately solicited assistance from the bank and the FBI. Unfortunately, the money was gone, it had already been transferred to China.

Mattel’s China ambition

One may question how easy it seemed to phish a high level manager and thus gain a large reward. It is important not to forget that human factor is above all the most complicated risk to manage. The schemer in this whaling operation also studied Mattel’s overall global business development strategy. Mattel had been very ambitious in the Chinese market for about a decade. The group considers China as the new profit engine. Mattel attempted to position themselves as the market leader in childhood development products. Despite several high profile failures in their market expansion in China, notably the short lived Barbie tower in Shanghai in 2007 to 2009, Mattel has never abandoned the country. Their persistence and efforts finally paid off in 2015 when the group reported that its sales in China increased 43% over the previous year. In the context of this corporate ambition and the change in upper management, the victim executive’s hasty decision becomes understandable. The criminal mastermind behind this operation has collected a lot of information and data prior to sending the key whaling mail.

Despite such an unfortunate human mistake, Mattel got lucky. The money was sent on the 30th of April, which was the eve of the Labor Day golden week holiday in China. Mattel contacted China’s police in time to freeze the concerned bank account prior to the start of bank service after the holiday. Mattel sent the money to China, but the cybercriminals could not claim the jackpot right away. Finally, the three million dollars took a trip to China and went back to Mattel’s U.S. headquarters safely. Mattel was grateful for the Chinese police’s efficiency and they issued an official letter to thank the local authorities.

Mattel is only one of the many corporations that have fallen prey to deliberately well planned phishing schemes. This story vividly demonstrates the complication of investigating and pursuing international cybercrime. Had Mattel not been lucky in the timing of the transaction, the Chinese cybercriminals would have emptied the bank account before the authorities were notified. The culprit behind this operation has still not been arrested.

InfoSec PhishSim—the risk mitigation solution against whaling

In Mattel’s adventure, the cybercriminal group has shown exceptional intelligence, patience and vision in attacking the targeted corporation. While it may seem that those cyberattacks attracting high profile media coverage may not be affecting all types of businesses, institutions tend to underestimate the consequences of a cyberattack that involve their own careless employees. Unfortunately, internal human factor is always the most easily neglected aspect in cyber-defense. Security awareness training should not be limited to general employee training. It should be a priority for everyone in the corporation. Moreover, C-level executives should be aware of how vulnerable they and their identities are in a delicately planned whaling scheme. Your corporation should also review the employees’ sensitivity when it comes to phishing as a general threat against your business.

InfoSec Institute has been delivering innovative cybersecurity solutions in the U.S. for over a decade. Thousands of clients and professionals from the public and private sector have gained insights from InfoSec Institute to enrich their knowledge in cybersecurity. Moreover, we are a recognized certification provider in the country. Please visit our certificates and security awareness training programs here for more information.

InfoSec Institute’s new interactive phishing training platform, Infosec IQ, is an awareness improvement solution built to suit the needs of corporations. The key to keeping in pace with fast evolving phishing tactics is to involve both the trainers and trainees to communicate, share and test new phishing content and strategies. Infosec IQ allows its users to create and build phishing training campaigns for all employees and even the corporation’s business partners. Below is a Mattel whaling template created with Infosec IQ's ready-to-go interface. Innovative phishing ideas and identity disguises are all usable options in Infosec IQ's platform. You are encouraged to try it by setting up your free account here.

1

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Adopt Mattel’s whaling story as your blueprint to phishing your employees. You may be surprised by how vulnerable your corporation really is and what you can do through Infosec IQto fix the human factor risk in cybersecurity. You can develop more template ideas with different phishing techniques on Infosec IQ. Our solution provides over 100 templates to give you inspiration. Register now to take advantage of a 30-day free trial to all features.

Ki Nang Yip
Ki Nang Yip

Ki Nang is a researcher in cybersecurity, industrial espionage and political science. He conducts his PhD research in Paris. He studies state-funded cyber-espionage, political impacts in cyberspace for corporate development, and new forms of cybercrime. In his spare time, he also follows cybersecurity and political issues in China, U.S. and Russia.