Phishing From A Great Height

By Guy Bunker | April 17, 2008

Most people think of phishing as something done across millions of people at a time, and that only the daft fall for it. That is not always the case, though: how about going after CEOs? CEOs are busy people, and when they get an email about a subpoena in a civil case, a few of them will be fooled. This happened this week, as reported in the NY Times, and it shows how crafty the cyber criminals are getting. The email looked official, with official-looking graphics and a link to a site with the full details. Of course, if you followed the link and did not have up-to-date anti-malware, you got infected with a nasty keylogger.

What could the CEO have done? The obvious answer is that they should have checked the content and its validity. But who has the time to do that? Here the fear factor, from a social engineering perspective, comes into play, and the knee-jerk reaction is tough to control. That is exactly what you need to do, though: if you receive an email you were not expecting, sit back and think about it. We live in a world where people think they should respond to email instantly; sometimes a little additional thinking time would help. In this case there were names and addresses, so it looked real, but there were no telephone numbers. And would a district court rely on email to issue a subpoena? No. If it was that important it would come via the mail, probably as a registered letter. So there were a few pointers that should have raised alarms. The truth is that everyone needs to remain vigilant and become a little more wary of unsolicited and unexpected email.
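The pointers listed above (legal fear wording, a link to "the full details" on an outside site, names and an address but no telephone number, a sender the recipient does not normally deal with) can be turned into a simple triage check that a mail gateway or a help desk could run before the reader acts. The code below is an added example, not part of the original post or any product; the keyword list, the phone-number pattern, the sample messages and the domains (`corp.example.com`, `subpoena-notice.example.net`) are all constructed for illustration. Whether the message was expected is the one check the post leaves to the human reader, so it is deliberately not modelled.

```python
import re
from urllib.parse import urlparse

# Wording that matches the fear/urgency lever described in the post (a civil-case subpoena).
# Constructed keyword list for the example, not a complete taxonomy of legal threats.
LEGAL_URGENCY = re.compile(
    r"\b(subpoena|district court|civil case|lawsuit|legal action|hereby commanded|appear before)\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Loose telephone pattern: a digit, 7+ digits/separators, then a digit (rejects short case numbers).
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def whaling_indicators(subject, body, sender_domain, trusted_domains):
    """Return the red flags from the post that a message trips, as a sorted list of labels.

    sender_domain: the part after '@' in the From header (extracted by the caller).
    trusted_domains: domains the recipient actually corresponds with (constructed here).
    """
    text = f"{subject}\n{body}"
    flags = set()

    if LEGAL_URGENCY.search(text):
        flags.add("legal_urgency_language")

    # A link to "the full details" that points outside the domains the reader deals with.
    for link in URL.findall(text):
        host = (urlparse(link).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            flags.add("link_to_external_site")
            break

    # Names and a postal address but no telephone number is one of the pointers the post names.
    if not PHONE.search(body):
        flags.add("no_telephone_number")

    if sender_domain.lower() not in {d.lower() for d in trusted_domains}:
        flags.add("unknown_sender_domain")

    return sorted(flags)


def verdict(flags):
    """Map the indicator count to the action the post recommends: stop and think before clicking."""
    if len(flags) >= 3:
        return "high: verify out-of-band via a published court number; do not follow the link"
    if len(flags) >= 1:
        return "medium: treat as unexpected mail and confirm with the sender before acting"
    return "low: no whaling indicators found"


# Constructed sample modelled on the post's description; not the real 2008 message.
SUSPECT_SUBJECT = "Subpoena in Civil Case No. 08-CV-0000 - response required"
SUSPECT_BODY = """You are hereby commanded to appear before the United States District Court
in the above civil case. The full subpoena and hearing details are available at:
http://subpoena-notice.example.net/case/08-CV-0000
Clerk of Court, 500 Main Street, Anytown, AT 00000
"""
TRUSTED = ["corp.example.com"]

# Constructed benign internal message for comparison.
BENIGN_SUBJECT = "Board pack for Thursday"
BENIGN_BODY = """Attached is the board pack. Call me on +1 (555) 010-0000 if anything is missing.
Agenda: https://intranet.corp.example.com/board/2008-04
"""

if __name__ == "__main__":
    for subj, body, sender in [
        (SUSPECT_SUBJECT, SUSPECT_BODY, "subpoena-notice.example.net"),
        (BENIGN_SUBJECT, BENIGN_BODY, "corp.example.com"),
    ]:
        found = whaling_indicators(subj, body, sender, TRUSTED)
        print(f"{subj!r}: {found} -> {verdict(found)}")
```

Run stand-alone, the constructed subpoena message trips all four indicators and the internal board email trips none. The point of the example is the shape of the check rather than the regexes: each indicator is one of the pointers the post says should have raised alarms, and the verdict only tells the reader to slow down and verify out of band, which is the post's advice.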

As for a catchy term for this new kind of phishing… Whaling… after all, this is all about going after the biggest fish in the sea. (I know, whales are mammals… but you can’t have it all!)