Spear phishers are baiting their hooks for "big phish" with access to highly valuable corporate information, a strategy known as whaling. It works like this: Hackers troll the internet, social media, or even corporate websites to gather information on a high-profile target and then craft an enticing email to trick the recipient into believing it comes from a trusted source. Once the target clicks on the email, malicious software is often installed that enables the hacker to gain access to the inner workings of the company or collect information from the target for another attack on an even bigger phish.
Whaling and phishing aren't new, but the threat isn't going way. That's why it's up to companies to take the lead in reducing their own risk.
Phishing, Spear Phishing and Reeling in a Whale
Phishing attacks go way back, and if you use email, you've probably been exposed to a few yourself. In phishing attacks, hackers use email or malicious websites to solicit personal information by posing as trustworthy organizations, such as government organizations or financial institutions. This allows the attackers to request sensitive information. When the user responds with the requested information, attackers can use it to gain access to a user's bank account or steal his or her identity, among other crimes.
Phishing emails, unlike spear phishing and whaling emails, are sent out in bulk, often thousands at a time. Therefore, they are targeted at a general audience. Cybercriminals use this high-volume approach in the hope that a few unfortunate people will take the bait.
Spear phishing is a more targeted phishing attack. It can be used on its own or as part of an advanced persistent threat (APT) campaign. Instead of casting out thousands of emails in the hope of finding a few victims, spear phishers target select groups of people with something in common – they work at the same company, bank at the same financial institution, attend the same college, or order merchandise from the same website. The emails are ostensibly sent by organizations or individuals the potential victims would normally receive emails from, making them even more deceptive. This targeted approach can make spear phishing more effective, and therefore more damaging for its victims. (Read more about APT and the risks it poses in Advanced Persistent Threats: First Salvo in the Coming Cyberwar?)
Whaling takes things one step further. Whaling is a spear phishing attack targeted at senior corporate executives and business owners. The attacker may take months to research the company and find out as much as possible about the potential victim in order to craft the email in a way that seems legitimate to the recipient. Senior executives and business owners are targeted because they tend to have access to the most sensitive information within the company. Once their computer is compromised, the attackers have virtual carte blanche. And for the company, that is very bad news.
Examples of Whaling
One example of a particularly successful whaling campaign occurred in 2008 and involved sending official-looking subpoena emails to 20,000 senior corporate executives. The email indicated that the recipient was required to appear before a federal grand jury, and contained full name, company title, phone number and other pertinent information to trick the recipient into believing it was legitimate.
It worked; about one-tenth of the recipients clicked a link to view the entire document. The link took the recipient to a website that informed the victim that he or she had to install a browser add-on to view the subpoena. Instead, the website downloaded keylogger software that was able to secretly record the executives' login and password information. As a result, the companies were subject to hacking, some of which caused considerable damage. (For more on keyloggers, see Is FBI's Magic Lantern the Ultimate Keylogger?)
Another common strategy for a whaling attack is to exploit the well-known name of the Better Business Bureau (BBB). In this scam, attackers send emails to owners of small and medium-sized businesses claiming to be from a BBB official about a complaint that was filed against the company. One version of the email invites the recipient to click on a link to see the complaint, but, once again, the link downloads keylogger software or other malware designed to steal confidential information. The BBB regularly issues warnings to businesses about these scams. The problem is, it's often hard for victims to tell they're being scammed at all until it's too late.
How to Dodge a Harpoon
So what can companies to do protect themselves? Whaling poses a significant risk for companies, but the steps to prevent it are quite simple. The key is that companies need to be proactive and ensure that their employees follow a few common-sense rules. Here are a few guidelines for employees and executives to follow.
- Be Suspicious of Unsolicited Messages
Individuals should be suspicious of unsolicited phone calls or email messages asking about employees or other internal information. If an unknown person claims to be from a legitimate organization, his or her identity should be verified.
- Don't Provide Personal or Corporate Information
Individuals should not provide personal or corporate information, including about the company’s structure or networks, unless they are certain of a person's authority to have that information.
In addition, individuals should not reveal personal or financial information in an email and should not respond to email solicitations for this information. This includes following links sent in emails.
- Avoid Sending Sensitive Information Over the Internet
In general, especially sensitive information should not be sent via email or over the internet.
- Pay Attention to URLs
Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain, which could signal a phishing attempt.
- Verify Email Requests
If an employee receives a suspicious email, he or she should try to verify it by directly contacting the company from which the email was purportedly sent.
- Be Informed
Information about phishing and whaling attacks is also available online from groups such as the Anti-Phishing Working Group, a nonprofit industry and law enforcement association focused on eliminating the fraud, crime and identity theft that results from phishing, whaling and email spoofing of all types.
The Next Big Catch
Organized crime continues to show an interest in spear phishing and whaling. As long as criminals can make money conducting these attacks, they will continue. For example, although the BBB scams have been going on for a long time, they continue to occur on a regular basis, judging by the frequency of BBB warnings on the subject.
In addition, spear phishing and whaling have become a popular method for advanced persistent threat campaigns, which are often launched by groups with ties to foreign governments. They are designed to infiltrate a company or agency in order to steal sensitive information or valuable intellectual property. These actors spend a long time deciding the most effective way to infiltrate an organization. Targeting senior corporate executives and business owners is often the ticket.
As long as individuals can be tricked into opening malicious emails, the practice of whaling will continue. It is up to senior executives to educate themselves about the dangers of whaling and how to prevent their companies from becoming victims.