Threat Watch

Whaling Gets Real

Powered by social-networking sites and compromised corporate databases, super-targeted phishing attacks are moving from theory to practice. Here's how to understand this evolving information-security threat and protect your company and its executives

By Rick Cook

March 03, 2008 (CSO) — For the last couple of years, security researchers have been sounding warnings that phishers could turn their attention to super-personalized attacks targeted at high-level corporate employees--so-called “whaling” attacks. Now, however, there’s growing evidence that this type of attack is moving from theory to practice. The reasons? The bad guys are getting better access to the information they need to bait these e-mails--both because they are getting better at mining databases on compromised corporate sites, and because employees are providing more useful information at networking sites such as LinkedIn and MySpace.

Once launched, the results of a whaling attack can be devastating. "It’s really effective," says Joe Stewart, senior security researcher for SecureWorks Inc., a managed security service provider based in Atlanta. "They’re hitting the high-level executives and getting access to these people’s entire workstations."

Like all “spearphishing” or targeted phishing attacks, whaling involves personal information, but in this case the targets are high-level, high-value individuals whose credentials, if compromised, can endanger an entire organization. The targets are carefully chosen, and the number of e-mails distributed is small. Where a massive phishing attack might involve billions of e-mails sent from botnets with a million zombies, whaling usually involves anywhere from a few dozen to a few thousand e-mails, which are sent from a botnet with perhaps 20,000 compromised computers. Conventional methods for identifying phishing attacks depend on spotting a lot of identical messages, so the small scale of whaling attacks makes them essentially invisible to Internet scanners.

"What allows them to fly under the radar is that they are so targeted," says Allan Paller, director of research at the SANS Institute. "If you only go after 20 companies, or 200 companies, nothing will pick up the attack.”

Because the targets have such high value, whalers can afford to go to very elaborate lengths to make their e-mails appear legitimate. The basis of a successful whaling attack is information about the intended victims--the more specific the better. At the very least, most whaling attacks involve the name and job of each potential victim, and the whalers will try to have more information than that.
 
The sources for all this information, Stewart says, are often databases at the victims’ companies or companies they do business with. The source of the information can even be other phishing attacks, which can lead to elaborate multi-step attacks.

A whaling e-mail may even include a working telephone number--something conventional phishing attacks never do.
