'Whaling' threats target the big fish of the corporate world

Whaling has increasingly been in the news thanks to the ingenious ways a new breed of phishermen collect data to carry out scams and the move towards targeting business networking sites.

The proliferation and popularity of collaborative Web 2.0 sites – there are around 250,000 new registrations to Facebook everyday – has changed the threat landscape and the way businesses need to think about security. Each year, newer technologies and weapons are being unleashed to leave Web users surprised, annoyed and at greater risk.‘Whaling’ or ‘spear phishing’, is one such threat and refers to phishing scams which specifically target high-worth individuals.

According to a recent report by iDefense Labs , a noted security and vulnerability research organization, there were 66 distinct spear phishing attacks in the US between February 2007 and June 2008, with the rate of attacks continuing to accelerate. The report goes on to say that spear phishing groups have claimed more than 15,000 corporate victims in 15 months, with victims’ losses exceeding US$100,000 in some cases. Victims include Fortune 500 companies, financial institutions, government agencies and legal firms.

Whaling scams leverage social engineering techniques and contain personal details to trick individuals into thinking the e-mail is genuine. This is an evolution from simple phishing, where e-mails are sent at random, to a much more targeted approach, whereby victims are picked according to their status and supposed wealth. Scammers target these high-level executives through their work e-mail addresses to improve their credibility and include information such as a direct dial telephone number or job title. By making the e-mails seem legitimate rather than looking obviously like spam, these whalers are hoping executives will disclose their bank details and home addresses or will click a link to install malware on their computer.

To emphasise how organised whaling is becoming and the seriousness of the matter, it has been proven that over 95 per cent of whaling attacks are known to have been carried out by just two independent criminal groups . One installs a Browser Helper Object and the other installs a keylogger, both of which perform man-in-the-middle attacks, capable of defeating two-factor authentication. This would involve overcoming two safeguards, such as a password and random memorable security token number.

Tags whaling

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Endpoint Security

Safeguard your corporate and roaming employee endpoints and mobile devices.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.