By now we are all familiar with phishing: the attempt to extract valuable information from an unsuspecting user through some form of social engineering. It is usually done by e-mail, but it can also be done by telephone (in which case it is called "vishing").
In the case of an individual, the target is usually the passwords for bank accounts or credit cards, which can be used to drain the victim's bank account or run up purchases on the victim's credit card.
In the case of a business or government entity, the target is credentials that will allow the attacker to gain access to the internal network for theft of financial information, trade secrets, or military secrets.
The stolen information can then be used by the criminal directly or sold on the thriving black market for such information.
Initially, the criminals' technique was "spray and pray": send out a very large number of phishing e-mails and hope for a profitable number of "bites" (usually a small percentage).
However, as the public became better educated about the game, the criminals, as always, adjusted. They began to use a technique called "spear phishing." As the name implies, the phishing attacks were made more believable because they were customized for the victim. For example, the phisher would use a program that scanned a company's web site for names and e-mail addresses. The program would then construct a phishing e-mail that appeared to come from someone inside the company, and the message would look business related, for example: "The IT department is resetting all passwords. Please log into the link below to get your new password." The link, of course, led to the phisher's realistic-looking copy of the company's site, which collected the user name and password.
But now the game has ratcheted up again. A new form of spear phishing has developed that is designed to target senior executives or very wealthy individuals. It is called, naturally enough, "whaling" because it goes after the biggest fish.
Whaling is often successful because it exploits three attributes of its targets:
- Top executives are often exempt from some, or all, of the company’s security policies and / or technologies
- Top executives are often exempted from the security training given to other employees
- Their User IDs and Passwords grant the greatest access
You may also ask why the security tools already in place do not protect the victim. The answer lies in the nature of a whaling attack, which shields it from detection. First, because it is aimed at a specific person or a small group of people, the volume is far too small to show up in the sample and reputation feeds that security software vendors build from mass campaigns. Second, since the attack is not selling anything and was crafted to look very much like legitimate business mail, it passes spam filters easily.
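Because a whaling message passes the spam filter on content, the check worth adding is on the two things the paragraphs above say the attacker forges: a sender that appears to be internal, and a link that points somewhere other than the company's own site. The following script is an added example written for this page, not code from the original article or from any product it mentions. It assumes a hypothetical company domain (example-corp.com) and a small constructed staff directory, parses two constructed messages, and reports a display name that matches an internal sender but arrives from a different address, a sender domain that merely resembles the company domain, and any link whose host is outside the company domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed company domain and staff directory (constructed for this example).
COMPANY_DOMAIN = "example-corp.com"
INTERNAL_STAFF = {
    "it helpdesk": "helpdesk@example-corp.com",
    "jane doe": "jane.doe@example-corp.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, legit):
    """True when `domain` is not `legit` but is built to resemble it:
    same letters with separators moved (examplecorp.com) or the legitimate
    label embedded in a longer name (example-corp-it.com)."""
    if domain == legit:
        return False
    strip = lambda d: d.replace("-", "").replace(".", "")
    if strip(domain) == strip(legit):
        return True
    return legit.split(".")[0] in domain


def body_text(msg):
    """Collect the text/plain content of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts)


def analyze_message(raw):
    """Return a list of finding tags for one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    expected = INTERNAL_STAFF.get(name.strip().lower())
    # Display name claims to be a known internal sender, but the address differs.
    if expected and addr.lower() != expected:
        findings.append("spoofed-internal-name")

    sender_domain = domain_of(addr)
    if sender_domain and is_lookalike(sender_domain, COMPANY_DOMAIN):
        findings.append("lookalike-sender-domain")

    # Every link that does not resolve to the company's own domain.
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            findings.append("external-link:" + host)
    return findings


# Constructed sample messages: the password-reset lure from the text, and a
# legitimate internal message for comparison.
PHISH = """From: IT Helpdesk <helpdesk@example-corp-it.com>
To: ceo@example-corp.com
Subject: Password reset required

The IT department is resetting all passwords. Please log into
http://example-corp.com.login-reset.net/reset to get your new password.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: ceo@example-corp.com
Subject: Board deck

Latest draft is on https://intranet.example-corp.com/board/q3 for review.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_message(raw))
```

The lookalike test is deliberately crude; in practice the staff directory would come from the mail system's address book and the domain comparison would also cover registered lookalike domains and homoglyphs. The point is that none of these checks looks at whether the mail is "spammy", which is exactly the signal a whaling message is built to avoid.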
You may also be wondering how the phishers identify their targets and gather the personal details that make the message convincing. According to a recent article in CSO Update by Rick Cook, they use two primary sources: compromised company databases and networking sites such as LinkedIn and MySpace. [Author's confession: I am a LinkedIn member.] They also mine employee and company blogs, and sometimes the victim's own blog.
In addition, the phishers will often add small touches that set the e-mail apart from the ordinary spam the victim is used to seeing. Specifically, Mr. Cook points out that the e-mail often contains a working phone number to call, which reaches a recording asking the victim to divulge personal information. These numbers are usually VoIP lines, which are easy to set up and nearly impossible to trace after the fact.
Finally, I should point out that in one regard these whaling e-mails are often no different from common spam: they attempt to install malware on the victim's machine that lets the phisher steal the desired information without any action by the victim other than clicking on an embedded link.