Last year, a senior executive in charge of customer satisfaction at his company opened an email with the subject "customer complaint" that appeared to be sent from the Better Business Bureau. He followed a link to see details of the complaint.
"If he had stopped to examine the URL carefully, he would have seen that it was a trap. But during a busy work day, that hardly happens," says Jonathan Gossels, president of SystemExperts, a security consulting firm. The message was a whaling attack, built on spear-phishing techniques and intended to gather information about the company.
In another recent case, an attacker researched the background of a systems administrator, then sent him an email about a reduced premium healthcare plan for families of four or more. This appealed to the administrator, who has five children, and enticed him to open the attached form. The form had embedded malware that compromised the target's computer and gave the attacker a foothold into his corporate network. It also allowed the attacker to impersonate the administrator and garner sensitive information about the company's operations, says Rohyt Belani, CEO of Intrepidus Group, a security consulting and training firm.
These whaling attacks are a form of personalised phishing, or spear phishing, aimed at senior executives or others in an organisation who have access to lots of valuable or competitive information. While phishers generally go after consumers for bank account data, passwords, credit card numbers and the like for financial gain, whalers most often target people who have inside information or can provide ongoing access to systems. Thus, the cost of being harpooned can be huge.
Whaling attacks are harder to detect than phishing expeditions. There's no obvious signature to detect, as there is with mass phishing, such as hundreds of copies of the same email hitting your mail server. Whaling attacks are also hard to defend against because they often play on executives' feelings and sense of self-importance.
And security experts say these types of attacks are on the rise.
"As more private information becomes public, through social media sites and otherwise, targeting specific individuals within companies has become easier for hackers and thus a preferred method of attack," says Kim Peretti, a director in the forensic services practice at the PricewaterhouseCoopers consulting firm.
"This proliferation of information on individuals: where they work, with whom they interact socially and professionally, what conferences they attend, when and where they vacation, has enabled hackers to determine not only which individuals at companies may hold the keys to the kingdom, but also to which messages these [people] are most likely to be duped into responding," Peretti says.
What can you do to protect your corporate whales from getting harpooned? Follow these five best practices, experts say.
1. Learn what a whaling attack is and how to identify actual threats and attacks
How do you know if you're the target of a whaling attack? Unfortunately, if the whaler has done lots of research and effectively copied the signature and other known characteristics of your email, you generally won't know you're being attacked because there really aren't any obvious telltale signs, says Robert Siciliano, a security consultant and identity theft expert.
Still, there are things you can look out for, Siciliano says. Watch for odd requests, links that don't fit normal everyday communications, and attachments that the purported sender would not normally send. If you get an email that appears to be sent by a colleague but seems suspicious, check with the person to make sure he or she actually sent it, says Intrepidus's Belani. And keep in mind that some of the most common whaling techniques involve emails purportedly sent from one member of the executive management team to another.
In general, always be suspicious of unsolicited email. "Never click through links in an email message from someone you don't know, unless you initiated the email exchange," says SystemExperts' Gossels. "You should be suspicious when an email message sender knows too much about you."
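The checks above (examine the URL, be wary of links that don't fit normal communication, and of mail that claims to come from a fellow executive) can be automated at the mail gateway. The following is an added example, not code from the article or from any of the firms quoted; the executive roster, the domains and the sample message are constructed for illustration, with the lure modelled on the "customer complaint" email described at the top of the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed executive roster (display name -> genuine address); hypothetical values.
EXECUTIVES = {"pat jones": "pat.jones@example.com"}
# Matches <a href="...">text</a>; enough for the simple HTML bodies of lure emails.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw: str) -> list[str]:
    """Return whaling indicators found in one raw RFC 5322 message (text/html body)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # 1. Display name of a known executive, but the address is not that executive's.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' impersonates an executive; sender is {addr}")
    # 2. Reply-To routed to a domain other than the visible sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To {reply_to} differs from From domain {domain_of(addr)}")
    # 3. Links whose visible text names one host while the href points at another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != real_host:
            findings.append(f"link text shows {shown.group(1)} but href goes to {real_host}")
    return findings

# Constructed sample modelled on the "customer complaint" lure described above.
SAMPLE = """\
From: Pat Jones <pat.jones@mail-example.net>
Reply-To: casework@bbb-complaints.example.net
Subject: Customer complaint
Content-Type: text/html

<p>A complaint has been filed against your company. Review it at
<a href="http://bbb-complaints.example.net/c/1">https://www.bbb.org/complaint/1</a></p>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("WARNING:", finding)
```

All three heuristics fire on the sample; a message from the executive's real address with a link whose text and target agree produces no findings.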
2. Make your executives take the time to learn how to avoid being harpooned
No matter how busy executives might be, or how much they resist going through security awareness instruction, they need to attend training sessions on a regular basis.
This includes instruction on what to look for in suspicious emails, as well as how to identify in-person whaling attacks, where an individual who might appear trustworthy gathers information over a period of months that can be used to access corporate systems.
Most executives exclude themselves from periodic security awareness exercises, even though they're the very people who should be conditioned doubly hard to thwart targeted phishing attacks, Belani says.
Make it mandatory that not only executives take training, but also their administrative assistants, who can play a key role in thwarting attacks targeting their bosses. Training sessions don't have to be excruciatingly boring for attendees. Consider including videos of simulated social engineering schemes, or have the security team act out such a scenario.
In addition to providing training, keep people continuously informed about whaling threats and incidents. Ocean Bank sends out monthly "security awareness" bulletins to everyone in the organisation, advising people about threats such as whaling, phishing and malware, with tips on how to avoid them.
"We keep them constantly aware, so if they're targeted they will know and report it back to us," says Sergio Pinon, senior vice president of security for the Florida bank and chairman of the Financial Institution Security Association. But be sure to keep these updates short and simple. If they're too lengthy, most people won't bother to read them.
Aside from training people in how to avoid being a whaling victim, reiterate the importance of protecting valuable data such as intellectual property. According to the 2011 Data Breach Investigations Report, conducted by the Verizon Risk Team, the US Secret Service and the Dutch High Tech Crime Unit, there have recently been more targeted attacks aimed at specific types of data that aren't typically stolen in bulk, such as certain varieties of sensitive organisational data and intellectual property.
3. Do your own penetration testing and social engineering
How well did attendees of security training classes pay attention to what they heard? Why not find out by running some tests?
Owen McCusker, principal analyst at Sonalysts, a security consulting firm, says some of his firm's clients follow up their training with an "inoculation process," in which administrators send out emails that include characteristics of known whaling attacks to handpicked individuals, to see how they react. If they respond to the message, they get a reply alerting them of their failure to follow the instructions of the training sessions.
Patricia Titus, chief information security officer at technology services provider Unisys, says in a previous job as CISO at the Transportation Security Administration, she and her staff periodically called people in the organisation at random to try to socially engineer them into giving up information they should not be sharing. She plans to conduct similar activities at Unisys.
These inside attacks tend to get the point across. "Once you do it, everyone hears that story, and it shows that we really do care about this stuff," says Titus, who has been the target of a whaling attack from outside. "We want a security-minded workforce." She says the tests are not just aimed at senior executives, but at workers such as help desk employees who have access to information such as system passwords.
In addition to periodic testing, the Unisys security team conducts individual consulting with people who are repeat offenders against security policy. There might be a root cause behind the behaviour, Titus says, so instead of just telling people they can't go to certain sites, or blocking access, the security team analyses why the activity is happening. Eighty percent of the time, it's happening out of ignorance, she says.
4. Use common sense with social networking
Facebook, LinkedIn and other social networking sites have become valuable tools for building business contacts and for online collaboration and recruiting. But they're also places where whalers go to gather information that they can use in attacks.
"The criminals behind whaling are doing their research on company websites, finding key individuals to pose as and following up their research on Facebook and LinkedIn to make the phishing emails more personal," says independent consultant Siciliano.
Some companies ban business use of social networking outright. For example, Ocean Bank doesn't allow employees to use sites such as Facebook and YouTube for any work purposes, and it blocks access to these sites from its corporate network. When people need access to social networking sites from work, they must first gain permission from the information security department, says Ocean Bank's Pinon. This applies even to senior executives.
For most organisations, blocking or curbing social media activity is not realistic. Still, there are things you can do to avoid helping out the whalers. As websites such as LinkedIn recommend, don't connect with people you don't know, and don't trust whoever sends an invite just because it sounds like a potential customer or business partner.
Be sensible about what you post: "Not revealing too much information on the publicly visible portions of social networking profiles can help significantly," says Intrepidus's Belani. "If an attacker is able to determine from someone's Facebook profile, without being connected as a friend, where they grew up, their marital status, date of birth, etc., they can craft a message that is very appealing and win over their confidence easily to act on the email link."
Practice safe browsing to avoid viruses and keystroke capture programs, says SystemExperts' Gossels: Keep your antivirus/malware detection software up to date, keep your browser updated to automatically block known attacks and known bad sites, separate work and play (consider using a separate browser for each) and if you must download content be sure to scan it for malware before running it.
5. Use security technology to help thwart attacks
Sure, whalers can get around some security systems. But companies should still take advantage of the capabilities of available security technology, such as email-embedded digital signatures. The use of digitally signed email allows people to create their own trusted contacts and can increase the privacy of their emails, says Sonalysts' McCusker. Other security tools, such as spam filters, firewalls and intrusion detection and prevention systems, can help incrementally reduce the threat, he says.
Event aggregation and correlation products can be used to identify whaling and related behavioural activities. Emerging intelligent response tools such as Mandiant's Intelligent Response agent can help minimise the impact of a whaling attack after it occurs.
"Response technologies provide actionable and collective intelligence that can increase an organisation's ability to mitigate whaling-based attacks and decrease the time to recover their critical business processes [and] decrease their chances for reinfection after the first attack," McCusker says.
Some security products such as firewalls can be fine tuned with additional rule sets to look out for potential whaling activities and other suspicious anomalies, McCusker says. Security forensics systems can also be used to analyse what took place during an attack, so companies can be aware of an ongoing attempt to compromise corporate systems, he says.
But as security columnist Roger A. Grimes notes, you can't rely on automated security tools alone to safeguard your users, information and network; you have to do hands-on investigation and monitoring as well.
Whaling is a serious threat that preys on users' benign faith
Experts say whaling should be taken seriously as a threat. "Most of us go through life feeling that we are anonymous, just another face in a crowd and that no one is specifically watching us," says SystemExperts' Gossels. "Whaling preys on that human trait. It takes only seconds to learn names, roles, email addresses and phone numbers. Suddenly, someone is capable of watching you and you don't know it."
To reduce the chances of being whaling victims, those in key roles need to recognise that they are potential targets and behave defensively.