Save the Whales
“Whaling”. The term brings up images of Captain Ahab and harpoons. For some folks, “whaling” brings up thoughts of deep-pocketed Vegas high-rollers. Unfortunately, what I’m referring to is a product of today’s online threats. It’s a new phishing scam called “whaling” and it’s emerged to target the big fish – top-level corporate executives at leading companies and organizations. By doing some easy research up front, phishers can hit those at the top with surprising success because most corporate email conventions are easy to figure out (e.g. first-initial_last-name at company dot com). These targeted phishing scams focus on certain title levels, typically C-level executives, using carefully crafted messages to encourage the opening of a message or a click-through on an embedded link.
While there’s not one, single uber criminal like Keyser Söze out there, there are small bands of organized criminals trying to take advantage of sloppy user behavior to gain access to webmail accounts, brokerage accounts, online payment accounts, and the like. First coined in 2007, whaling is a perfectly pragmatic way to tap into these valuable targets.
Thus far, the typical ruses in the email content range from headhunter recruitment letters, political fundraising requests, and complaints about a company’s products or services to billing-related inquiries. These attacks usually direct the executive to a site that will drop keystroke loggers, backdoors, or malware site-redirection capabilities on his or her system. The targets of these attacks are the login/password credentials of these high-net-worth individuals, and given common user behavior (the vast majority of users still use a single login/password combo…), these credentials are like gold and can unlock multiple accounts.
Now imagine this insidious scenario… The phisher obtains the credentials to this high-value target and simply observes activities and communications for a period of time, to unlock additional doors to their lives. Given the semi-public nature of many of these individuals, finding additional personal information like date of birth, mailing address, and the like is only a few Google searches away. Because this can go undetected for quite some time, a phisher could leverage this information for a variety of purposes including insider trading, draining certain personal accounts, or transferring funds to new, fraudulent accounts.
This past week, I attended the Identity 2008 conference in San Diego and it got me thinking about how the whales could protect themselves. In that spirit, I’d like to share a few tips that can help save the whales, but also are generally good practices for anybody who’s online. In David Letterman reverse list style, let me start with #5:
#5 – Check your financial accounts on at least a monthly basis for any unusual or unrecognized activity. Consider a fraud alert service like Debix to alert you when new accounts are being opened in your name.
#4 – Consider in-browser antiphishing capabilities which scan sites in real time to determine if they’re legit or not. I want to emphasize how important it is that phishing protection occurs in real time at the point of vulnerability so that a user doesn’t submit his or her credentials to a phony site. Once submit is clicked, that sensitive information is gone.
#3 – Don’t use the same login/password combination for all the sites you maintain web accounts with. It’s like rekeying all your doors in your house, your car, and your office with one master key. This becomes a single point of failure that could prove catastrophic if your Evite password also unlocks the keys to your banking and finance accounts… At the very least, consider three tiers of passwords that you use for three tiers of web accounts – completely disposable (think: online forums), ultra-secure (any financial accounts that can complete transactions in your name), and somewhere in-between (perhaps some e-retailers or sites like social networking sites).
#2 – Don’t click on links requesting personal or financial information and don’t respond to emails requesting the same. Providing your personal or financial information over electronic formats that are easily forwarded is obviously pretty dangerous.
#1 – Don’t open unsolicited messages from unrecognized senders. Try contacting the senders via a different channel like phone, snail mail or even instant messenger.
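Tips #4 and #2 both boil down to the same question: does a message and the link it carries actually lead where it claims to? The script below is an added example, not part of the original post or of any product mentioned in it. It runs a few defender-side checks over a constructed email: whether the display name borrows a trusted brand while the address comes from somewhere else, whether Reply-To points to a different domain than From, whether a link’s visible text and its real href disagree, and whether a link host merely contains a trusted brand as a subdomain label or is one character away from a trusted domain. The trusted-domain list, the sample messages and the heuristics themselves are assumptions chosen for illustration; a real in-browser check would use the public suffix list and a reputation feed rather than the crude “last two labels” rule here.

```python
"""Added example: point-of-click phishing triage for one email message.
The trusted domains, sample messages and heuristics are constructed for
illustration and are not from the original post."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of domains the recipient genuinely does business with.
TRUSTED_DOMAINS = {"examplebank.com", "example-broker.com"}


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this host imitates, or None.
    Flags a trusted brand used as a subdomain label
    (examplebank.com.login-check.net) and one-character edits
    of a trusted domain (examp1ebank.com)."""
    reg = registrable_domain(host)
    if reg in trusted:
        return None
    labels = host.lower().split(".")
    for t in trusted:
        if t.split(".")[0] in labels:
            return t
        if len(reg) == len(t) and sum(a != b for a, b in zip(reg, t)) == 1:
            return t
    return None


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"] or ""))
    from_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    # Display name claims a trusted brand, but the address lives elsewhere.
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if brand in display.lower().replace(" ", "") and from_domain != t:
            findings.append(f"display name mentions {brand!r} but sender domain is {from_domain!r}")
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if "@" in reply and registrable_domain(reply.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To domain differs from sender domain {from_domain!r}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text) if "://" in text else ""
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but href goes to {real}")
        mimic = lookalike_of(real)
        if mimic:
            findings.append(f"link host {real} looks like trusted domain {mimic}")
    return findings


# Constructed sample: a whaling-style lure with every tell described above.
SAMPLE_LURE = """\
From: ExampleBank Security <alerts@examplebank-verify.net>
Reply-To: helpdesk@mail-relay.example.org
To: ceo@corp.example
Subject: Urgent: confirm your account
Content-Type: text/html; charset=utf-8

<html><body><p>Please sign in to keep your access:</p>
<a href="http://examplebank.com.login-check.net/signin">https://examplebank.com/signin</a>
</body></html>
"""

# Constructed sample: a legitimate notice that should produce no findings.
SAMPLE_CLEAN = """\
From: ExampleBank Alerts <alerts@examplebank.com>
To: ceo@corp.example
Subject: Monthly statement
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LURE):
        print("LURE:", finding)
    print("CLEAN:", triage(SAMPLE_CLEAN))
```

The order of the checks matters less than where they run: as #4 says, the value is in flagging the link before the credentials are submitted, so logic like this belongs in the mail client or browser rather than in an after-the-fact log review.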
Message Edited by Sondra_Magness on 05-20-2008 03:57 PM