Spear Phishing and Whaling
Frequency-X Blog, 2007

My recent blogs about phishing appear to have driven several discussions about the fundamentals of the scams. For all its simplicity, over the last decade the term “phishing” has evolved from a particular attack vector into a stratified class of online fraud and deception. This has resulted in a number of colorful names for the various sub-classes and vectors within phishing. Last week I had several requests to explain two targeted phishing categories – “Spear Phishing” and “Whaling”. So, while I had a few minutes between meetings, I drafted the following descriptions of them and figured I’d share them here on the blog.

Spear Phishing

Spear phishing describes a category of phishing attacks whose target is a particular company, organization, group or government agency. In contrast to phishing attacks that make use of large address lists shared with spammers, spear phishers focus on a much smaller subset – often filtering public spam lists by their target’s domain, scraping the target’s public services for addresses (e.g. message boards, marketing collateral, etc.), or enumerating addresses through more active means (e.g. dumpster diving, spam pinging, etc.). The most prized addresses are distribution lists such as all@targetcompany.com. Once armed with a list of addresses specific to their quarry, the phishers send email that appears as though it may have come from the employer, or from someone who would normally send a message to everyone within the organizational group (e.g. the head of marketing and sales, the IT support team, the owner of the message board, etc.). In reality, the message sender information will have been faked (i.e. spoofed).
Unlike normal phishing scams, whose objective is to steal an individual’s online banking credentials, the spear phisher is most often seeking to gain access to the entire network of an organization. That said, it is not unheard of for spear phishers to target the users of a specific piece of software (e.g. members of a specific “clan” within World of Warcraft) and steal their login credentials.

Whaling

The adoption of the term ‘Whaling’ within phishing is fairly new. It may have been derived from the use of ‘whales’ in gambling to refer to big-time gamblers and high rollers, but most likely comes from the colloquialism “big fish”. Regardless, whaling describes the most focused type of phishing currently encountered by businesses or government – targeted attacks against groups of high-level executives within a single organization, or against executive positions common to multiple organizations (e.g. the CTO or CFO). In a whaling attack, the phisher focuses upon a very small group of senior personnel within an organization and tries to steal their credentials – preferably through the installation of malware that provides back-door functionality and keylogging. By focusing upon this small group, the phisher can invest more time in the attack and finely tune his message to achieve the highest likelihood of success. Note that these messages need not be limited to email. Some scams have relied upon the regular postal system to deliver infected media – for example, a CD supposedly containing evaluation software from a known supplier, sent to the CIO but containing a hidden malware installer.

Conclusions

At a high level – using visual metaphors – I suppose you could say that a standard phishing attack is like carpet bombing a few blocks from a B-52, while ‘spear phishing’ is more akin to taking out the building by parking a car bomb in the garage underneath, and ‘whaling’ is like sneaking a briefcase bomb into the company’s board-room.
The more focused the attack, the more precise the information needs to be in order to carry it out. So, what tips can I offer for protection against spear phishing and whaling?

But you already knew all this, right? You’re a security professional – why else would you be reading the X-Force blog? However, do you know who your colleagues would report suspicious emails to? Would your General Manager or CEO recognize a whaling email?
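As an added illustration of the spoofed-sender point made above (example code written for this page, not from the original post or from X-Force), the following routine performs the header triage a mail gateway or helpdesk could apply to a message that claims to come from inside the organization: a lookalike of the company domain in From or Reply-To, an external address whose display name borrows the company's name, a Reply-To that redirects answers elsewhere, and an envelope sender (Return-Path) that does not belong to the organization. It assumes the protected domain is targetcompany.com (borrowed from the post's all@targetcompany.com example); all four sample messages are constructed.

```python
"""Header triage for spear-phishing style sender spoofing.

Added example, not code from the original post. Assumes the organisation
being protected owns "targetcompany.com" (the domain in the post's
all@targetcompany.com example). All sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "targetcompany.com"       # protected domain (assumption)
ORG_TOKEN = OUR_DOMAIN.split(".")[0]   # "targetcompany", used for display-name checks

# Digits commonly swapped in to build a lookalike domain; punctuation is dropped.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                       "-": None, ".": None, " ": None})


def _domain(addr: str) -> str:
    """Domain part of an address, lowercased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_internal(domain: str) -> bool:
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def _fold(text: str) -> str:
    """Normalise text so that lookalike spellings collapse onto the genuine one."""
    return text.lower().translate(_FOLD)


def _is_lookalike(domain: str) -> bool:
    return bool(domain) and not _is_internal(domain) and _fold(domain) == _fold(OUR_DOMAIN)


def spoofing_indicators(raw_message: str) -> list:
    """Return the spoofing indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    found = []

    # 1. The visible sender uses a lookalike of our domain.
    if _is_lookalike(from_dom):
        found.append("lookalike_from_domain")
    # 2. External address, but the display name borrows the organisation's name.
    elif not _is_internal(from_dom) and ORG_TOKEN in _fold(from_name):
        found.append("display_name_impersonation")

    # 3. Replies are redirected to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        found.append("reply_to_mismatch")
        if _is_lookalike(reply_dom):
            found.append("lookalike_reply_to_domain")

    # 4. Visible sender claims to be internal but the envelope sender is not.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    return_dom = _domain(return_addr)
    if _is_internal(from_dom) and return_dom and not _is_internal(return_dom):
        found.append("envelope_sender_mismatch")

    return found


def _build(headers: list, body: str = "Please see the attachment.\n") -> str:
    """Assemble a raw message from header lines (constructed test data only)."""
    return "\n".join(headers) + "\n\n" + body


# Constructed samples, not real mail.
SPOOFED_DISTRIBUTION_LIST = _build([
    "Return-Path: <bounce@mail-relay.example.net>",
    'From: "TargetCompany IT Support" <helpdesk@targetcompany.com>',
    "Reply-To: <support@targetc0mpany.com>",
    "To: all@targetcompany.com",
    "Subject: Password expiry - action required",
])
LOOKALIKE_SENDER = _build([
    'From: "CFO Office" <cfo@target-company.com>',
    "To: cfo@targetcompany.com",
    "Subject: Wire transfer approval",
])
BORROWED_DISPLAY_NAME = _build([
    'From: "TargetCompany Helpdesk" <helpdesk@freemail.example.org>',
    "To: all@targetcompany.com",
    "Subject: Mailbox quota exceeded",
])
LEGITIMATE_INTERNAL = _build([
    "Return-Path: <jane.doe@targetcompany.com>",
    'From: "Jane Doe" <jane.doe@targetcompany.com>',
    "To: all@targetcompany.com",
    "Subject: Lunch on Friday",
])


def triage(samples: dict) -> dict:
    """Map each sample name to its indicator list; an empty list means nothing flagged."""
    return {name: spoofing_indicators(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage({
        "spoofed distribution-list mail": SPOOFED_DISTRIBUTION_LIST,
        "lookalike sender": LOOKALIKE_SENDER,
        "borrowed display name": BORROWED_DISPLAY_NAME,
        "legitimate internal mail": LEGITIMATE_INTERNAL,
    }).items():
        print(f"{name}: {hits or 'no indicators'}")
```

Each indicator on its own is a triage signal rather than a block rule: mailing lists and forwarded mail legitimately produce Reply-To and Return-Path mismatches, and an external provider the company really uses may carry the company name in its display name, so these checks belong in front of a human reporting path (the "who would your colleagues report this to?" question) with an allowlist for known senders.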