"Some people can read War and Peace and come away thinking it's a simple adventure story. Others can read the ingredients on a chewing gum wrapper and unlock the secrets of the universe." - Lex Luthor, "Superman" (1978).
So, what does chewing gum have to do with the secrets of the universe? If you asked yourself that question, you’re in good company because that was Eve Teschmacher's response to Luthor in the movie. That's the question we’ll be discussing in this article with the goal that you too will be able to look at that gum wrapper and uncover the secrets hidden inside.
Also, just like the Superman movies, this article will evolve into a series in which we explore various social engineering methodologies and how they have developed over time, thus furthering your understanding of the hacking universe.
In this installment that I'll call "one phish, two phish, red phish, holy crap is that a white whale?" we will examine phishing and how this technique has evolved into whaling.
Phishing is the fraudulent practice of sending emails purporting to be from legitimate companies to induce individuals to disclose private data, such as passwords and other sensitive information. The problem with this technique for the attacker is that the return on investment (ROI) can be very low.
Let me elaborate with a little story from my past. After my first company's success and sale, I wanted to get out of the tech industry. I had made my money and wanted to get into a business that was always a passion of mine - cigars. When I opened my cigar store, I was a little lost when it came to advertising. I did my research and tried a few things from TV ads to premium listings in the YellowPages (that's the phone book, for those who aren't old enough to remember). After some time, I found that none of these options brought me the return on investment that I wanted.
Then one day a salesperson from a coupon pack company came into the store and presented me with the opportunity to place an advertisement in their monthly mailer. The price was right, and I hadn't tried it, so I gave it a shot. Within a short period, I got the results I wanted: a small investment and a substantial return. It was awesome. After a few months though, the rate of new customers started to dwindle. I had hit a wall, because I was a retail shop and customers will only travel so far for a product. The rate of return on that mailing list eventually stopped being worth the effort and money.
That's fundamentally the issue with the phishing email lists that malicious actors use. Many of these actors share their records, and users and email providers have gotten wise to this and have become much better at blocking the scattershot techniques they use. Now, to be clear, these emails still get by many blocking services and users continue to click on them. That said, the number of people clicking has continued to decline with all these security layers in place, alongside more traditional corporate employee training.
So, what's a malicious actor to do? They pivot: instead of hoping that shrapnel strikes lots of lower-value targets, they go the sniper route - a much more targeted campaign aimed at a few high-value targets.
Whaling is the next step up in the evolution of phishing. Instead of doing a “spray and pray,” you target specific members of an organization with carefully researched hooks in the hopes of getting the recipient to perform the desired action.
Most phishing emails are pretty generic and follow the same formula; "We noticed unusual account activity... click here to secure your account" is a very common lure, and most phishing emails are built on that general template. When it comes to whaling, however, the stakes are much higher, so the email must be much more specific. That requires more work on the part of the attacker, but the potential reward is so much higher.
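To make that contrast concrete, here is a small scoring filter added for this article (it is not code from the original post or from any product). It scores three constructed messages, one built on the generic "unusual account activity" template above, one targeted whaling note, and one legitimate IT notice, against a handful of lure phrases and two link checks. The lure list, the weights, the sample messages and every domain in them are assumptions made for the example.

```python
"""Added example (not from the original article): score constructed e-mails
against the generic "unusual account activity ... click here" lure."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrasing of the generic template; a real filter keeps a tuned list.
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"unusual (account )?activity",
    r"click here to (secure|verify|confirm)",
    r"verify your (account|identity)",
    r"account (will be|has been) (suspended|locked)",
)]
# Visible link text that looks like a host or host/path.
HOST_LIKE = re.compile(r"[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL, or of a bare 'host/path' string."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def score_message(raw):
    """Return (score, reasons) for one single-part RFC 5322 message string."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    links = LinkCollector()
    links.feed(body)
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip for phrase matching

    score, reasons = 0, []
    for pat in LURE_PATTERNS:
        if pat.search(text):
            score += 1
            reasons.append(f"generic lure /{pat.pattern}/")
    for href, label in links.links:
        host = host_of(href)
        # Exact domain or a subdomain only, so "evilcorp.example" cannot pass.
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        if host and sender_domain and not same_org:
            score += 2
            reasons.append(f"link host {host} is not under {sender_domain}")
        if HOST_LIKE.fullmatch(label) and host_of(label) != host:
            score += 3
            reasons.append(f"link text {label!r} hides {host}")
    return score, reasons


# Constructed samples: the generic template, a targeted whaling note and a
# legitimate internal notice. All addresses and domains are placeholders.
GENERIC_PHISH = """\
From: "Account Security" <alerts@secure-alerts.example>

<html><body><p>We noticed unusual account activity on your account.
Your account will be suspended in 24 hours. Click here to secure your account:
<a href="http://login.verify-now.example/secure">corp.example/security</a></p>
</body></html>
"""
WHALING_NOTE = """\
From: "Dana Ortiz" <dana.ortiz@corp-example.com>

Pat, following up on our call Tuesday. Legal signed off; please approve the
revised wire instructions before the 5pm cutoff so we make the quarter. Dana
"""
LEGIT_NOTICE = """\
From: "IT Helpdesk" <helpdesk@corp.example>

<html><body><p>Your password expires on Friday. Set a new one at the
<a href="https://portal.corp.example/reset">password portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("generic", GENERIC_PHISH), ("whaling", WHALING_NOTE),
                      ("legit", LEGIT_NOTICE)):
        print(name, *score_message(raw))
```

Run as written, the generic message scores 8 (three lure phrases, a link pointing outside the sender's domain, and link text that displays one host while pointing at another), the IT notice scores 0, and the whaling note also scores 0: it has no link, no boilerplate and nothing a keyword filter recognises. That is the gap the rest of this article is about, and why the defence has to be built around what a given person actually does day to day rather than around the signals that catch mass phishing.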
Let's look at how these campaigns work, step by step, from an attacker’s perspective:
To combat whaling campaigns, you follow the same training practices as phishing drills but ensure they are more specific to the user’s day-to-day functions. For example, instead of sending users a generic message about their account activity, an attacker may:
In conducting these drills, you need to think like an attacker so that you can provide employee training around whaling and the dangers it presents. This may be time-consuming, but cleaning up after a company breach is far more so.