Threat Watch

Whaling Gets Real

Powered by social-networking sites and compromised corporate databases, super-targeted phishing attacks are moving from theory to practice. Here's how to understand this evolving information-security threat and protect your company and its executives

By Rick Cook

Page 2

Typically, the number is a VOIP connection, which is hard to trace and easy to take down. Often a recording at the other end of the line will ask the victim for more information.

Another technique, Paller says, is to have the compromised machine that sent the whaling e-mail automatically respond to replies from the victims with a message assuring them that the attachment is safe to open. "They’ll say something like, ‘Absolutely. You’ll love it,’" he says.

Attacks may take the form of fake messages from a business partner about a "problem with our last order," or a request for specific information on a product feature. "These guys have shifted from telling you to do something [in general] to telling you to do something that is so close to what you do for a living that you can’t afford not to do it," Paller says. "They’re weaving the attack into your job so tightly they don’t allow you to say no."

This is all the more effective because non-IT executives are usually less security-conscious than other high-value targets such as network administrators. Also, the purpose of the whaling e-mail is usually not to collect personal information directly, but to plant malware, such as keyloggers that allow the attacker to gather data at leisure. Because the e-mail doesn’t ask for personal information such as credit card numbers, the victims are likely to feel the e-mail is innocuous.

Late last year SalesForce.com, the online CRM vendor, got hit with an attack that demonstrates how the multi-step version of whaling works. First, a SalesForce employee’s account was compromised by a phishing attack. Then, the attackers used the breach to invade customer accounts at SalesForce and harvest lists of customer contacts. The customer contact lists didn’t contain critical information such as Social Security numbers or passwords, but they did include personal details, such as names and titles, that were needed to tailor the e-mails. The third phase of the attack was spearphishing those stolen contact lists. The attackers sent out thousands of e-mails targeted at executives on the list.

Because of the stealthy nature of whaling attacks, however, researchers say that the publicized examples are atypical. The SalesForce attack was spotted because the stolen database contained information on a large number of companies, many more than Paller says are usually involved in a whaling attack.
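The multi-step SalesForce incident described above turns on one compromised internal account reaching into many customer accounts and pulling contact lists. As an added example, not code from the article or from any vendor, here is a simple detection over constructed audit records that flags an internal user who touches an unusual number of customer accounts, or exports an unusual volume of contacts, within a short window; the record fields, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (not real vendor logs): one record per
# customer-account access by an internal (vendor-side) user account.
# Fields: timestamp, internal user, customer account touched, rows exported.
AUDIT_LOG = [
    ("2000-01-01T09:02:00", "support_jdoe", "cust-0142", 12),
    ("2000-01-01T09:40:00", "support_jdoe", "cust-0142", 3),
    ("2000-01-01T10:15:00", "support_jdoe", "cust-0877", 7),
    # Late the same day a different internal account sweeps many customer
    # accounts in a few minutes, exporting thousands of contacts from each.
    ("2000-01-01T22:01:00", "support_asmith", "cust-0001", 4800),
    ("2000-01-01T22:03:00", "support_asmith", "cust-0002", 3100),
    ("2000-01-01T22:04:00", "support_asmith", "cust-0003", 9900),
    ("2000-01-01T22:06:00", "support_asmith", "cust-0004", 2200),
    ("2000-01-01T22:09:00", "support_asmith", "cust-0005", 5400),
]


def flag_contact_harvesting(log, window=timedelta(hours=1),
                            max_accounts=3, max_rows=10_000):
    """Return {user: (distinct_accounts, rows)} for every internal user who,
    within one sliding time window, exported contacts from more than
    `max_accounts` distinct customer accounts or more than `max_rows` rows.
    The thresholds are assumed baselines, not figures from the article."""
    by_user = defaultdict(list)
    for ts, user, account, rows in log:
        by_user[user].append((datetime.fromisoformat(ts), account, rows))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            rows = sum(r for _, _, r in span)
            if len(accounts) > max_accounts or rows > max_rows:
                prev = flagged.get(user, (0, 0))
                flagged[user] = (max(prev[0], len(accounts)),
                                 max(prev[1], rows))
    return flagged


if __name__ == "__main__":
    print(flag_contact_harvesting(AUDIT_LOG))  # flags only support_asmith
```

The normal support pattern (a few accounts, a handful of rows) stays below both thresholds, while the sweep across five accounts trips both the account-count and the row-volume checks.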

"The best advice I can give people is even if you get an attachment from
