The proliferation and popularity of collaborative Web 2.0 sites – there are around 250,000 new registrations to Facebook everyday – has changed the threat landscape and the way businesses need to think about security. Each year, newer technologies and weapons are being unleashed to leave Web users surprised, annoyed and at greater risk.‘Whaling’ or ‘spear phishing’, is one such threat and refers to phishing scams which specifically target high-worth individuals.
According to a recent report by iDefense Labs , a noted security and vulnerability research organization, there were 66 distinct spear phishing attacks in the US between February 2007 and June 2008, with the rate of attacks continuing to accelerate. The report goes on to say that spear phishing groups have claimed more than 15,000 corporate victims in 15 months, with victims’ losses exceeding US$100,000 in some cases. Victims include Fortune 500 companies, financial institutions, government agencies and legal firms.
Whaling scams leverage social engineering techniques and contain personal details to trick individuals into thinking the e-mail is genuine. This is an evolution from simple phishing, where e-mails are sent at random, to a much more targeted approach, whereby victims are picked according to their status and supposed wealth. Scammers target these high-level executives through their work e-mail addresses to improve their credibility and include information such as a direct dial telephone number or job title. By making the e-mails seem legitimate rather than looking obviously like spam, these whalers are hoping executives will disclose their bank details and home addresses or will click a link to install malware on their computer.
To emphasise how organised whaling is becoming and the seriousness of the matter, it has been proven that over 95 per cent of whaling attacks are known to have been carried out by just two independent criminal groups . One installs a Browser Helper Object and the other installs a keylogger, both of which perform man-in-the-middle attacks, capable of defeating two-factor authentication. This would involve overcoming two safeguards, such as a password and random memorable security token number.