Whaling: Phishing for a Larger Catch

Whaling is the newest and most insidious practice in the hacker arsenal known as spear phishing. Unlike the wide net cast by phishing scams, spear phishing targets specific organizations or individuals. Attackers are after trade or military secrets, financial information, and other confidential data that can be exploited for profit. Whaling escalates the cyber threat level by targeting senior executives and other leaders in key positions of influence.

How Spear Phishing Works

A spear phishing ploy usually masquerades as an email from a trusted source such as a company department or employee in a position of authority. For example, staff handling sensitive financial data may receive what appears to be a request from the IT department asking them to login and reset their passwords. The attackers use malware or a fake website to capture the credentials and gain privileged access to the organization’s network.

Most employees are aware of malicious spam, and spear phishing tactics have become more sophisticated as a result. A successful attack depends on convincing the target of the message’s authenticity. The email appears legitimate and has a reasonable rationale such as a directive from the company payroll department. The message further builds trust by including relevant and specific information that seems confidential. In reality, this information is usually obtainable through public sources such as business directories.

Whaling to Harpoon the Big Fish

Corporate data harbors significant profit opportunities, and attackers have upped the spear phishing game to target senior executives and other influential personnel. Whaling is the practice of pursuing upper management and their access to sensitive information. A successful attack can yield executive passwords and other account details that can open up corporate hard drives, networks, and even bank accounts. Further, some whaling campaigns target secret military and other government information.

Whaling uses the same techniques as other spear phishing attacks but tailors them to specific recipients in positions of high authority. An email targeting CEOs, for instance, is uniquely addressed to each individual. It is well-written, looks and sounds professional, and may have the logo of a familiar entity such as the Better Business Bureau or the FBI. The senders address resembles that of a known person or organization and may even mimic the address of a trusted employee or business associate such as a client or legal firm. Equally as important, the communication hooks the reader with a sensitive business matter that requires an immediate response.

Spearing the Big Catch

The subject of a whaling email concerns a matter critical to the company and that logically requires the intervention of senior management. Often these take the form of subpoenas and other urgent legal actions, VIP customer complaints, or matters of critical company policy. An infamous example is the 2008 whaling attack that masqueraded as a federal subpoena. The official-looking email instructed CEOs to click a link to download special software with which to view the subpoena. Of the 20,000 estimated recipients, about 10 percent responded and unwittingly downloaded a key logger that captured passwords and other sensitive data and sent it back to the phishers. Armed with access, the phishers launched further attacks against those companies.

A whaling email includes a call to action to open a file, download an attachment, or click on a link. By doing so, the executive unleashes embedded code that gives the hacker access to sensitive information. The code may allow the attacker to remotely control a computer or log keystrokes. Clicking a link takes the executive to a fake website that prompts the user to enter login credentials or financial details in order to access a document, service, or software download. The fake website is designed to look convincingly like the site of the organization it is emulating.

Whaling Warning Signs

Whaling communications prey on managers fears in order to provoke action. Managers who receive emails with urgent calls to action involving confidential data should evaluate them for red flags:

• The email requires a download or website visit in order to view an official document.
• The senders address is similar but not identical to a familiar one.
• The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
• A website requesting personal data does not use encryption. Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign.
• The communication contains supposedly confidential information that in reality is publicly available.

If the recipient cannot quickly verify an email’s authenticity through the purported source, the next call should be to IT Security. It is better to postpone addressing an urgent message than to unleash hacker havoc at the highest levels of an organization.

Along with plundering the private sector, whaling has crossed the line into international espionage. As with traditional spying, the campaigns use technology and social engineering to dupe key individuals into revealing what the attacker wants. Security experts and executives must arm themselves with the means to identify increasingly subtle attacks.