Whaling Gets Real

Powered by social-networking sites and compromised corporate databases, super-targeted phishing attacks are moving from theory to practice. Here's how to understand this evolving information-security threat and protect your company and its executives

For the last couple of years, security researchers have been sounding warnings that phishers could turn their attention to super-personalized attacks targeted at high-level corporate employees--so-called “whaling” attacks. Now, however, there’s growing evidence that this type of attack is moving from theory to practice. The reasons? The bad guys are getting better access to the information they need to bait these e-mails--both because they are getting better at mining databases on compromised corporate sites, and because employees are providing more useful information at networking sites such as LinkedIn and MySpace.

Once a whaling attack is launched, the results can be devastating. "It’s really effective," says Joe Stewart, senior security researcher for SecureWorks Inc., a managed security service provider based in Atlanta. "They’re hitting the high-level executives and getting access to these people’s entire workstations."

Like all “spearphishing” or targeted phishing attacks, whaling involves personal information, but in this case the targets are high-level, high-value individuals whose credentials, if compromised, can endanger an entire organization. The targets are carefully chosen, and the number of e-mails distributed is small. Where a massive phishing attack might involve billions of e-mails sent from botnets with a million zombies, whaling usually involves anywhere from a few dozen to a few thousand e-mails, sent from a botnet of perhaps 20,000 compromised computers. Conventional methods for identifying phishing attacks depend on spotting large numbers of identical or near-identical messages, so the small scale of whaling makes these attacks essentially invisible to volume-based Internet scanners.

"What allows them to fly under the radar is that they are so targeted," says Allan Paller, director of research at the SANS Institute. "If you only go after 20 companies, or 200 companies, nothing will pick up the attack.”

Because the targets have such high value, whalers can afford to go to elaborate lengths to make their e-mails appear legitimate. The basis of a successful whaling attack is information about the intended victims, and the more specific it is, the better. At a minimum, most whaling attacks use the name and job title of each potential victim, and the whalers will try to gather more than that.

The sources for all this information, Stewart says, are often databases at the victims’ companies or companies they do business with. The source of the information can even be other phishing attacks, which can lead to elaborate multi-step attacks.

A whaling e-mail may even include a working telephone number, something mass phishing attacks rarely do. Typically the number is a VoIP line, which is hard to trace and easy for the attacker to abandon. Often a recording at the other end of the line asks the victim for more information.

Another technique, Paller says, is to have the compromised machine that sent the whaling e-mail automatically respond to replies from the victims with a message assuring them that the attachment is safe to open. "They’ll say something like, ’Absolutely. You’ll love it,’" he says.

Attacks may take the form of fake messages from a business partner about a "problem with our last order," or a request for specific information on a product feature. "These guys have shifted from telling you to do something [in general] to telling you to do something that is so close to what you do for a living that you can’t afford not to do it,” Paller says. “They’re weaving the attack into your job so tightly they don’t allow you to say no.”

This is all the more effective because non-IT executives are usually less security-conscious than other high-value targets such as network administrators. Also, the purpose of the whaling e-mail is usually not to collect personal information directly, but to plant malware, such as keyloggers that allow the attacker to gather data at leisure. Because the e-mail doesn’t ask for personal information such as credit card numbers, the victims are likely to feel the e-mail is innocuous.
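The characteristics described above (a handful of messages, an impersonated authority figure or partner, a job-specific pretext, and an attachment that plants malware rather than a request for credentials) are exactly what volume-based phishing filters miss. The following added example, which is not code from the article or from SecureWorks or SANS, scores each inbound message on its own content instead. The corporate domain, the executive directory, the lure phrases and the two sample messages are constructed for the example; the weights are illustrative and would be tuned against real mail.

```python
"""
Per-message whaling heuristics (added example, not from the article).
A whaling run is a few dozen to a few thousand messages, so clustering on
identical copies never fires; each message is scored on its own content.
Domain, executive directory and sample messages below are constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumption: our own domain
EXECUTIVES = {                                    # assumption: high-value names
    "Jane Doe": "jane.doe@example.com",
    "Robert Roe": "robert.roe@example.com",
}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip"}
# Job-specific lure phrasing of the kind the article describes.
LURE_PHRASES = ("problem with our last order", "please open the attached")
FLAG_THRESHOLD = 4


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    score, reasons = 0, []

    # An internal executive's display name on an external address is the
    # "authority figure" lure; there is no mass-mail signal to catch it.
    if from_name.strip() in EXECUTIVES and from_dom != CORP_DOMAIN:
        score += 3
        reasons.append(f"display name '{from_name}' from external domain {from_dom}")
    if to_addr.lower() in EXECUTIVES.values():
        score += 1
        reasons.append("recipient is a listed executive")
    # Replies routed away from the apparent sender feed the attacker's
    # auto-responder instead of the person being impersonated.
    if reply_addr and domain_of(reply_addr) != from_dom:
        score += 1
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From")
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXTENSIONS:
            score += 2
            reasons.append(f"attachment type {ext} can carry malware")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n"
            + (body.get_content() if body else "")).lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"lure phrase: '{phrase}'")
    return score, reasons


def is_whaling_candidate(raw):
    """True when the message should be held for analyst review."""
    return score_message(raw)[0] >= FLAG_THRESHOLD


def build_sample(from_hdr, to_hdr, subject, text, attachment=None, reply_to=None):
    """Construct a sample message so the example runs offline."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, to_hdr, subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(text)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return m.as_string()


# Constructed samples: a lure impersonating the CEO to the CFO, and a benign note.
LURE = build_sample(
    "Jane Doe <jane.doe@example-partner.net>", "robert.roe@example.com",
    "Problem with our last order",
    "Robert, please open the attached before the 3pm call.\n",
    attachment=("order_details.zip", b"PK\x03\x04 placeholder bytes"),
    reply_to="ops@mailbox-relay.example.net",
)
BENIGN = build_sample(
    "Alice Smith <alice.smith@example.com>", "robert.roe@example.com",
    "Lunch on Thursday?", "Are you free Thursday?\n",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_message(raw), "FLAG" if is_whaling_candidate(raw) else "pass")
```

The lure scores on five independent signals and is held; the benign note scores only for being addressed to an executive and passes. Each signal on its own is weak, which is why a threshold over several of them, rather than any single rule, is what makes low-volume targeting visible.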

Late last year SalesForce.com, the online CRM vendor, got hit with an attack that demonstrates how the multi-step version of whaling works. First, a SalesForce employee’s account was compromised by a phishing attack. Then, the attackers used the breach to invade customer accounts at SalesForce and harvest lists of customer contacts. The customer contact lists didn’t contain critical information such as Social Security numbers or passwords, but they did include personal details, such as names and titles, that were needed to tailor the e-mails. The third phase of the attack was spearphishing those stolen contact lists. The attackers sent out thousands of e-mails targeted at executives on the list.

Because of the stealthy nature of whaling attacks, however, researchers say that the publicized examples are atypical. The SalesForce attack was spotted because the stolen database contained information on a large number of companies--many more than Paller says are usually involved in a whaling attack.

"The best advice I can give people is even if you get an attachment from someone you know, mail them back and ask what they’re sending," Stewart says. "You’ve really got to be suspicious of these types of messages that seem to come from an authority figure. In that sense we have an easier job in user education. It comes down to the security team having a meeting with the executive team [and saying,] Be suspicious of anything you get. Run it by us."

Paller, however, warns that "education" in the form of seminars and lectures doesn’t work well in the long run; in fact, he says, it hardly works at all. Instead, he suggests a process he calls "inoculation," which involves repeatedly sending out fake whaling-type messages. "When [the user bites], [he or she] gets a message saying, ’Oops, you’ve just been had.’ You do that over and over again until people learn.”
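The "inoculation" rounds Paller describes need one piece of machinery that is easy to get wrong: the lure link has to identify who bit, in which round, without letting anyone forge a bite, replay an old link into a later round, or attribute a click to someone who was never sent the lure. The following added example, which is not a SANS or vendor tool, shows that tracking core with HMAC-signed per-recipient tokens. The portal URL is an assumption, and actually mailing the lure is out of scope.

```python
"""
Round-based "inoculation" tracker (added example, not from the article).
Each lure link carries a token bound to the recipient and the training
round and signed with HMAC, so bites cannot be forged or replayed.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from collections import defaultdict

PORTAL = "https://training.example.com/oops"      # assumption: landing page


class InoculationProgram:
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # signing key for this program
        self.round = 0
        self.sent = defaultdict(set)               # round -> recipients lured
        self.bitten = defaultdict(set)             # round -> recipients who clicked

    def _mac(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def _token(self, rnd, address):
        payload = f"{rnd}|{address}".encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(self._mac(payload)).decode())

    def start_round(self, recipients):
        """Open a new round; return {address: lure link} for the mailer to use."""
        self.round += 1
        links = {}
        for addr in recipients:
            self.sent[self.round].add(addr)
            links[addr] = f"{PORTAL}?t={self._token(self.round, addr)}"
        return links

    def click(self, token):
        """Handle a landing-page hit: the 'you've been had' text, or None if invalid."""
        try:
            payload_b64, mac_b64 = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(self._mac(payload), mac):
            return None                              # forged or tampered token
        rnd_str, addr = payload.decode().split("|", 1)
        rnd = int(rnd_str)
        if addr not in self.sent[rnd]:
            return None                              # never lured in that round
        self.bitten[rnd].add(addr)                   # set: repeat clicks count once
        return f"Oops, {addr}: you've just been had. This was training round {rnd}."

    def bite_rate(self, rnd):
        """Fraction of a round's recipients who took the bait."""
        sent = self.sent[rnd]
        return len(self.bitten[rnd]) / len(sent) if sent else 0.0


def token_from_link(link):
    """Pull the token back out of a lure link (what the landing page does)."""
    return link.split("t=", 1)[1]


if __name__ == "__main__":
    program = InoculationProgram()
    links = program.start_round(["a@example.com", "b@example.com"])
    print(program.click(token_from_link(links["a@example.com"])))
    print("round 1 bite rate:", program.bite_rate(1))
```

Comparing bite_rate across rounds is the "over and over again until people learn" measurement; because a token is tied to its round, a recipient clicking last month's link is still recorded against last month, not against the current round.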

Rick Cook is a freelance writer based in Phoenix.
