With targeted phishing attacks on the rise, it's no surprise that cybercriminals are doing their research and aiming at those with the most to lose -- executives.
According to security vendor MessageLabs, targeted phishing -- e-mail scams that are directed at certain employees at an organization or members of a group, also called spear phishing -- has grown significantly in the past two years. In 2005, the company would see roughly two targeted phishing e-mails per week; the company now sees roughly 10 per day, according to Paul Wood, senior analyst with MessageLabs.
Earlier this year, the company spotted two outbreaks of what is now being called whaling. In these scams, phishers find the name and e-mail address of a company's top executive or handful of executives -- often information freely available on the Web -- and craft an e-mail specific to those people and their role at the company. The e-mail attempts to lure the executives into clicking on a link that will bring them to a Web site where malware is downloaded onto their machine that can copy keystrokes or ferret out sensitive information or corporate secrets, according to Wood. The e-mails purport to be from the Better Business Bureau to alert the executives of a complaint posted on a Web site, or from a recruitment company or information about an invoice, Wood says.
In June, MessageLabs' hosted e-mail security service caught 514 e-mails bound for its customers all targeted at C-level executives in various organizations in a two-hour period. In September another blast consisted of 1,100 whaling attacks within 15 hours. The company believes the same organization is behind the blasts.
What's unique about whaling is its reliance on research and social engineering. Traditionally spam, and to some extent phishing, depends on reaching the greatest number of people with the smallest amount of effort, considering the response rate to these e-mail abuses tends to be miniscule but still enough to make the practice worth it. With whaling, the sender must do some upfront research about the target as well as the subject in order to craft an e-mail that sounds convincing, says Wood.
"It's really the social engineering that has tipped the balance now; now [phishers] are becoming much more technologically sophisticated as well as applying psychology to what they're doing," he says. "Now they conduct a lot of research before they attack, so it becomes much more difficult to recognize those attacks."
This is particularly true for executives who don't read their own e-mail, he adds. For example, if an assistant sees an e-mail in the CEO's in-box regarding and invoice, he may automatically forward it to the finance department, which then believes the e-mail is from the CEO, opens it, and clicks on the link.