Save the Whales

“Whaling”. The term brings up images of Captain Ahab and harpoons. For some folks, “whaling” brings up thoughts of deep-pocketed Vegas high-rollers. Unfortunately, what I’m referring to is a product of today’s online threats. It’s a new phishing scam called “whaling”, and it’s emerged to target the big fish – top-level corporate executives at leading companies and organizations. By doing some easy research up front, phishers can hit those at the top with surprising success, because most corporate email conventions are easy to figure out (e.g. first initial plus last name, at company dot com). These targeted phishing scams focus on certain title levels, typically C-level executives, using carefully crafted messages to encourage the opening of a message or a click-through on an embedded link.

While there’s not one, single uber criminal like Keyser Söze out there, there are small bands of organized criminals trying to take advantage of sloppy user behavior to gain access to webmail accounts, brokerage accounts, online payment accounts, and the like.  First coined in 2007, whaling is a perfectly pragmatic way to tap into these valuable targets.

Thus far, the typical ruses in the email content range from headhunter recruitment letters and political fundraising requests to complaints about a company’s products or services and billing-related inquiries. These attacks usually direct the executive to a site that will drop keystroke loggers, backdoors, or malware site-redirection capabilities on his or her system. The targets of these attacks are the login/password credentials of these high-net-worth individuals, and given common user behavior (the vast majority of users still use a single login/password combo…), these credentials are like gold and can unlock multiple accounts.

Now imagine this insidious scenario… the phisher obtains the credentials to this high-value target and simply observes activities and communications for a period of time, to unlock additional doors to their lives.  Given the semi-public nature of many of these individuals, finding additional personal information like date of birth, mailing address, and the like is only a few Google searches away.  Because this can go undetected for quite some time, a phisher could leverage this information for a variety of purposes including insider trading; milking certain personal accounts down; or transfer of funds to new, fraudulent accounts.

This past week, I attended the Identity 2008 conference in San Diego and it got me thinking about how the whales could protect themselves.  In that spirit, I’d like to share a few tips that can help save the whales, but also are generally good practices for anybody who’s online.  In David Letterman reverse list style, let me start with #5:

#5 – Check your financial accounts on at least a monthly basis for any unusual or unrecognized activity.  Consider a fraud alert service like Debix to alert you when new accounts are being opened in your name.

#4 – Consider in-browser antiphishing capabilities which scan sites in real time to determine if they’re legit or not.  I want to emphasize how important it is that phishing protection occurs in real time at the point of vulnerability so that a user doesn’t submit his or her credentials to a phony site.  Once submit is clicked, that sensitive information is gone.

#3 – Don’t use the same login/password combination for all the sites you maintain web accounts with. It’s like rekeying all the doors in your house, your car, and your office with one master key. This becomes a single point of failure that could prove catastrophic if your Evite password also unlocks your banking and finance accounts… At the very least, consider three tiers of passwords that you use for three tiers of web accounts – completely disposable (think: online forums), ultra-secure (any financial accounts that can complete transactions in your name), and somewhere in between (perhaps some e-retailers or sites like social networking sites).

#2 – Don’t click on links requesting personal or financial information and don’t respond to emails requesting the same. Providing your personal or financial information over electronic formats that are easily forwarded is obviously pretty dangerous.

#1 – Don’t open unsolicited messages from unrecognized senders.  Try contacting the senders via a different channel like phone, snail mail or even instant messenger.

Message Edited by Sondra_Magness on 05-20-2008 03:57 PM


Re: Save the Whales

In my opinion, inter-corporate emails should always be signed with digital certificates issued by the corporation, and encrypted.

High level communications between the target and trusted clients should always be on the basis of digitally signed and encrypted email.

The digital certificates should be issued by a well recognized certification authority.
One can then check the certificate with a mouse click.

Too few corporations mandate the use of the certificates and the use of encryption.

This is not a cure for the problem but is one more tool that can be used.

Re: Save the Whales

Very good point Shaun!

Not too long ago I received a telephone call from one of my credit card companies claiming that they had seen some unusual charges, but, before we could discuss it further, I had to confirm that I was the legitimate card holder answering the phone and provide my credit card number. Normally, I might have been suspicious right away, but at the moment I received the call I was travelling from the office to the hospital where my wife was recovering from an illness and wasn't really thinking. After providing the first six digits my brain finally engaged.

I told the person that they should already have this information and that they could be anybody calling me and claiming to be from my credit card company. They provided me with a telephone number for their security department that I could call back if I wasn't willing to talk to a stranger. About six digits into dialing this number my brain kicked in again. I might just be calling back the same fraudulent people who called me initially!

I pulled out my credit card and called the number that was printed on it instead. After going through a number of different phone trees, I eventually managed to get ahold of somebody in their security department. Fortunately for me, they had placed the call to me and the charges were legitimate.

It seemed to me that they should have advised me in the initial phone call to contact the phone number printed on my credit card regarding some possibly fraudulent charges. When I asked them about this, the security person agreed that this would be a much more appropriate method, but it incurred too much cost to their main call center.

To wrap up, everybody needs to question the source of any contact and any information that they receive, and only use contacts and information that they are confident in.

Message Edited by reese_anschultz on 05-22-2008 10:59 AM

Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation

Re: Save the Whales

"Whaling" was previously (and is still sometimes) known as "spear phishing". The first time I heard it discussed was at the APWG General Members Meeting in September of 2004.

From the criminal's point of view, normal phishing is a numbers game - send out several million emails and expect a very small percentage of the recipients to bite - the problem is that this tactic is obvious to those of us who are defending against phishing. On the other hand, whaling (or spear phishing) allows the criminal to focus on a handful of individuals and send very targeted, hand-crafted emails to potential victims without making a big splash - making it much more difficult for anti-phishing software and law enforcement investigators to identify attacks at the email level.

Mark's advice above is great, but I would also add:
#6 - Don't call 800 numbers received in emails. Keep in mind that fraudulent voice response systems are almost as easy to set up as fake websites. If you receive an email from your bank asking you to call them, and you think it is real, then use the phone number on the back of your credit card or at the top of your most recent statement - NOT the one in the email.

Also, any time an email, website, or phone system asks for information that they should already have - be cautious. Banks do not misplace information.

Message Edited by shaun_cooley on 05-20-2008 12:41 AM