Whaling: A type of scam you most likely haven’t heard of: Internet ScamBusters #297
Today we explain two threats: whaling (which is new and currently aimed only at top business execs), and a website hack that can affect anyone who visits a compromised site, even a large, well-known one.
Whaling: After phishing comes “whaling,” a sneaky attempt by scammers to hijack the personal computers of top-ranking business execs. We explore this latest form of Internet crime that, for a while, even had the security software companies fooled.
We also report that hackers are breaking into corporate websites and planting invisible code in them that silently sends visitors on to malicious sites. So, watch out!
Before we begin, we recommend you check out this week’s issue of Scamlines — What’s New in Scams? You’ll find two huge scams you definitely want to know about.
Whaling? These Scammers Target Big Phish
Whaling. Bet you thought it was just something that marine conservationists get hot under the collar about. Recently, it’s been the NBT (Next Big Thing) in Internet security.
First we had phishing, where scammers try to grab personal financial details from Internet surfers.
Then there was vishing, in which scammers try the same thing by telephone, typically an automated call asking you to “confirm” your account details. (The text-message version has its own name, smishing.)
And there’s pharming, which tampers with DNS settings, PC hosts files or home network routers so that typing a genuine web address silently takes you to a fake site.
Now, there’s whaling.
As the name suggests if you think about it, whaling is a variation of phishing. But the targets are a whole lot “bigger” — like CEOs and other boardroom execs.
Apart from the status of its targets, whaling differs from phishing in a couple of very important ways.
First, it is not spam — the same message sent to thousands or millions of potential victims. Whaling emails are carefully researched and crafted messages sent to specifically named senior business people.
The scammers have discovered not only the individual’s personal email address but also other information, like their correct title, direct line telephone numbers and names of other key people in the business. Experts think they bought the information from other criminals online.
This kind of individually-targeted mail is known as “spear phishing,” though maybe in the case of whaling we should call it “harpoon phishing”!
Second, the scammers are not just after their victims’ identities. They try to take control of their PCs to get hold of passwords and all sorts of confidential company information.
The tricks they use are clever too. In a fairly recent attack, victims at major financial institutions and other Fortune 500 companies got emails that looked like genuine subpoenas from the US Federal District Court in San Diego ordering them to appear in court, in a civil action.
The emails provided a link supposedly to download the full subpoena. What it actually did was download keystroke-capturing, data-mining software onto the execs’ PCs, while displaying a realistic looking legal document on screen.
Here is part of what the bogus email says:
— Begin bogus email —
Issued to: (Individual’s name and title inserted here)
SUBPOENA IN A CIVIL CASE Case number: 94-621-PGM United States District Court
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below …
Please download the entire document on this matter (follow this link) and print it for your record.
This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer on behalf of the court …
Failure to appear at the time and place indicated may result in a contempt of court citation …
— End bogus email —
The US District Court alerted the FBI and issued a warning on its website.
The bad news is that nearly half of antivirus software failed to detect the Trojan the link downloaded, and thousands of business computers were compromised.
“The success rate was incredibly high,” says Stephan Chenette of Websense Security Labs, the company that first raised the alert.
There were some giveaways in other parts of the email, however. The scammers didn’t always use American English; the wording read more like British or Asian variants of the language. The link pointed to a .com address, whereas US federal court websites are under .gov (uscourts.gov). And the bogus text itself is inconsistent: a grand jury hears criminal matters, so a “subpoena in a civil case” commanding you to appear before one makes no sense.
Patrick Evans of security software company Symantec says: “Companies and high net worth individuals therefore have to be more vigilant than ever, ensure they are taking all of the necessary measures to safeguard against this threat, and generally, stop and think before clicking on an attachment or volunteering information.”
In fact, by following the same rules that apply to conventional phishing, the executives could have stayed safe. In particular, never open a document by clicking a link in an unexpected email; instead, look up the organization’s genuine phone number or web address yourself (not from the email) and ask whether the document is authentic. Hover over a link to see where it really points, and treat any address that doesn’t belong to the organization as a red flag.
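As an added example (not from the ScamBusters article), here is a Python script that applies the “check where the link really goes” rule to an email body. The sample message is constructed to resemble the subpoena email quoted above; the only real-world fact it relies on is that US federal court websites live under uscourts.gov, and every domain name in the sample is a placeholder.

```python
"""Audit the links in a suspicious 'court subpoena' e-mail.

Added example, not part of the ScamBusters article. The e-mail body
below is CONSTRUCTED for illustration; the only real-world fact it
relies on is that US federal court web sites live under uscourts.gov.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body in the style of the whaling message described
# in the article.  Domains are placeholders (example.com).
SAMPLE_EMAIL_HTML = """
<p>Issued to: J. Doe, Chief Financial Officer</p>
<p>SUBPOENA IN A CIVIL CASE</p>
<p>Please download the entire document on this matter
<a href="http://court-subpoena.example.com/download.php?id=1">
http://www.uscourts.gov/subpoena</a> and print it for your record.</p>
<p>Questions: <a href="mailto:clerk@court-subpoena.example.com">clerk</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def target_host(href):
    """Host a link really goes to; for mailto: links, the part after '@'."""
    parsed = urlparse(href)
    if parsed.scheme == "mailto":
        return parsed.path.rpartition("@")[2].lower()
    return (parsed.hostname or "").lower()


def audit_links(html, claimed_domain):
    """Return (href, reason) for each link inconsistent with the claimed sender."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = target_host(href)
        if not under_domain(host, claimed_domain):
            findings.append((href, f"target host '{host}' is outside {claimed_domain}"))
        # A displayed URL that differs from the real target is the classic tell.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            findings.append((href, f"displayed address '{shown}' but link goes to '{host}'"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL_HTML, "uscourts.gov"):
        print(f"{reason}: {href}")
```

Run against the constructed message, the script reports three problems: the download link and the contact address both point outside uscourts.gov, and the download link shows one address while going to another. Note that the domain check matches only the domain or its subdomains, so look-alikes such as uscourts.gov.example.com are still flagged.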
Invisible hack attacks
Meanwhile, a report published by the security firm IronPort warns not only of a big increase in whaling but also of a wave of invisible attacks on company websites that could affect any of us who use them: the sites are hacked and seeded with code that visitors never see, but which sends their browsers to malicious sites.
The big security software companies are updating their programs to detect when this happens. But according to IronPort, some of the blame rests with the firms whose sites are hacked.
Product manager Jason Steer says: “Some organizations forget to secure their web servers because the website is not seen as a revenue-generating system but a media avenue, public sector sites especially.”
From the users’ point of view, the best protection is to keep your browser, its plug-ins and your security software up to date, since the malicious sites these hidden redirects lead to rely on unpatched software, and to run frequent spyware and malware checks.
Checking a site for poor language usage still helps against fake sites and phishing emails; it’s amazing that criminals who are so smart fall down on such a basic issue as getting their words right. But it won’t reveal injected code on a genuine site, which by design shows nothing on screen, so don’t rely on your eyes alone.
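Because the injected code shows nothing on screen, the practical check is done on the page source rather than by eye. As an added example (not from the article, IronPort or any product), here is a Python scanner that looks for the two forms this injection typically takes: an iframe sized to zero pixels or hidden by CSS that loads an off-site address, and a script that rebuilds such a frame with document.write(unescape(...)) so the address is not visible in plain text. The sample page is constructed, and all domain names in it are placeholders.

```python
"""Scan a page for hidden iframes and obfuscated redirect scripts.

Added example, not from the article or from IronPort. The page below is
CONSTRUCTED: a normal site with an injected zero-size iframe and a
document.write(unescape(...)) script appended to it; all domains are
placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

SAMPLE_PAGE = """
<html><body>
<h1>Welcome to the council website</h1>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
<iframe src="http://drive-by.example.net/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//drive-by.example.net/x%22%20width%3D1%20height%3D1%3E'));</script>
</body></html>
"""

# CSS tricks that keep an element out of view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Percent-encoded markup written into the page at load time.
WRITE_UNESCAPE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*'([^']*)'")
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


class PageCollector(HTMLParser):
    """Collect iframe attribute dicts and the full text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def is_hidden(attrs):
    """Zero- or one-pixel frames, or CSS that hides the element."""
    tiny = any(attrs.get(k, "").strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def offsite(url, site_domain):
    host = (urlparse(url).hostname or "").lower()
    return not under_domain(host, site_domain)


def scan_page(html, site_domain):
    """Return (kind, detail, offsite) findings for one page."""
    collector = PageCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        if is_hidden(attrs):
            src = attrs.get("src", "")
            findings.append(("hidden-iframe", src, offsite(src, site_domain)))
    for body in collector.scripts:
        for encoded in WRITE_UNESCAPE.findall(body):
            decoded = unquote(encoded)          # reveal the markup being written
            m = SRC_ATTR.search(decoded)
            where = offsite(m.group(1), site_domain) if m else None
            findings.append(("obfuscated-script", decoded, where))
    return findings


if __name__ == "__main__":
    for kind, detail, away in scan_page(SAMPLE_PAGE, "example.org"):
        print(f"{kind:18} offsite={away} {detail}")
```

On the constructed page the visible map embed passes, while the zero-size frame and the decoded document.write payload are both reported as pointing off-site. Running this over your own site’s HTML after every deployment, or on a schedule, is a cheap way to notice an injection before visitors or the antivirus vendors do; the scanner decodes only the single-quoted unescape() form, so other encodings would need their own patterns.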
That’s it for today — we hope you enjoy your week!