
NEW YORK, Aug. 31 (UPI) -- A rash of "whaling" attacks on corporate data threatens sensitive business information and executives' financial security with no apparent foolproof way available to stem identity theft and online scams, industry sources said.
"Whaling" -- suggesting a hunt for "a big one" -- has progressed from scams called "phishing," in which individuals are hoodwinked into divulging sensitive private information about their finances or personal data used in financial transactions.
"Whaling" first came to light in 2007, but because of the sensitivity of the fraud perpetrated on corporate individuals it remained cloaked in secrecy or its frequency was suppressed, the sources said.
"With targeted phishing attacks on the rise, it's no surprise that cybercriminals are doing their research and aiming at those with the most to lose -- executives," Network World, provider of information, intelligence and insight for network and information technology executives, reported.
As the threat grew in size and individuals chosen as targets became more top brass than ordinary IT workers, "phishing" became "whaling" with far-reaching damaging consequences for individuals and the corporate entities they worked with, analysts said.
However, as "whaling" incidents multiply, corporate security experts are finding it increasingly hard to deal with the problem because of the walls of silence they encounter when seeking to discuss the threat with senior executives.
VeriSign iDefense Labs, a company specializing in cyber threat analysis based in Sterling, Va., reported that targeted social engineering attacks against corporations reached new highs in 2008.
The e-mail-based "spear phishing" and "whaling" targeted senior executives and other high-profile individuals.
"The attacks do not use vulnerabilities in the operating system or applications to install malicious code. Often, anti-virus products do not detect the malicious code involved on the day of the attack," VeriSign iDefense Labs said.
The company cited "staggering" victim counts of 15,000 corporate users in 15 months. "Victims include Fortune 500 companies, government agencies, financial institutions and legal firms. In these attacks, the goal is to gain access to corporate banking information, customer databases and other information to facilitate cyber crime," said the company.
Two groups of attackers are believed to have carried out 95 percent of the attacks monitored by iDefense Labs analysts. Each group installs a unique malicious code and operates independently.
One group installs a Browser Helper Object capable of logging SSL encrypted sessions and performing man-in-the-middle attacks on two-factor authentication systems. Another group installs a full version of the Apache Web server on victims' computers.
The attack involves installing a key logger that is capable of performing attacks on authentication systems.
"Whaling is a new form of phishing which threatens to cripple financial institutions from the top down by targeting executives and other high-level employees," Linda Eagle, president of Edcomm Banker Academy in New York, said in the Chicago Tribune.
Industry analysts have identified different templates used in perpetrating fraud, including Internal Revenue Service, Federal Trade Commission, U.S. District Courts, Department of Justice and pro forma invoices.
The Federal Trade Commission advises potential victims, "If you believe you've been scammed, file your complaint at ftc.gov, and then visit the FTC's Identity Theft Web site at www.consumer.gov/idtheft."
The FTC warns, "Victims of phishing can become victims of identity theft. While you can't entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk."