Threats from the Internet are intensifying, leaving both businesses and individuals worried, and security architects working round the clock to ensure a safe virtual world. Each year, newer technologies and weapons are being unleashed to leave Web users surprised, annoyed and at greater risk.
The proliferation and popularity of collaborative Web 2.0 sites – there are around 250,000 new registrations to Facebook every day – has changed the threat landscape and the way businesses need to think about security.
‘Whaling’, or ‘spear phishing’, is one such threat and refers to phishing scams that specifically target high-worth individuals. According to a recent report by iDefense Labs, a noted security and vulnerability research organization, there were 66 distinct spear phishing attacks in the US between February 2007 and June 2008, with the rate of attacks continuing to accelerate.
The report goes on to say that spear phishing groups have claimed more than 15,000 corporate victims in 15 months, with victims’ losses exceeding $100,000 in some cases.
Victims include Fortune 500 companies, financial institutions, government agencies and legal firms. Whaling scams leverage social engineering techniques and contain personal details to trick individuals into thinking the e-mail is genuine. This is an evolution from simple phishing, where e-mails are sent at random, to a much more targeted approach, whereby victims are picked according to their status and supposed wealth.
Scammers target these high-level executives through their work e-mail addresses to improve their credibility and include information such as a direct dial telephone number or job title. By making the e-mails seem legitimate rather than looking obviously like spam, these whalers are hoping executives will disclose their bank details and home addresses or will click a link to install malware on their computer.
To emphasise how organised whaling is becoming, and the seriousness of the matter, it has been established that over 95 per cent of whaling attacks were carried out by just two independent criminal groups.
One installs a Browser Helper Object and the other installs a keylogger, both of which perform man-in-the-middle attacks capable of defeating two-factor authentication. This involves overcoming two safeguards at once, such as a password combined with a randomly generated security token number.
Some recent whaling scams seemed so genuine that the organisations named as the sender have had to deny any involvement and urge the public not to act on the suspect e-mails. A recent high-profile example was when e-mails were sent to US executives claiming to be court subpoenas. The bogus e-mails contained links which, if clicked on, installed software allowing hackers to take control of computers and access passwords or other sensitive data.
The e-mails included the seal of the US federal court in San Diego, the executive’s name, company’s address and even the correct phone number. The e-mails were made to appear even more believable as both the e-mail address and website links looked very similar to those of the legitimate US court. Whoever these whalers were, they were successful, with the e-mails experiencing a very high click-through rate.
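The subpoena campaign relied on two things a mail gateway or an analyst can check mechanically: a sender domain that merely resembles the legitimate one, and link text that shows one address while the underlying link points somewhere else. The following Python script is an added example, not part of the original article and not a tool from any of the organisations it mentions; it assumes a small allowlist of domains the recipient trusts, and the trusted domain, the sample message and every host name in it are constructed for illustration.

```python
"""Flag look-alike sender domains and mismatched links in a suspicious e-mail.

Added example (not part of the original article). The allowlist, the sample
message and all host names below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the one domain this recipient expects court mail from.
TRUSTED_DOMAINS = {"courts.example.gov"}

# HTML anchors (href plus visible text) and bare URLs inside the body.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character 'typo' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    host = host.lower().rstrip(".")
    for t in trusted:
        # Exact match or a genuine subdomain of the trusted name.
        if host == t or host.endswith("." + t):
            return "trusted"
    for t in trusted:
        # Trusted name embedded in a longer, unrelated host
        # (e.g. courts.example.gov.subpoena-notice.com).
        if t in host:
            return "lookalike"
        # Near-miss spelling of the trusted name (e.g. c0urts.example.gov).
        if edit_distance(host, t) <= 2:
            return "lookalike"
    return "unknown"


def analyse_message(raw: str) -> dict:
    """Check the From: domain and every link in a single-part text/HTML body."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    findings = [("sender", sender_domain, classify_domain(sender_domain))]

    body = msg.get_payload()
    for href, text in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        findings.append(("link", href_host, classify_domain(href_host)))
        # Visible text shows a URL whose host differs from where the link goes.
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if shown_host != href_host:
                findings.append(("link-text-mismatch",
                                 f"{shown_host} -> {href_host}", "mismatch"))

    verdict = ("suspicious"
               if any(v in ("lookalike", "mismatch") for _, _, v in findings)
               else "clean")
    return {"verdict": verdict, "findings": findings}


# Constructed sample modelled on the fake-subpoena pattern described above.
SAMPLE_EMAIL = """\
From: "US District Court" <clerk@courts.example.gov.subpoena-notice.com>
To: ceo@victim.example.com
Subject: Subpoena in a civil case

You are required to appear. Review the subpoena at
<a href="http://c0urts.example.gov/subpoena/1234">http://courts.example.gov/subpoena/1234</a>
"""

if __name__ == "__main__":
    result = analyse_message(SAMPLE_EMAIL)
    print(result["verdict"])
    for kind, value, label in result["findings"]:
        print(f"  {kind:20} {label:10} {value}")
```

Both tricks surface in the output: the sender domain is flagged because the trusted name is buried inside an unrelated host, the link is flagged because its host is one character away from the trusted one, and the anchor is flagged because the displayed URL and the real target disagree. The allowlist approach only works for domains the organisation has enumerated; anything else is reported as "unknown" rather than being trusted by default.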