InfoWorld - Last year, a senior executive in charge of customer satisfaction at his company opened an email with the subject "customer complaint" that appeared to be sent from the Better Business Bureau. He followed a link to see details of the complaint. "If he had stopped to examine the URL carefully, he would have seen that it was a trap" -- known as a whaling attack and based on spear-phishing techniques -- intended to gather information about the company, says Jonathan Gossels, president of SystemExperts, a security consulting firm. "But during a busy work day, that hardly happens."
In another recent case, an attacker researched the background of a systems administrator, then sent him an email about a reduced premium health care plan for families of four or more. This appealed to the administrator, who has five children, and enticed him to open the attached form. The form had embedded malware that compromised the target's computer and gave the attacker a foothold into his corporate network. It also allowed the attacker to impersonate the administrator and garner sensitive information about the company's operations, says Rohyt Belani, CEO of Intrepidus Group, a security consulting and training firm.
[ Master your security with InfoWorld's interactive Security iGuide and our Deep Dive PDF guides on browser security, Windows 7 security, and malware defense. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
These whaling attacks are a form of personalized phishing, or spear phishing, aimed at senior executives or others in an organization who have access to lots of valuable or competitive information. While phishers generally go after consumers for bank account data, passwords, credit card numbers, and the like for financial gain, whalers most often target people who have inside information or can provide ongoing access to systems. Thus, the cost of being harpooned can be huge.
Whaling attacks are harder to detect than phishing expeditions. There's no obvious signature to detect as in phishing, such as seeing hundreds of copies of a phishing email enter your server. Whaling attacks are also hard to defend against because they often play on executives' feelings and sense of self-importance.
And security experts say these types of attacks are on the rise.
"As more private information becomes public, through social media sites and otherwise, targeting specific individuals within companies has become easier for hackers and thus a preferred method of attack," says Kim Peretti, a director in the forensic services practice at the PricewaterhouseCoopers consulting firm.
"This proliferation of information on individuals -- where they work, with whom they interact socially and professionally, what conferences they attend, when and where they vacation -- has enabled hackers to determine not only which individuals at companies may hold the keys to the kingdom, but also to which messages these [people] are most likely be duped into responding," Peretti says.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts