Whaling
13 minute read | Last updated 1-Mar-2011 | 
Cybercrime, Security
Whaling, spear phishing, and phishing are all variants on the same pattern of attack. At a high level, the target is sent correspondence—usually an email—and asked to take an action that seems legitimate but is in fact masking the transfer of information/money/etc.
Phishing is the simplest attack in this class, then spear phishing, and finally whaling. Very similar to their analogies; each has a narrower focus, is more complex, and has a different goal.
The attacks in this pattern are summarized in the table below;
| Phishing | Spear Phishing | Whaling | |
|---|---|---|---|
| Target(s) | Anyone | Group or organization | Specific person or team |
| Research required | Minimal | Moderate | Substantial |
| Believe-ability | Medium | High | Very High |
| Sophistication | Minimal | Moderate | Substantial |
| Goal | Identities / access to system or network | Money or scam | |
The technical details of these attacks are constantly changing but their goal remains the same, to unknowingly get you to transfer something you value to the attacker.
Phishing
Alice receives the following email:
“Dear Customer,
You have received this email because we have strong reason to believe that your Amazon account had been recently compromised. In order to prevent any fraudulent activity from occurring we are required to open an investigation into this matter.
Your account is not suspended, but if in 36 hours after you receive this message your account is not confirmed we reserve the right to terminate your Amazon subscription.
If you received this notice and you are not an authorized Amazon account holder, please be aware that it is in violation of Amazon policy to represent oneself as an Amazon user. Such action may also be in violation of local, national, and/or international law.
Amazon is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft.
Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the full extent of the law.
To confirm your identity with us click the link bellow:
http://www.amazon.com/exec/obidos/sign-in.html
We apologize in advance for any inconvenience this may cause you and we would like to thank you for your cooperation as we review this matter.
- The above is an example from Consumer Fraud Reporting
Here are the things that lend credibility to the email;
- It arrives “from” [email protected]
- In HTML format, it has the company’s logo and visual style
- The link “goes” to amazon.com
- The wording and structure is formal and typical of corporate correspondence
Beyond these points, the subject conveys a sense of urgency—in email clients that support it, it’s flagged for follow-up within 48 hrs and marked as “urgent”–and tries pushes the recipient into action.
The wording to designed to be aggressive and install fear in the recipient from the first paragraph alone; ” account…recently compromised”, “fraudulent activity”, and “required to open an investigation”.
Right away the email grabs the users attention and their first thought it usually, “I have to act”.
The 2nd section continues to pile on the worrisome and troubling wording. Mentions of law enforcement, violations, and prosecution all lend weight to the seriousness of responding to this message.
By the time the recipient reads the conclusion, they are relieved to see 1 simple action to take. Click on this link and confirm your identity.
The link looks legitimate but if fact it actually goes to the attackers site. Because the email is an HTML message, the display text and actual URL do not have to match.
You see this all the time when you hover over a link and tooltip or status bar panel shows the URL for the link text (e.g., the citation for the email above, “example from Consumer Fraud Reporting” leads to “http://www.consumerfraudreporting.org/phishing_Amazon_2010.php”.
Clicking on the link will take you to a complete copy of the Amazon login page. To the untrained eye, you’re actually visiting Amazon.com. If you check the URL bar you may notice something amiss, you’re actually on Amaz0n.com—zero instead of a “o”—or some other clever misspelling (e.g., doubling letters is common).
When you enter your username and password, you’ll probably receive a thank you message and confirmation that you’ve completed the task.
In reality, you’ve just provided the attacker with your Amazon.com username and password and verified that it is valid.
What happens next?
Most likely, the attacker will start to order products from Amazon.com—or make a bank transfer if the message purported to be from a bank—using your credit card on file with Amazon and have the products delivered to an address that they can claim them from, something like a foreclosed house or middleman.
The will fence the goods in order to turn the illicitly purchased items into cash.
This is just one simple example but it illustrates the pattern. It’s a course method of attack but done in sufficient numbers, a phishing campaign should provide a handsome return for the attacker.
