Spear phishing attacks

A variant of the phishing attack typically executed against a restricted group of selected targets. Usually, it uses email-spoofing fraud to exploit a particular organization, seeking unauthorized access to sensitive data. Spear phishing, unlike a basic phishing attack, doesn’t address a wide audience and is conducted by attackers that are more interested in intellectual property, trade secrets, or military information rather than financial gain. Typically spear phishing attacks are conducted by state-sponsored hackers and by hacktivists that search for reserved information for various reasons [1].

Whaling attack

Another evolution of phishing attacks that utilizes sophisticated social engineering methods to acquire confidential information, personal data, access credentials to restricted services/resources from executives of private business and government agencies.  The word whaling is used, indicating that the target is a big fish to capture [2].

In a 2008 FBI subpoena, it was reported that around 20,000 corporate CEOs were attacked with this technique. They received emails that asked them to download a “special” browser add-on to view the entire subpoena document. The link proposed allowed the download of a keylogger that secretly captured passwords. As a result, the compromised companies were victims of further cyberattacks with serious consequences [2].

Water Holing

This attack is quite similar to whaling, however, there are two distinct differences:

  1. The target is often a group or specific organization, not an individual.
  2.  Rather than sending an email, the perpetrator is likely to infect a website which the target is known to frequent for example if the target is medical doctors, the website infected may be doctors.org, a site where doctors frequent for training, networking or other reasons.

Once the website has been compromised it is infected with malware so that visitors to the site eventually become infected during the course of their visit. Water holing schemes  are often quite expensive to plan, prepare and execute this explains why they are usually attacks which target organizations and groups.

References

  1. Mc Afee, “McAfee Labs,” August 2014. [Online]. Available: http://www.mcafee.com/ca/resources/reports/rp-quarterly-threat-q2-2014.pdf.
  2. J. Chhikara, R. Dahiya, N. Garg and M. Rani, “Phishing & Anti-phishing Techniques: Case Study,” International Journal of Advanced Research in Computer Science and Software