Are you a whale? Are you the kind of gambler casinos lavish free rooms, exquisite meals, and VIP perks on?
Probably not. But if hackers did the same thing, you'd probably be sitting in the penthouse right now. Worse yet, someone in your enterprise is a whale, and they don't even know it. Smart hackers are changing the way they aim malware, and enterprises need to make users aware.
Until recently, most contemporary malware was designed to infect the greatest number of people, regardless of who they were. This is known as the shotgun approach to malware. The problem with that method is that IT security and end-user training are beginning to erode its effectiveness. Malware has to entice victims into performing an action so that it can be installed on their computer. This can be in the form of an email attachment, instant message, or website link. The communications are very generic in nature, often contain grammar mistakes, and have an overall unpolished feel to them. Once people are trained to detect these telltale signs, most malware and generic phishing attempts are fairly easy to spot, rendering the hackers' campaign useless.
Because of this, cyber criminals are catching only small fish in an ever-shrinking pool. This is forcing a change in tactics, to the point where criminals are now beginning to put malware into very sophisticated and convincing packages to attract a whale or two.
These targeted malware campaigns -- also referred to as spear phishing -- are designed to go after a specific person or organization. Cyber criminals now spend a great deal of time researching their whales, mining information such as place of work, job title, names of individuals they interact with, and the names of business partners. Using this acquired information, a believable tale is woven into a traditional email, website, or instant message format. The message contains enough personal information that it becomes difficult for the whale not to believe it. And before you know it, the whale hands over everything the criminal is looking for. It's not so much that the malware itself is getting more sophisticated, but the spear phishing presentation used to trick the victim certainly is.
Of course, spear phishing isn't new, but the targets and tactics are evolving, and many users who would know not to give away their bank account numbers at home may be handing over sensitive information in an enterprise setting due to a lack of training and awareness. One of the biggest challenges that enterprise security administrators face is convincing employees that they are likely considered whales.
Administrative assistants, accountants, salesmen, IT managers, and pretty much everyone else in an enterprise hold a great deal of company knowledge that criminals can use to ultimately unlock a company's secrets. This information can then be used to either commit wire fraud or to steal intellectual property.
Social networking has made it infinitely easier to gather personal information that can be used against us in a spear phishing attack. Public profile information on Facebook and LinkedIn is commonly used to gain information about the targets. Then, blog and Twitter posts are used to understand the target's thoughts, feelings, and interests across a wide range of areas. Essentially, the more you put out there, the easier a target you become.
I'm not saying that you shouldn't allow your employees or enterprise to have a public presence on the Internet. But beyond simply explaining the threat to them, ask your staff to take a step back to see what information a cyber criminal can easily dig up. This may sound completely narcissistic to them, but I recommend you ask them to "Google" themselves from time to time in order to see what pops up in search results. It's important that when they do this, they log out of social networking accounts first. By doing so, they are able to see the same information that anyone else would see while doing a search. The idea is to familiarize oneself with what is public knowledge -- so you aren't caught off guard when it's used to gain your trust.
Even though you aren't likely to be considered a "whale" by Las Vegas casino standards, you and your staff need to understand that your position within a large organization probably makes you a pretty big fish in the eyes of a cyber criminal. Enterprise organizations control huge amounts of capital and intellectual property -- both of which are highly sought by organized crime syndicates that use targeted malware attacks. To help combat these attempts, your best bet is to see what a hacker can see on the Internet so it can't be used against you.