The names given to various Internet scams are amusing. They also are important. Common sense says that the more precisely a threat is defined, the more effective the technical countermeasures that emerge against it will be. Nomenclature and taxonomies are particularly vital in combating e-mail-based scams because, ultimately, the understanding and cooperation of the public matter at least as much as technical fixes. Simply put, the better folks understand the issues, the better their odds of staying safe -- and that understanding starts with evocative names.
But the names proliferate: phishing, spear phishing, pharming and drive-by-phishing. In a relatively recent innovation, there now is whaling. All of these terms refer to efforts to get folks to surrender valuable information or to click on links that do bad things to their systems, such as planting key loggers and spyware. This Dark Reading piece details whaling. The name derives, no doubt, from the fact that the people targeted are high-ranking "C-level" executives. The difference between spear phishing and whaling appears to be a bit cloudy. Whaling, it seems, involves more extensive research of, and knowledge about, the target. The exploits also can be more elaborate, extending the scam with follow-up phone calls to toll-free (800-type) numbers, usually run over VoIP.
The story refers to a whaling exploit uncovered by Proofpoint in which the e-mails addressed the targeted executives by name and referred to properties they owned. The crooks then use their old tricks, fooling, pressuring and otherwise nudging the victim into doing what they want. The story describes products from Proofpoint and Iconix aimed at safeguarding the executives and their organizations.
This piece from Accounting Web in the UK mentions whaling but, like the Dark Reading piece, doesn't draw clear distinctions between it and phishing. It appears most likely that there are no precise delineations as yet. The piece describes MessageLabs' detection of multiple bursts of whaling e-mails. The bursts can be intense: The company reported 514 sent in two hours in June and 1,100 over a 15-hour period in September. A sidebar has six anti-phishing tips that, perhaps, can be distributed to employees.
This Frequency X post lays out the differences, at least in this blogger's mind, between spear phishing and whaling. Spear phishing, he says, focuses on blanketing a discrete group -- often but not necessarily a business -- with spam, hoping that one or more people fall into the trap. It differs from generalized phishing in that the goal isn't necessarily to gain access to the victim's bank account or other vital personal data. Instead, the aim is access to the organization's entire network. Whaling, conversely, targets only the heads of the organization or other important folks.
These definitions make sense. The key, however, is whether they generally are accepted and used by the bulk of the security community. More likely, the terms will be used interchangeably -- and therefore inaccurately. That's too bad, but unavoidable.
Security IT Hub adds that government and military entities often are the recipients of whaling attacks. An InformationWeek story in November appears to validate this contention with a description of a whaling exploit in October that was launched against the U.S. Equal Employment Opportunity Commission.