Carl Weinschenk spoke with Adam O'Donnell, director of emerging technologies at Cloudmark.
Weinschenk: What is whaling?
O'Donnell: I define whaling as being narrow attacks which are highly targeted against highly valuable targets. With any form of phishing, the more you know about the target, the better off you are from a results standpoint. If you are able to get a list of all of a bank's customers, you only go phishing after that brand. It's not that there is such a [high] volume of attacks, but the total cost or effort is very significant. There are [whaling exploits] targeting the U.S. government and military and intelligence services. I wouldn't be surprised if there has been industrial espionage and other forms of espionage. From a standpoint of remediation and prevention, it is a huge issue. From the volume perspective, it is difficult to know.
Weinschenk: Can you give an example of a whaling exploit?
O'Donnell: The stereotypical example that gathered the most attention is e-mail going to an executive of a privately held firm purporting to be from the Better Business Bureau and to be about an investigation. The statement of the investigation has a .zip file at the end of the e-mail that contains a piece of malware.
Weinschenk: How big a problem is it?
O'Donnell: It's becoming a big problem that is difficult to remediate and difficult to prevent. If it's a larger type of attack, spam filters and other technologies will be able to take care of it. If it targets one or several people and is heavily researched and addresses victims by career or projects that they worked on, it is likely to look like a legitimate e-mail. There is a high need for user education to help prevent these kinds of attacks.
Weinschenk: Are the people mounting these attacks the same as traditional phishers?
O'Donnell: I believe it would be different. [Traditional] phishers work with a large volume of e-mail, large collections of compromised accounts, and the resale of them on the malware underground -- the phishing underground. Whaling is something much more specialized. People who are waging these attacks need to understand their quarry. And they may not just be going after financial information. It could be industrial espionage. Whereas phishers push attacks out to the wind, the purpose of whaling is to identify a small group of individuals. It takes a lot more effort because people expect a much higher profit margin. The entire chain behind it appears to be very different.