For the last couple of years, security researchers have been sounding warnings that phishers could turn their attention to super-personalized attacks targeted at high-level corporate employees--so-called "whaling" attacks. Now, however, there's growing evidence that this type of attack is moving from theory to practice. The reasons? The bad guys are getting better access to the information they need to bait these e-mails--both because they are getting better at mining databases on compromised corporate sites, and because employees are providing more useful information at networking sites such as LinkedIn and MySpace.

Once launched, the results of a whaling attack can be devastating. "It's really effective," says Joe Stewart, senior security researcher for SecureWorks Inc., a managed security service provider based in Atlanta. "They're hitting the high-level executives and getting access to these people's entire workstations."

Like all "spearphishing" or targeted phishing attacks, whaling involves personal information, but in this case the targets are high-level, high-value individuals whose credentials, if compromised, can endanger an entire organization. The targets are carefully chosen, and the number of e-mails distributed is small. Where a massive phishing attack might involve billions of e-mails sent from botnets with a million zombies, whaling usually involves anywhere from a few dozen to a few thousand e-mails, which are sent from a botnet with perhaps 20,000 compromised computers. Conventional methods for identifying phishing attacks depend on spotting a lot of identical messages, so the small scale of whaling attacks makes them essentially invisible to Internet scanners.

"What allows them to fly under the radar is that they are so targeted," says Allan Paller, director of research at the SANS Institute.
"If you only go after 20 companies, or 200 companies, nothing will pick up the attack."

Because the targets have such high value, whalers can afford to go to very elaborate lengths to make their e-mails appear legitimate. The basis of a successful whaling attack is information about the intended victims--the more specific the better. At the very least, most whaling attacks involve the name and job of each potential victim, and the whalers will try to have more information than that.

The sources for all this information, Stewart says, are often databases at the victims' companies or companies they do business with. The source of the information can even be other phishing attacks, which can lead to elaborate multi-step attacks.

A whaling e-mail may even include a working telephone number--something conventional phishing attacks never do. Typically, the number is a VoIP connection, which is hard to trace and easy to take down. Often a recording at the other end of the line will ask the victim for more information.

Another technique, Paller says, is to have the compromised machine that sent the whaling e-mail automatically respond to replies from the victims with a message assuring them that the attachment is safe to open. "They'll say something like, 'Absolutely. You'll love it,'" he says.

Attacks may take the form of fake messages from a business partner about a "problem with our last order," or a request for specific information on a product feature. "These guys have shifted from telling you to do something [in general] to telling you to do something that is so close to what you do for a living that you can't afford not to do it," Paller says. "They're weaving the attack into your job so tightly they don't allow you to say no."

This is all the more effective because non-IT executives are usually less security-conscious than other high-value targets such as network administrators.
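As an added illustration, not part of the original article, of why the identical-message counting described earlier misses a whaling batch: the Python below runs a conventional body-fingerprint volume check and a volume-independent per-message check over constructed sample mail. The executive list, the partner-domain allowlist and the message fields are assumptions made for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample traffic (not real mail). The mass run repeats one body
# verbatim to 500 recipients; the whaling batch is three tailored messages
# that each name the recipient and their title and carry an attachment.
MASS_RUN = [
    {"from": "alerts@bank-example.test", "to": f"user{i}@corp.test",
     "body": "Your account is locked. Click the link to verify.", "attachment": None}
    for i in range(500)
]
WHALING_RUN = [
    {"from": "orders@partner-example.test", "to": "cfo@corp.test",
     "body": "Alice, as CFO please review the attached invoice for our last order.",
     "attachment": "invoice.pdf.exe"},
    {"from": "orders@partner-example.test", "to": "coo@corp.test",
     "body": "Bob, as COO please check the attached delivery note for our last order.",
     "attachment": "delivery_note.zip"},
    {"from": "orders@partner-example.test", "to": "cio@corp.test",
     "body": "Carol, as CIO the attached spec for the feature you asked about is ready.",
     "attachment": "spec.doc"},
]
# Assumed lists maintained by the security team (hypothetical values).
EXECUTIVES = {"cfo@corp.test", "coo@corp.test", "cio@corp.test"}
KNOWN_PARTNER_DOMAINS = {"supplier-example.test"}


def body_fingerprint(body):
    """Hash a case- and whitespace-normalized body so verbatim copies collide."""
    norm = re.sub(r"\s+", " ", body.lower()).strip()
    return hashlib.sha256(norm.encode()).hexdigest()


def volume_flagged(messages, threshold=50):
    """Conventional bulk-phish check: flag bodies seen at least `threshold` times.
    Tailored whaling bodies are each unique, so none reaches the threshold."""
    counts = Counter(body_fingerprint(m["body"]) for m in messages)
    return [m for m in messages if counts[body_fingerprint(m["body"])] >= threshold]


def executive_attachment_flagged(messages):
    """Per-message check that needs no volume: hold for review any attachment
    sent to an executive from a domain the security team has not vetted."""
    held = []
    for m in messages:
        sender_domain = m["from"].rsplit("@", 1)[-1].lower()
        if (m["to"] in EXECUTIVES and m["attachment"]
                and sender_domain not in KNOWN_PARTNER_DOMAINS):
            held.append(m)
    return held
```

The volume check catches all 500 copies of the mass run and none of the three whaling messages; the per-message check holds all three whaling messages for the security team to look at, which is the "run it by us" step the article's sources recommend.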
Also, the purpose of the whaling e-mail is usually not to collect personal information directly, but to plant malware, such as keyloggers that allow the attacker to gather data at leisure. Because the e-mail doesn't ask for personal information such as credit card numbers, the victims are likely to feel the e-mail is innocuous.

Late last year SalesForce.com, the online CRM vendor, got hit with an attack that demonstrates how the multi-step version of whaling works. First, a SalesForce employee's account was compromised by a phishing attack. Then, the attackers used the breach to invade customer accounts at SalesForce and harvest lists of customer contacts. The customer contact lists didn't contain critical information such as Social Security numbers or passwords, but they did include personal details, such as names and titles, that were needed to tailor the e-mails. The third phase of the attack was spearphishing those stolen contact lists. The attackers sent out thousands of e-mails targeted at executives on the list.

Because of the stealthy nature of whaling attacks, however, researchers say that the publicized examples are atypical. The SalesForce attack was spotted because the stolen database contained information on a large number of companies--many more than Paller says are usually involved in a whaling attack.

"The best advice I can give people is even if you get an attachment from someone you know, mail them back and ask what they're sending," Stewart says. "You've really got to be suspicious of these types of messages that seem to come from an authority figure. In that sense we have an easier job in user education. It comes to the security team having a meeting of the executive team [and saying,] 'Be suspicious of anything you get. Run it by us.'"

Paller, however, warns that "education" in the form of seminars and lectures doesn't work well in the long run; in fact, he says, it hardly works at all.
Instead, he suggests a process he calls "inoculation," which involves repeatedly sending out fake whaling-type messages. "When [the user bites], [he or she] gets a message saying, 'Oops, you've just been had.' You do that over and over again until people learn."

Rick Cook is a freelance writer based in Phoenix.