
Cyber crime targets the big fish

Phishing increasingly turns to highly targeted whaling attacks, as syndicates aim for greater financial gain.

By Simeon Tassev, MD of Galix
Johannesburg, 14 Jan 2016

Phishing is a cyber crime tactic aimed at obtaining confidential information such as user names, passwords and credit card information by means of mass electronic communications that appear to be from a trustworthy source, such as a financial institution.

Spear phishing, a more targeted form of this, is aimed at specific individuals or companies using personal information to increase the probability of a successful attack. These tactics are far from new phenomena, having been successfully used by cyber criminals for more than a decade for financial gain.

However, recently there has been a trend among cyber crime syndicates to specifically target single, large organisations or high net worth individuals. Dubbed 'whaling', this form of spear phishing goes after the 'big fish', with highly targeted attacks aimed at producing significant financial gain from a single, more concerted effort. Organisations must be aware of the possibility of this type of attack and apply best practice security principles and solutions to avoid falling victim to such a threat.

Gone phishing

With more sophisticated methods of attack as well as a burgeoning cyber criminal underworld and black market, whaling has become an increasingly lucrative business. Ultimately, it is the result of the natural evolution of phishing, moving towards a more structured method of compromising specific targets for maximum financial gain. Targets may include prominent and wealthy personalities, senior executives in global enterprises, and commonly, financial institutions. While the payoffs are typically higher as a result of the high profile nature of targets, the same tactics used in regular spear phishing attacks apply.

One of the most common methods of obtaining information from targets is to make use of e-mails, seemingly from legitimate entities, seeking specific information. However, this approach has limited effect and is thus most often used in regular, mass-approach phishing scams. Social engineering plays a significant role in spear phishing, and thus in whaling, as personalised, targeted information is most likely to yield greater results.
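The e-mail tactic described above usually shows up in a few header-level tells that a mail gateway can check before a message ever reaches an executive: a sender whose display name matches a senior person but whose address is external, a sender domain that is a near-copy of the organisation's own, or a Reply-To that quietly redirects replies elsewhere. The following is an added illustration, not code from the article or from Galix; the organisation domain, the protected names and the four sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the organisation's own domain and the people an
# attacker would most plausibly impersonate in a whaling e-mail.
# Assumption: ORG_DOMAIN contains none of the character pairs folded below.
ORG_DOMAIN = "example.com"


def normalise_name(name):
    """Lower-case, drop punctuation and sort the words so that
    'Doe, Jane' and 'jane doe' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


PROTECTED = {normalise_name(n) for n in ["Jane Doe", "John Smith"]}


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal(domain):
    """True for the organisation's domain and its subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for an external domain within one edit of ours, or one that
    differs only by the classic substitutions rn/m, 0/o and 1/l."""
    if not domain or is_internal(domain):
        return False
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return folded == ORG_DOMAIN or levenshtein(domain, ORG_DOMAIN) <= 1


def assess_headers(headers):
    """Return the whaling indicators found in one message's From/Reply-To."""
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    findings = []
    if normalise_name(name) in PROTECTED and not is_internal(from_domain):
        findings.append("display-name impersonation")
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            findings.append("reply-to domain differs from sender")
    return findings


# Constructed sample messages: one legitimate, three with typical whaling tells.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jane.doe@gmail.com>", "Reply-To": "jane.doe@gmail.com"},
    {"From": '"Doe, Jane" <jane.doe@exarnple.com>'},
    {"From": "Accounts Payable <ap@example.com>", "Reply-To": "ap@mail-example.net"},
]


def triage(messages):
    """Assess every message; an empty list means no indicator fired."""
    return [assess_headers(m) for m in messages]


if __name__ == "__main__":
    for msg, found in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(msg["From"], "->", found or "clean")
```

The checks are deliberately cheap so they can run on every inbound message; a hit does not prove fraud, but routing such mail to a quarantine or tagging it with an external-sender banner removes much of the advantage a well-researched whaling e-mail relies on. A production version would also consult authentication results (SPF, DKIM, DMARC) and use a fuzzier name match.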

While all information these days has value and can be sold, the targets of whaling attacks are generally chosen for their ability to deliver high profit results. Financial institutions and other entities within the payment card industry (PCI) are frequently the target of whaling attacks for a simple reason - they house vast amounts of confidential customer information, including credit card details. This information is instantly saleable on the dark net and is therefore a highly profitable commodity.

Human shields

While technology solutions are available to protect organisations and individuals from malware attacks, the success of a phishing scam typically hinges on the attacker's ability to obtain personal details and information about the target.


In today's connected world, this is often only too easy, as people post more details than they should on social media, and use insecure channels such as e-mail to send confidential information. The only protection against such threats is education and awareness - the creation of the so-called human firewall - and the implementation of security best practices such as the PCI Data Security Standard throughout organisations.

Phishing, spear phishing and even whaling are nothing new; however, it has become far easier for people to become targets of such attacks. More and more devices are now permanently connected and opened up to the Internet, and society has become comfortable with sharing vast amounts of information online. Both of these factors can be exploited, particularly where there are weaknesses in security defences. The growth of cloud computing and the increasing prevalence of the Internet of Things will only exacerbate this issue.

Hackers have a well-defined business model, and will therefore go after targets that yield the highest profit for the least amount of effort. Protecting organisations and individuals is essential: layers of security and enhanced awareness make an organisation a less attractive target and the job of cyber criminals more difficult. Technology can assist, but ultimately the only defences against social engineering are awareness, education and the creation of the human firewall.
