Whaling is a social engineering attack, a variant of spear phishing, characterised by the fact that the fraud is directed at specific members of the organisation, mainly senior executives, with the aim of obtaining their keys, passwords and any kind of confidential information that would give the attackers access to and control over the company's information systems.

The way the attack is carried out under this scheme is very similar to that of phishing attacks. It proceeds by sending fake e-mails containing links to fraudulent websites, the difference being that in the case of phishing the victim is not necessarily a director or senior officer of the organisation.
http://www.inteco.es/glossary/Formacion/Glosario/
Whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities.
As with any phishing endeavor, the goal of whaling is to trick someone into disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts. The attacker may send his target an email that appears as if it's from a trusted source or lure the target to a website that has been created especially for the attack. Whaling emails and websites are highly customized and personalized, often incorporating the target's name, job title or other relevant information gleaned from a variety of sources.
The term whaling is a play on words because an important person may also be referred to as a "big fish." In gambling, for example, whales are high-stakes rollers who are given special VIP treatment.
Due to their focused nature, whaling attacks are often harder to detect than standard phishing attacks. In the enterprise, security administrators can help prevent successful whaling expeditions by encouraging corporate management staff to undergo information security awareness training.
http://searchsecurity.techtarget.com/