Whaling – CompTIA Security+ SY0-401: 3.3

These days, the bad guys know that the management of the company is the one with the money and the power. In this video, you’ll learn about techniques that the bad guys use for hunting the big whale.



Why would the bad guys spend time trying to get information out of me when there are some much bigger fish in the sea? That's where we get the term whaling. It's a lot like phishing, except now we're going after some really, really big fish.

So if you have executives in your organization, those executives undoubtedly have access to private information. They have access to internal information about the organization. If it is a public company, they probably have access to information that the public is not going to see until a big news release. So there are some really valuable things that the bad guys are trying to get access to.

To get the attention of executives, the bad guys usually need some very, very specific information to gain the trust of these folks. Executives are up at a high level in the organization because they are very good business people, and they understand that people are going to be going after the very delicate or very sensitive information, the confidential data, within the organization.

So the bad guys are going to send very focused emails. They’re going to pretend to be somebody that your executives trust. They’re going to have names and information that would cause the executives to feel at ease with the emails or the voicemails or the messages that they’re going to be receiving.

A good example of this is what happened in 2007. In October 2007, a lot of financial companies were receiving very specific, targeted messages. And not just one financial organization, but the executives of many different financial organizations.

Once the FBI and other organizations started looking into this, they realized, and this was announced in November 2007, that salesforce.com, a customer relationship management service on the internet that stores a lot of customer data, had been the victim of a phishing scam. Someone inside Salesforce had been tricked into providing confidential data to the bad guys. That confidential data included the emails, phone numbers, and other personal information of executives, among other things.

So the bad guys said, forget all the other people. Let's just go after the executives. And they started targeting them with these very specific names and very specific emails. It was all up to date because it came right out of the salesforce.com database.

Because this is such a targeted type of attack, and because it uses very well-known communication channels, it's very, very hard to prevent this type of whaling attack. It goes right through your firewall, right through your IPS, right through your email filter, because to the human eye and to the technical controls we have in place it looks like a completely legitimate message. It becomes very, very difficult to stop it through traditional means.
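A whaling message is written to look legitimate, so content filters rarely catch it, but a few things in the headers often still give it away: the display name matches an executive while the address does not come from the company's domain, the sender domain is a lookalike of the real one, or the Reply-To quietly points somewhere else. The following is an added example, not code from the video or from Professor Messer; the executive directory, the `example.com` domain, and the three sample messages are all constructed here to show how such a check behaves on a clean message, a free-mail impersonation, and a lookalike-domain attempt.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): executive display names the bad guys
# are likely to impersonate, and the only domain they legitimately send from.
EXECUTIVES = {
    "jane doe": "example.com",   # CEO
    "raj patel": "example.com",  # CFO
}
INTERNAL_DOMAINS = {"example.com"}


def _norm(name):
    """Lower-case a display name and drop punctuation so 'Jane  Doe' == 'jane doe'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain, internal):
    """True if domain is within one edit of an internal domain or embeds its label."""
    label = internal.split(".")[0]
    return _edit_distance(domain, internal) <= 1 or label in domain.split(".")[0]


def check_message(raw):
    """Return a list of reasons this message looks like executive impersonation.

    An empty list means none of the header checks fired; it does NOT mean the
    message is safe (a compromised real mailbox passes every check here).
    """
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Display name is an executive, but the address is not on their domain.
    exec_domain = EXECUTIVES.get(_norm(from_name))
    if exec_domain and from_domain != exec_domain:
        findings.append(
            f"display name '{from_name}' is an executive but sender domain is '{from_domain}'"
        )

    # 2. Sender domain is a lookalike of one of our own domains.
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if _lookalike(from_domain, internal):
                findings.append(
                    f"sender domain '{from_domain}' resembles internal domain '{internal}'"
                )

    # 3. Replies would go to a different address than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: raj.patel@example.com
Subject: Q3 numbers

See attached.
"""

WHALE = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: raj.patel@example.com
Subject: Urgent wire before the close

Raj, I need this handled quietly today.
"""

LOOKALIKE = """From: Raj Patel <raj.patel@examp1e.com>
Reply-To: accounts@examp1e.com
To: jane.doe@example.com
Subject: Updated banking details

Please update the supplier record.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("whale", WHALE), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw) or "no findings")
```

The clean message produces no findings, the free-mail impersonation trips only the display-name check, and the lookalike-domain message trips all three. These checks are cheap and catch the common case, but they are no substitute for the training discussed next: an attacker who has taken over a real executive mailbox, or who simply writes a plausible message from an unrelated address with an ordinary name, passes all of them.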

So that means we have to train our executives. We have to make sure they understand what the bad guys are doing to gain access to this data, and make sure they know what to look out for. Executives, generally, are very mobile. They are in your building, they are out of your building, and they are carrying iPads and iPhones and other mobile devices, so they may have some unique security concerns that other people in your organization just don't have.

So make sure you keep your security controls current and apply them to everything the executive is doing, wherever they might go. And of course, you'll want to test this.

You might have your CIO phish the CEO and see if the CEO bites. Do some internal testing, some internal auditing. Get the CIO and the other executives accustomed to somebody they don't know very well coming to them and asking for very, very important and confidential information. The more work you do up front with your executives, the less opportunity the bad guys will have to score on this phishing and whaling expedition.