Whaling – an advanced and more focused model of Phishing

Whaling describes the most focused type of phishing currently encountered by businesses and governments: targeted attacks against groups of high-level executives within a single organization, or against executive positions common to multiple organizations (e.g. the CTO or CFO).

In a whaling attack, the phisher focuses upon a very small group of senior personnel within an organization and tries to steal their credentials – preferably through the installation of malware that provides back-door functionality and keylogging.

By focusing upon this small group, the phisher can invest more time in the attack and finely tune his message to achieve the highest likelihood of success. Note that these messages need not be limited to email. Some scams have relied upon regular postage systems to deliver infected media – for example, a CD supposedly containing evaluation software from a known supplier to the CIO, but containing a hidden malware installer.

In a recent case, an attacker researched the background of a systems administrator, then sent him an email about a reduced premium health care plan for families of four or more. This appealed to the administrator, who has five children, and enticed him to open the attached form. The form had embedded malware that compromised the target’s computer and gave the attacker a foothold into his corporate network. It also allowed the attacker to impersonate the administrator and garner sensitive information about the company’s operations.

Whaling attacks are harder to detect than phishing expeditions. There’s no obvious signature to detect as in phishing, such as seeing hundreds of copies of a phishing email enter your server. Whaling attacks are also hard to defend against because they often play on executives’ feelings and sense of self-importance.

Because the targets have such high value, whalers can afford to go to very elaborate lengths to make their e-mails appear legitimate. The basis of a successful whaling attack is information about the intended victims, and the more specific the better. At the very least, most whaling attacks involve the name and job title of each potential victim, and the whalers will try to gather more information than that.

A whaling e-mail may even include a working telephone number, something conventional phishing attacks never do. Typically, the number is a VoIP connection, which is hard to trace and easy to take down. Often a recording at the other end of the line will ask the victim for more information.
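The traits described above (a small number of executive recipients, an external sender with no mass-mailing footprint, an attachment, a callback number in the body) can be turned into a mail-gateway heuristic that does not rely on seeing hundreds of identical copies. The following is an added example, not code from the article; the record fields, the executive list, the internal domain and the scoring weights are all assumptions, and the sample messages are constructed.

```python
import re

# Constructed sample of inbound mail metadata, one record per message, in the
# shape a mail gateway might log. "sender_volume" is how many messages that
# sender address has delivered to the organization so far (assumed field).
SAMPLE_MAIL = [
    {"id": "m1", "sender": "alerts@newsletter.example", "recipient": "cfo@corp.example",
     "attachment": False, "body": "Weekly market summary.", "sender_volume": 480},
    {"id": "m2", "sender": "hr-benefits@benefit-plans.example", "recipient": "cfo@corp.example",
     "attachment": True, "body": "Reduced premium family plan, call 555-0142 to enroll.",
     "sender_volume": 1},
    {"id": "m3", "sender": "jane@corp.example", "recipient": "cto@corp.example",
     "attachment": True, "body": "Slides for tomorrow.", "sender_volume": 35},
    {"id": "m4", "sender": "vendor@supplier.example", "recipient": "helpdesk@corp.example",
     "attachment": True, "body": "Invoice attached, call 555-0199.", "sender_volume": 1},
]

# Assumed: the high-value mailboxes a whaler would aim at, and our own domain.
EXECUTIVES = {"cfo@corp.example", "cto@corp.example", "ceo@corp.example"}
INTERNAL_DOMAIN = "corp.example"
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{4}\b")  # crude callback-number pattern


def whaling_score(msg):
    """Return (score, reasons) for one message. Only executive recipients score
    at all; each further whaling trait adds one point (illustrative weights)."""
    reasons = []
    if msg["recipient"] not in EXECUTIVES:
        return 0, reasons
    reasons.append("executive recipient")
    if not msg["sender"].endswith("@" + INTERNAL_DOMAIN):
        reasons.append("external sender")
    if msg["sender_volume"] <= 2:
        reasons.append("sender rarely seen (no mass-mail signature to match)")
    if msg["attachment"]:
        reasons.append("attachment present")
    if PHONE_RE.search(msg["body"]):
        reasons.append("callback phone number in body")
    return len(reasons), reasons


def flag_whaling(messages, threshold=4):
    """IDs of messages at or above the threshold, for analyst review."""
    return [m["id"] for m in messages if whaling_score(m)[0] >= threshold]
```

In the constructed sample only `m2` is flagged: the internal colleague's attachment to the CTO and the high-volume newsletter both score too low, and the invoice to the helpdesk is not an executive target.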

And these types of attacks are on the rise.

This is all the easier nowadays because a great deal of private information about the targets (where they work, with whom they interact socially and professionally, what conferences they attend, when and where they vacation) is now public thanks to the multitude of social and professional networking sites.