Cyber-criminals who traditionally trawl the Internet for scamming victims in the process known as "phishing" are now looking for bigger fish – and are going "whaling".
While phishing attempts indiscriminately target large numbers of Internet users and are aimed at the mass theft of identities – often constituted by credit card numbers and other forms of personal information – whaling specifically targets high-income individuals and companies.
"A handful of attacks that took place over the past month in the US market, aimed at smaller, more focused groups of high net worth individuals and senior business executives, have made the security world worried about a new threat that's emerging from the collection of nasties that fall under the banner of phishing," says Patrick Evans, regional director for Africa at Symantec.
"And, since the targets of these new attacks and the companies they work for stand to lose a great deal more per identity that's compromised, this new threat is arguably far more serious than the mass phishing attacks the market has had to contend with up until now," he adds.
Evans says whaling has caused a serious stir in the market. The extra time criminals have on their hands by virtue of there being a smaller target group allows them to make the "bait" look extremely legitimate, to the point where they often include accurate company credentials and logos and are written in the style of communications the target would normally expect.
"These factors have made it extremely difficult for the targets to tell the difference between a legitimate e-mail and a whaling attempt, something that has resulted in the success rate of whaling attempts outweighing the success rate of conventional mass market 'phishing' attempts," he adds.
According to the latest Symantec Internet Security Threat Report (ISTR XIII), stolen identities sell online for as little as $1 each, and are sold by the thousands. "Identities stolen through whaling will be worth significantly more," comments Evans.
He says that, besides the nature of the targets and the far more professionally authored bait, whaling attacks wreak the same kind of havoc that phishing attacks do.
"Generally, they entice the target to click on a link or an attachment and thereafter launch a piece of code that either logs the victim's keystrokes or mines their computer for valuable information. In some cases, the user is directed to a dummy website where the user enters their username and password," he says. "And, since the computer belongs to a high-value target, the information is more valuable."