Phishing is a common social engineering attack, but it does not have a very high success rate.
In ordinary phishing campaigns, attackers send out fake messages with the hope that at least some of the recipients will click on a malicious URL or email attachment. Phishing correspondence is, for the most part, never personalized and its content varies little from one recipient to the next.
That explains why phishers send out thousands of emails at a time. Only a fraction of the recipients usually falls for the bait.
Unfortunately for the attackers, such lack of personalization, not to mention spelling and grammar errors, often alerts recipients to the ruse. Indeed, in its 2016 Data Breach Investigations Report, Verizon found that only 30 percent of all phishing emails were ever opened. An even smaller percentage (12 percent) of recipients actually clicked on the malicious URL or attachment.
Phishing is all about a low-rate of return over a large breadth of victims, which makes it an ineffective tool for conducting targeted attacks. Those looking to trick a specific recipient commonly turn to spear-phishing instead.
Spear-Phishing: Establishing a False Sense of Security
Unlike its ordinary counterpart, spear-phishing emphasizes a high-rate of return over a small set of victims. Rather than blasting out thousands of messages, spear-phishers invest their energy in researching their targets and using that information to customize their attack emails as much as possible.
The logic is that by incorporating a target’s name, position, company, work phone number and other information into an email, attackers can trick the recipient into believing their attack message is real. If sufficient, that false sense of security will most likely lead the target to click on the malicious URL or attachment.
Spear-phishing is commonplace on LinkedIn and other social media sites, for attackers can use those platforms to build fake profiles, make connections, and map out the structure of an organization in order to plan for future attacks.
Spear-phishers are after information. If they can successfully phish someone with authority, such as a top executive, they can gain access to some valuable corporate data.
Kim Peretti, a director in the forensic services practice at the PricewaterhouseCoopers consulting firm, is very familiar with attackers’ use of social networking for nefarious purposes.
“As more private information becomes public, through social media sites and otherwise, targeting specific individuals within companies has become easier for hackers and thus a preferred method of attack,” she says, as quoted by InfoWorld. “This proliferation of information on individuals–where they work, with whom they interact socially and professionally, what conferences they attend, when and where they vacation–has enabled hackers to determine not only which individuals at companies may hold the keys to the kingdom, but also to which messages these [people] are most likely be duped into responding.”
Such is the reality behind “whaling” attacks.
Harpooning the Whale
When you come right down to it, whaling is exactly the same as spear-phishing. The only difference is the size of the targets. They are much bigger.
In a whaling attack, a bad actor sends out an email to a specific executive officer or senior manager. That email contains personal information relating to the recipient, and it may incorporate company logos, familiar (but not identical) email domains, and other design work to fool the recipient into thinking the message originated from a legitimate company.
As Scamwatch explains in a blog post, the emails come with a subject line advertising a “critical” business matter, and they direct the recipient to click on a malicious URL or attachment. If they fall for the ploy, the recipient will be led to a fake website where they will be prompted to enter in some login credentials. Alternatively, their computers will be infected with malware, allowing bad actors to gather important information for staging secondary attacks.
Most of the time, whalers are interested in pulling off a business email compromise (BEC). By stealing an executive’s business email credentials, they can abuse that authority to make fraudulent wire transfers to financial institutions located all over over the world.
Since October 2013, the FBI has received 17,642 reports from victims of this type of scam, amounting to more than US$2.3 billion in losses. That includes an incident last summer where attackers defrauded an unidentified American corporation out of USD$100 million.
Whaling attacks pose a danger to organizations everywhere. That is why businesses should conduct security awareness training not only with their employees but also with their executives. Everyone is prone to human weakness, and under the right circumstances, everyone can be tricked into doing something that might jeopardize their organization’s security.
By educating their staff equally, however, companies can empower their employees and executives to positively contribute towards a culture of information security. Only via that kind of input and participation can organizations hope to protect themselves.
Title image courtesy of ShutterStock