'Whaling' threats target the big fish of the corporate world

Whaling has increasingly been in the news thanks to the ingenious ways a new breed of phishermen collect data to carry out scams and the move towards targeting business networking sites.

High-profile incidents

Some recent whaling scams seemed so genuine that the organisations quoted as the sender have had to publicly deny involvement and urge the public not to act on the suspect e-mails. A recent high-profile example was a run of e-mails sent to US executives claiming to be court subpoenas. The bogus e-mails contained links which, if clicked, installed software allowing hackers to take control of computers and access passwords or other sensitive data. The e-mails included the seal of the US federal court in San Diego, the executive’s name, the company’s address and even the correct phone number. They were made to appear even more believable because both the sender address and the website links looked very similar to those of the legitimate US court. Whoever these whalers were, they were successful: the e-mails achieved a very high click-through rate.

Social engineering and social networking sites

How are these cyber-criminals getting hold of such precise personal and business information? The black market for stolen data is a well-developed and established practice, but a new method is emerging: using information gleaned from social and business networking sites. Users of these sites regularly display birth dates, e-mail addresses and job titles, as well as information about where they live and their family, friends and work colleagues, all of which can be used in a phishing or whaling scam.

In the large majority of cases, users are unaware of the size or nature of the audience accessing their profile data, and the sense of intimacy created by being among ‘digital friends’ can often lead them to disclose highly valuable and marketable information.

Originally, users of internet networking sites were the younger generation, who did not hold a great deal of appeal for cyber-criminals hoping to cash in on their scams. Yet over the past couple of years, the boom in social and business networking sites like Facebook and LinkedIn has seen older users with established careers joining up. These are the "big fish" whalers are hoping to land, and the reason the volume of whaling attacks continues to increase.

What is more, while phishers have probably been looking at social networking sites for some time, it is only recently that the cyber-criminals’ attention has been drawn to LinkedIn and other business networking sites. Whalers have started targeting their victims directly through these sites in so-called ‘419 scams’, which used to be conducted via e-mail. Business networking sites enable whalers to target VPs, MDs and C-level executives because the information is right there in front of them.

Whaling statistics

  • Between February 2007 and June 2008, malicious code from the 66 whaling/spear-phishing attacks that occurred targeted over 50 financial institutions in the US
  • Attacks are often well timed to coincide with events such as tax day, Microsoft Patch Tuesday and month-end
  • The malicious payload is split 50/50 between links and attachments
  • For more than 12 months, the malicious code has been capable of defeating most two-factor authentication systems
  • Attack volume reached new highs in April and May of 2008, with ten and nine attacks respectively
  • Attacks in May 2008 alone netted over 2,000 victims
