'Whaling' threats target the big fish of the corporate world
- 10 September, 2008 14:50
The proliferation and popularity of collaborative Web 2.0 sites – there are around 250,000 new registrations to Facebook every day – has changed the threat landscape and the way businesses need to think about security. Each year, newer technologies and weapons are being unleashed to leave Web users surprised, annoyed and at greater risk. ‘Whaling’, or ‘spear phishing’, is one such threat and refers to phishing scams which specifically target high-worth individuals.
According to a recent report by iDefense Labs, a noted security and vulnerability research organisation, there were 66 distinct spear phishing attacks in the US between February 2007 and June 2008, with the rate of attacks continuing to accelerate. The report goes on to say that spear phishing groups have claimed more than 15,000 corporate victims in 15 months, with victims’ losses exceeding US$100,000 in some cases. Victims include Fortune 500 companies, financial institutions, government agencies and legal firms.
Whaling scams leverage social engineering techniques and contain personal details to trick individuals into thinking the e-mail is genuine. This is an evolution from simple phishing, where e-mails are sent at random, to a much more targeted approach, whereby victims are picked according to their status and supposed wealth. Scammers target these high-level executives through their work e-mail addresses to improve their credibility and include information such as a direct dial telephone number or job title. By making the e-mails seem legitimate rather than looking obviously like spam, these whalers are hoping executives will disclose their bank details and home addresses or will click a link to install malware on their computer.
To emphasise how organised whaling is becoming and the seriousness of the matter, it has been established that over 95 per cent of whaling attacks were carried out by just two independent criminal groups. One installs a Browser Helper Object and the other installs a keylogger, both of which perform man-in-the-middle attacks capable of defeating two-factor authentication. This involves overcoming two safeguards, such as a password and a random security token number.
High-profile incidents
Some recent whaling scams seemed so genuine that the organisations being quoted as the sender have had to refute this and urge the public not to act on the suspect e-mails. A recent high profile example was when e-mails were sent to US executives claiming to be court subpoenas. The bogus e-mails contained links which, if clicked on, installed software allowing hackers to take control of computers and access passwords or other sensitive data. The e-mails included the seal of the US federal court in San Diego, the executive’s name, company’s address and even the correct phone number. The e-mails were made to appear even more believable as both the e-mail address and website links looked very similar to those of the legitimate US court. Whoever these whalers were, they were successful, with the e-mails experiencing a very high click-through rate.
Social engineering and social networking sites
How are these cyber-criminals getting hold of such precise personal and business information? The black market for stolen data is a well developed and established practice, but a new method is emerging – using information gleaned from social and business networking sites. Users of these sites regularly display birth dates, e-mail addresses and job titles, as well as information about where they live and their family, friends and work colleagues – all of which can be used in a phishing or whaling scam.
In the large majority of cases users are unaware of the size or nature of the audience accessing their profile data and the sense of intimacy created by being among ‘digital friends’ can often lead to users disclosing highly valuable and marketable information.
Originally, users of internet networking sites were the younger generation, who did not hold a great deal of appeal for those cyber-criminals hoping to cash in on their scams. Yet over the past couple of years, the boom in social and business networking sites like Facebook and LinkedIn has seen older users with established careers joining up. These are the "big fish" whalers are hoping to land, and the reason the volume of whaling attacks continues to increase.
What is more, while it is likely phishers have been looking at social networking sites for some time, it is only recently that the cyber-criminals’ attention has been drawn to LinkedIn and other business networking sites. Whalers have started targeting their victims directly through these sites in so-called ‘419 scams’, which used to be conducted via e-mail. Business networking sites enable whalers to target VPs, MDs and C-level executives because the information is right there in front of them.
Whaling statistics
- Between February 2007 and June 2008, malicious code from the 66 whaling/spear phishing attacks which occurred targeted over 50 financial institutions in the US
- Attacks are often well timed to coincide with events such as tax day, Microsoft Patch Tuesday and month-end
- The malicious payload is split 50/50 between links and attachments
- For more than 12 months, the malicious code has been capable of defeating most two-factor authentication systems
- Attack volume reached new highs in April and May of 2008 with ten and nine attacks, respectively
- Attacks in May 2008 alone have netted over 2,000 victims
Vigilance is key
Cyber-criminals will capitalise on every opportunity to exploit these new Web 2.0 technologies to commit fraud or extortion. Common sense is the biggest weapon against whaling, but scammers are employing increasingly sophisticated social engineering techniques, and some of these scams can prove all too tempting, even to those who should know better. Human fallibility cannot be removed from the equation, so instead executives must be vigilant online. This is something that comes a little harder to the older generation, who are often less familiar with cyberspace and Web 2.0 technologies.
This link between business and social networking sites means caution is needed on two fronts. First, executives should be wary of accepting business contacts, even if they look legitimate. Secondly, it is sensible to include only minimal personal information on any networking site – you wouldn’t stand in the street handing out your data to everyone who walked past, so why display this information on networking sites?
The employer’s role
Businesses need to take a role here in ensuring employees are protected against these attacks. First, employers need to implement comprehensive content security in order to control and manage both inbound and outbound traffic and to prevent whaling e-mails getting through to the intended victims. Over 15 different spam templates have been used by two criminal groups in the first half of 2008 alone; however, security solutions such as Clearswift’s anti-spam content analysis have provided an effective defence on those occasions where the templates became known. Secondly, businesses must take on an educational role by having e-mail and Internet policies in place which govern the rules of usage but also educate employees on possible threats. Both employer and employee must take on the responsibility to keep personal details safe and secure and out of the hands of cyber-criminals.
Tips to avoid getting hooked
- Never click on a URL in a suspicious e-mail and never copy and paste a suspicious URL into the browser – it is likely the website will be riddled with malware which will install itself onto your computer.
- Beware of e-mails which ask for confidential information, such as bank details or passwords. If you receive requests of this nature, call to check that the request is legitimate.
- Be aware that banks and government organisations will usually communicate through post or phone, rather than e-mail.
- Never respond to generic-looking requests for information. If your bank or ISP does communicate over e-mail, these e-mails should directly address you or your account.
- Never use forms embedded within e-mail messages to disclose confidential information – communicate the information via phone or a known legitimate website instead.
- Don't be pressured into divulging information. Whalers will try to scare their victims by pressuring them into submitting confidential data. They may threaten to disable an account or delay services until information is received. Always check with the organisation named by phone to see if the request is genuine.
- Make sure a website is secured and is displaying a valid security symbol before entering confidential information via this site – a website’s address beginning with https doesn't necessarily mean the site is secure. Phishers may use URL masking techniques to mimic the secure address of an authentic company.
- Check regularly for patches and upgrades to keep your browser and operating system up to date.
- Ensure your computer is fully protected and make sure your security tools are comprehensive enough to protect against all online threats from whaling to viruses to nuisance spam.
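The subpoena scam above relied on e-mail addresses and links that "looked very similar" to the real court's, and the tip about https warns that phishers mask URLs to mimic an authentic address. The script below is an added example, not part of the original article or of any Clearswift product, showing the kind of link check a mail-filtering or awareness tool can run over an inbound message: it pulls the URLs out of a constructed sample e-mail and flags the three masking tricks named or implied on this page (a brand name placed before an `@` so the browser actually connects to the host after it, a genuine domain buried as a subdomain of an unrelated one, and digit-for-letter substitutions). The allowlist, the confusable-character table and the sample message are all constructed assumptions; the domain split uses the last two labels and does not consult a public-suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains this organisation actually deals with.
KNOWN_GOOD_DOMAINS = {"example-bank.com", "uscourts.example"}

# Digits and symbols commonly swapped for look-alike letters (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message modelled on the subpoena scam described above.
SAMPLE_EMAIL = """\
Subject: Subpoena in case no. 08-cv-0000 (constructed sample)

You are required to appear. Download the subpoena at
https://uscourts.example.notice-delivery.example/subpoena.pdf
or confirm your banking details at https://www.example-bank.com@203.0.113.5/login
Regards, Clerk of Court
"""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str) -> list:
    """Return the reasons a link looks masked or look-alike; empty list means it passed."""
    reasons = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append("not https")
    # 'https://brand@203.0.113.5/' shows the brand in the userinfo part,
    # but the browser connects to whatever follows the '@'.
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    if not host:
        reasons.append("no hostname")
        return reasons
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")

    reg = registered_domain(host)
    if reg in KNOWN_GOOD_DOMAINS:
        return reasons  # the real site (possibly still flagged for plain http)

    for good in KNOWN_GOOD_DOMAINS:
        if good in host:
            # genuine name used as a sub-label of somebody else's domain
            reasons.append(f"'{good}' appears inside unrelated domain '{reg}'")
        elif reg.translate(CONFUSABLES) == good.translate(CONFUSABLES):
            reasons.append(f"'{reg}' is a character-substitution look-alike of '{good}'")
    if not reasons:
        reasons.append(f"'{reg}' is not on the allowlist")
    return reasons


def scan_message(body: str) -> dict:
    """Map each suspicious URL in a message body to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(body):
        reasons = check_url(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, why in scan_message(SAMPLE_EMAIL).items():
        print(url)
        for r in why:
            print("   -", r)
```

Both links in the constructed message are flagged, while a plain `https://www.example-bank.com/login` passes. A production filter would replace the two-label domain split with a public-suffix list and extend the confusable table to Unicode homoglyphs, but the structure of the check is the same.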
Pete Simpson is a ThreatLab Manager at security solution provider Clearswift.