More great examples of actual phishing emails are available courtesy of Consumer Fraud Reporting .
Spear Phishing
Spear phishing follows the same pattern but now the email is much more specific. With spear phishing, the attacker will research the target organization or group in order to build a profile of the target.
Using this information, the attacker will add element to the initial message that lend more credibility and authenticity.
A spear phishing email is more likely to be directly addressed to the recipient (e.g., “Dear Alice” not “Dear Customer”) and will use details from the profile (e.g., using the name of a common contact or service) in order to seem legitimate. The more details and insider terms/acronyms used the better.
Each pieces continues to build credibility with the reader.
These messages are more likely to refer to a recent event or common system based on research that the attacker has done. If a company was recently acquired, rolled out a new system, launched a new product, or something similar, these types of events would be referenced in the message.
Each reference lends credibility to the message and reduces suspicion.
The goal of a spear phishing attack may be to scam the user or gain access to money (like a phishing attack) or—just as likely—may try to use malware to gain access to the users system and network.
A phishing attack typically focuses on money or compromising the users machine for generic purposes (e.g., joining a botnet) and not in order to gain specific access.
Whaling
A whaling attack provides a starker contrast to phishing. It can be difficult to tell where the line between spear phishing and regular phishing is. Not so with a whaling attack. These attacks target high level or key personnel in a company.
These attacks are well researched and the initial communication is very believable. It’s rare to see a whaling attack that is aiming to get money or scam the target, these attacks are almost exclusively carried out to gain access and information to a company.
The methodology is the same as the previous two attack types but the research conducted pre-attack makes scenario presented in the initial message much more plausible.
Making this situation worse, more executives have assistants who regularly process their correspondence which means the decision maker—in this case, the assistant—may not have all of the required information to detect a fraudulent message.
The key to the success or failure of a whaling attack is research. Let’s take a closer look at the approach an attacker takes.
Identification
The very first step is for the attacker to determine what company they wish to attack. If the company they have in mind is publicly traded, the SEC (in the US) and government usually has a solid base of information readily available.
Public US companies are required to submit earnings, annual reports, and other financial information to the US government. Most of this information is readily available online, a quick search on the SEC’s site will provide a number of documents that create a solid foundation on which to build a company profile. They identify the current financial status and key executives.
If the target is a government department, or non-profit, similar resources exist in most countries. Because there is a requirement for transparency for these organizations, they are usually legally required to publish some information about their current status and structure. All of this information can be used in the target profile.
While providing a solid foundation, this information is not usually enough. A professional networking site such as LinkedIn can really help fill in the target profile. When a professional signs up for LinkedIn they typically submit a résumé which becomes part of their profile.
This can include current position, previous positions, education, memberships, interests, and professional contacts. All of this comes together to build an accurate picture of the target.
Even if the profile is marked as private, it can still contain important information that can be leverage during the attack.
A key component of the profile is the target’s connections. LinkedIn is a gold mine of information that can help an attacker map out who the target knows and more importantly who they may want to know.
As the profile builds, an attacker will branch out to Facebook, Twitter, and any other social media profiles that they can find. The goal of this phase is to build as complete a profile of the company and it’s executives as possible.
Remember, the more credible the message, the more likely the victim is to do what the attacker wants.
Building The Hook
With a profile of the company and the key executives built, it’s time for the attacker to craft the initial message. This message has to be credible enough that the target—or target’s assistant—will click through to the site or download the document/attachment.
The approach could be a solicitation for a business meetings or a partnership opportunity from another company (playing to a profit motive), an invitation to speak or participate in a panel discussion (playing to the targets ego), or another similar angle.
The research conducted in the previous phase will usually provide an indicator as to what approach will be the most effective.
Execution
Once the hook has been set, the attacker will move onto the technical aspects of the attacker. Beyond the various requirements of making the email look legitimate (as covered in the phishing section), the attacker must ensure that their malware has a high chance of success.
