Friday

Spear Phishing and Whaling

For those who know what spear phishing is (and I hope you do), here is a new form/term: whaling. Where spear phishing targets a particular company, organization, group or government agency, whaling is a targeted attack against a group of high-level executives within a single organization, or against executive positions common to multiple organizations (e.g. the CTO or CFO). Explanation from the ISS blog:

In a whaling attack, the phisher focuses upon a very small group of senior personnel within an organization and tries to steal their credentials – preferably through the installation of malware that provides back-door functionality and keylogging.

By focusing upon this small group, the phisher can invest more time in the attack and finely tune his message to achieve the highest likelihood of success. Note that these messages need not be limited to email. Some scams have relied upon regular postage systems to deliver infected media – for example, a CD supposedly containing evaluation software from a known supplier to the CIO, but containing a hidden malware installer.

The usual common sense and user awareness apply here. Since you are reading this blog, you are a security professional who knows how to recognize phishing. But would your General Manager or CEO recognize a phishing/whaling email? Do the test! ;-)

Bonus: Senior execs targeted in 'precision' malware attacks (TheRegister)
