Phishing attacks can come in many different forms. By now, the risks associated with phishing and targeted spear-phishing attacks are well known and documented throughout the security industry. What is often overlooked are the hidden threats related to phishing. Today, phishing goes far beyond Nigerian wire transfer scams rife with poor grammar. Although we still see newer variations of the old 419 scam in use, we also see an increase in highly evolved campaigns targeting corporate executives or government officials.
What Exactly is Whaling & Why is it Successful?
Similar to spear phishing, whaling is a highly targeted attack that goes after an organization’s “big phish.” Big phish are high-value individuals whose credentials or access to resources, if compromised, could endanger the entire business. In whaling attacks, big phish are carefully chosen because of their position within the organization. Whaling attacks also may differ from phishing attacks in terms of scope. The number of emails distributed is very small compared to a massive phishing campaign that might involve hundreds, thousands, tens of thousands, or more e-mails being sent. Whaling attacks can be more difficult to detect because they are stealthier and fewer in number. Attackers favor senior executives, high-level officials in private businesses, or even those with privileged access to government information.
Often the content of whaling emails is high level, specifically designed for senior management, and can even take the form of an official report containing highly confidential information. Sometimes emails contain extremely personal content certain to appeal to the individual. Whalers also make proper use of corporate logos and leverage real, spoofed phone numbers. Because of the high-value targets, whalers can afford to invest more time and effort in crafting the attack, for far higher chances of success.
Unfortunately, any executive with high-level corporate access runs the risk of being targeted in a whaling attack. To complicate matters, executives who have not had proper training will often not be as adept at picking out seemingly legitimate email-based attacks. Due to geographically dispersed teams and a plethora of tools used for communication (email, IM, Skype, Dropbox, LinkedIn, Lync, Google+, etc.), there is a decrease in personal interaction and an increase in new attack vectors through which whaling attacks can be carried out.
Social Media – Foundation for a Whaling Attack
The foundation of a successful whaling attack is information about the intended victim. Powered by corporate databases and social networking sites, any bit of information an attacker can find will be useful. At the very minimum, most whaling attacks involve the name, job, and some very basic details about the targets; however, whalers will try to obtain more than just the basic information. For example, if a whaler can find out about a specific hobby or charity that an executive is involved with, the attacker can craft a personal email that the unsuspecting victim is highly likely to click. Executives with open, public profiles are ground zero for whaling attacks. Whalers can use birthdates, addresses, obituary notifications, and more to siphon information on targets and entice them to click. The source of information, however, is not limited to OSINT. Sometimes attackers will target third-party companies to get their foot in the door, or even begin with a phishing attack to gather general information that can be used to escalate an attack to the primary targets.
Whaling attacks are a very targeted type of phishing attack, and phishing attacks aren’t going away anytime soon – they’re far too effective. A recent McAfee quiz presented 10 email messages, a mixture of genuine messages and phishing campaigns, to test business users’ ability to detect online scams, and a whopping 80% of participants failed to detect at least one of the seven phishing emails. When armed with real information, these types of attacks are extremely difficult for the uneducated user to detect.
What Can You do to Stop Corporate Whaling?
First and foremost, every corporate executive should have their social media profiles locked down. This doesn’t mean refrain from using social media, but it does mean implementing privacy restrictions to prevent unknown individuals from viewing what could be sensitive information. If for some reason your job means you have to be in the public eye, then at the very least you need to be educated on how that information can be used against you.
It’s recommended that all corporate information security professionals and red teams have an accurate idea of what open source intelligence is out there that could potentially be used against the organization. If you are unsure where to even start with this, contact our team to discuss how you can conduct and benefit from a social engineering risk assessment.
Traditionally, the security industry has focused on technical attacks that lead to breaches, but it’s high time for organizations to focus on the tactics and techniques attackers may use to circumvent technical controls. A good place to start is with the assessment of your organization’s overall susceptibility to phishing attacks to determine a baseline. Our team here at Social-Engineer, LLC is dedicated to security through education. Contact us today to learn more about how a managed phishing program can be carefully crafted to fit your organization’s unique needs.