Again, the research conducted during the investigation phase is invaluable. Mentions of various software platforms or metadata indicating specific technologies in use will help the attacker craft their malware.
Job postings for the company and technical support forums are a key resource for the attacker’s research.
All of information in the technical profile of the company will be cross-referenced with the exploits the attacker has access to in order to find the malware with the highest chance of success.
This will then be delivered either directly via an attachment to the initial message or—much more likely—as a drive-by download from a website which is linked to in the message.
If the download is executed successfully, the malware will most likely attempt to contact the attacker (either directly or by dead drop) in order to report success and await further instructions.
Information Gathering
With the malware in place, the attack continues as the software exfiltrates—a fancy term for sending data out of the corporation and to the attacker—data to the attacker and receives new instructions and updates.
Sophistication levels of malware vary greatly. At it’s simplest, malware can very crude…the virtual equivalent of a rock through the window for a smash and grab. At it’s most complex, malware is a high level jewel heist that movies are based on.
The more high end the target, the more likely that you’re dealing with a jewel heist. In these cases, the malware is combing the corporate network looking for any data that may interest the attacker.
These malicious applications are designed to avoid detection at all costs, the attacker’s goal here is to maintain access as long as possible in order to gather as much information as possible.
Defence
Now that we understand the threat a little better, how do we defend against it? Because this is a pattern of attack, there aren’t any hard and fast technology blocks that we can put in place that will catch all attacks of this type.
Following good, general IT security practices (e.g., defence in depth) will provide some protection but the three defensive keys are;
1 Sandbox the user / limit rights on workstation 2 User education 3 Awareness of information shared online
Sandbox the User
While most corporate images restrict the rights that a user has on the desktop, it’s important to highlight the reasons behind this precaution (within the context of this attack pattern).
If the user is unable to install addition applications and has restricted rights on the workstation, this greatly reduces the options an attacker has for malware delivery.
This means that the malware must exploit a hole in an existing application on the users desktop instead of deploying a new malicious app.
Now, there are plenty of avenues to do this—Internet Explorer and Adobe Reader spring to mind—but holes in these applications are regularly identified and patched relatively quickly. A solid patch management process will help reduce this aspect of the risk by reducing your attack surface (areas where you’re vulnerable).
User Education
Information security with an organization is a shared responsibility. Yes, a team of trained analysts and experts plays a big part in a success security program but without the everyone else onboard, they’re fighting an uphill battle.
User education—not just training or awareness—is a key. High end attacks like whaling and spear phishing require the user to make an educated decision. Security teams cannot simply hope that users will make the right call. Teams should be very active within their user community helping to educate the community about the risks they are facing.
I can’t stress this enough…there is no silver bullet technology that will solve this problem. A strong education program will provide the biggest return on your investment against this class of threats and almost every other threat out there.
Awareness of Information Shared Online
Social media, very low barriers to publishing, and open approaches to government data mean that there is more information about us readily available than ever before.
This flow of information is enabling a lot of positive new initiatives and processes but it does come at a cost. These ease of executing these types of attacks are part of that cost.
I don’t advocate that we reduce the amount we share, just be aware of what you’re sharing and where. The amount of information online about you can make it very easy to build an accurate profile. This makes these types of confidence-based attacks possible.
When you receive a message from an outside source—and your email system should ensure that inside sources look different or are easily verified—asking you to take action, pause and think it through. Use your best judgement and when in doubt, don’t click!
Conclusion
Whaling, spear phishing, and phishing all attempt to manipulate the user into taking an action they wouldn’t normally agree to.
The attacker uses various tricks to gain the target’s confidence and compel them to action. This isn’t anything new, con artists have been pulling off similar scams for centuries.
What is new is the speed at which the attacks can be orchestrated, the severity of the consequences, and the low level of risk for the attacker. The best defence is to follow security best practices and to be aware of the possibility of being attacked.
Don’t live in fear of an attack but if an email is suspicious, be sure to report it to your security team or delete it and mark it as SPAM.
Did you enjoy this article? You should follow me on Twitter.