CFO whaling at an industrial company · fake CEO mail · 380K TL transfer prevented
On Friday at 16:42 the CFO of an industrial company received a look-alike domain mail "from the CEO": "Urgent supplier payment, 380K TL to this IBAN, reporting on Monday." On DSET's advice an out-of-band verification was performed and the attack was prevented. After the DKIM/SPF/DMARC setup, 18 months clean and the following 4 fake mails were blocked automatically.
01 The Challenge
Friday evening, before the weekend, the CEO on a business trip to Germany with the phone off. The mail to the CFO looked urgent: a supplier payment, reporting on Monday, a 30-minute bank approval window. The fake domain (dsetcompany.com) had been registered a week earlier, and because DKIM/SPF was weak the mail was easily accepted. The attacker had tracked the CEO's trip with APT-style OSINT.
02 DSET's Approach
T+0 · Preliminary analysis
DSET was called in and a mail header analysis was done: SPF=fail, DKIM=none, IP a Latvian VPN. The lookalike domain WHOIS registered a week earlier.
T+15min · Out-of-band verification
A WhatsApp message was sent to the CEO's known second (personal) number. The CEO said "I didn't write anything like that." The attack was prevented.
T+24h · DSET forensic investigation
TTPs: CEO trip tracking via APT-style OSINT (LinkedIn + airline CEO account exposure). The attacker profile was not APT41 but a "financially focused APT" group.