Cyber Security Institute

Wednesday, July 10, 2013

Hunting for ‘Whales’ Using Targeted Malware

Until recently, most contemporary malware was designed to infect the greatest number of people, regardless of who they were. This is known as the shotgun approach to malware. The problem with that method, from the criminal's point of view, is that IT security controls and end-user training are beginning to erode its effectiveness. This is forcing a change in tactics: criminals are now putting malware into very sophisticated and convincing packages designed to attract a whale or two. Cyber criminals spend a great deal of time researching their whales, mining information such as place of work, job title, the names of individuals they interact with, and the names of business partners. It's not so much that the malware itself is getting more sophisticated, but the spear phishing presentation used to trick the victim certainly is.

Of course, spear phishing isn't new, but the targets and tactics are evolving, and many users who know not to give away their bank account numbers at home may still be handing over sensitive information in an enterprise setting because of a lack of training and awareness.

Administrative assistants, accountants, salesmen, IT managers, and pretty much everyone else in an enterprise hold a great deal of company knowledge that criminals can use to ultimately unlock a company’s secrets.

But beyond simply explaining the threat to your staff, ask them to take a step back and see what information a cyber criminal can easily dig up about them. This may sound completely narcissistic, but I recommend asking them to "Google" themselves from time to time to see what pops up in the search results. The idea is to familiarize oneself with what is already public knowledge, so that you aren't caught off guard when it is used to gain your trust.

Even though you aren't likely to be considered a "whale" by Las Vegas casino standards, you and your staff need to understand that your position within a large organization probably makes you a pretty big fish in the eyes of a cyber criminal. To help combat these attempts, your best bet is to see what an attacker can see on the Internet, so that it can't be used against you.
Posted on 07/10