{"id":5009,"date":"2016-01-06T19:36:40","date_gmt":"2016-01-06T19:36:40","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5009"},"modified":"2019-11-15T22:55:26","modified_gmt":"2019-11-15T11:55:26","slug":"whaling","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/whaling\/5009\/","title":{"rendered":"What is &#8220;whaling&#8221;, and what&#8217;s the difference from phishing"},"content":{"rendered":"<p>Late in December, the term \u201cwhaling\u201d mildly spiked in cybersecurity-related media outlets. The term isn\u2019t exactly new, but it isn\u2019t encountered as often as \u201cphishing\u201d. In fact, as many of you may have\u00a0guessed already, \u201cwhaling\u201d is a specific kind of phishing. Just how specific?<\/p>\n<p>The reason for the aforementioned \u201cspike\u201d is simple: security experts from the firm Mimecast\u00a0<a href=\"http:\/\/www.csoonline.com\/article\/3018377\/security\/work-in-finance-or-accounting-watch-out-for-whaling-attacks.html\" target=\"_blank\" rel=\"noopener nofollow\">surveyed<\/a> several hundred IT professionals in December and found that a distinct wave of \u201cwhaling\u201d had hit businesses \u2013 a kind of phishing attack specifically targeting C-level and other top-level executives. \u201cBig phish\u201d, as it were.<\/p>\n<p>Yes, cetaceans are by no means \u201cfish\u201d, but it doesn\u2019t matter much here: the difference between phishing and cyberwhaling is much the same as between real-world fishing and whaling: one big target instead of a potentially large number of smaller ones, a \u201charpoon\u201d instead of a fishnet, etc.<\/p>\n<p><strong>Big Phish<\/strong><\/p>\n<p>Targets of \u201ccyberwhaling\u201d are mostly executives, preferably top-level, such as CEOs, CFOs, and other high-level decision makers, people responsible for handling corporate data and finances.<\/p>\n<p>The chances that they would fall for a common \u201cspam-borne\u201d phishing letter aren\u2019t high, so in most cases they are hit with \u201csomething special\u201d.<\/p>\n<p><strong>Harpooning<\/strong><\/p>\n<p>Usually phishing letters are <a href=\"https:\/\/business.kaspersky.com\/spam-and-phishing-in-q3-dirty-summer-tricks\/4805\/\" target=\"_blank\" rel=\"noopener nofollow\">spammed out<\/a> \u2013 urbi et orbi \u2013 in the hope that at least a few potential victims become actual ones. In the case of cyberwhaling, it is a narrowly targeted, cleverly crafted spear-phishing letter made to\u00a0look believable and trustworthy to the target.<\/p>\n<p>Conjuring such a letter takes effort, of course. The possibility of doubts and reservations on the victim\u2019s side must be brought to an absolute minimum. So both the sender\u2019s and receiver\u2019s regalia \u2013 title, position, etc. \u2013 as well as other, probably personal, details must be properly specified in the \u201cwhaling\u201d e-mail.<\/p>\n<p>These details are mined from wherever possible, most likely from open and semi-open sources such as social network accounts \u2013 Facebook, LinkedIn, Twitter, etc.<\/p>\n<p>In most cases, whaling involves more social engineering than tech tricks. If there is some company-wide (non-personal) concern involved \u2013 subpoenas, letters from tax authorities, etc.
\u2013 it is very likely that the decision maker will fall into the trap.<\/p>\n<p>In their letter, attackers may ask the recipient to download some additional software in order to open the full text of the \u201csubpoena\u201d. In reality, that would be keylogging malware, not some arcane plugin for Adobe Acrobat. And though it is very unlikely that official documents would be sent out in exotic formats, people occasionally fall for the trick.<\/p>\n<p>There was a widely publicized phishing \u2013 or rather whaling \u2013 campaign in 2008, when literally thousands of high-ranking executives across the U.S. received official-looking subpoenas ostensibly from the United States District Court in San Diego. Each message included the executive\u2019s name, company and phone number, and commanded the recipient to appear before a grand jury in a civil case; instead of a\u00a0copy of the subpoena, however, victims <a href=\"http:\/\/www.nytimes.com\/2008\/04\/16\/technology\/16whale.html?_r=0\" target=\"_blank\" rel=\"noopener nofollow\">were served with keyloggers<\/a>.<\/p>\n<p><strong>Big phish, little difference<\/strong><\/p>\n<p>All in all, whaling is still a subset of phishing, and even though it relies more on social engineering, common countermeasures against phishing are still\u00a0effective.
While nothing compares to a human\u2019s own ability to tell a scam from legitimate mail, complementary <a href=\"http:\/\/media.kaspersky.com\/pdf\/Kaspersky_Lab_Whitepaper_Anti_phishing.pdf\" target=\"_blank\" rel=\"noopener nofollow\">technical measures and security technologies<\/a> are also extremely helpful here, allowing quick and reliable confirmation of whether the message contains anything harmful and whether a provided link is dangerous or safe to visit.<\/p>\n<p>Stay safe!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Late in December, the term &#8220;whaling&#8221; mildly spiked in cybersecurity-related media outlets. The term isn&#8217;t exactly new, but it isn&#8217;t encountered as often as &#8220;phishing&#8221;.<\/p>\n","protected":false},"author":209,"featured_media":15323,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[76,2379],"class_list":{"0":"post-5009","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-phishing","10":"tag-whaling"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/whaling\/5009\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/whaling\/8057\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/whaling\/5009\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/whaling\/10268\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/whaling\/5009\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/5009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.a
u\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=5009"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/5009\/revisions"}],"predecessor-version":[{"id":24626,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/5009\/revisions\/24626"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15323"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=5009"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=5009"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=5009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}