Es un ataque
de ingeniería social, variante del spear phishing, que se caracteriza porque el
fraude está dirigido a miembros concretos de la organización, principalmente
ejecutivos de alto nivel, con el objeto de obtener sus claves, contraseñas y
todo tipo de información confidencial que permita a los atacantes el acceso y
control de los sistemas de información de la empresa.
La forma en
que se comete el ataque bajo esta figura, es muy similar a la de los ataques de
phishing. Se procede mediante el envío de correos electrónicos falsos que
contienen enlaces a sitios web fraudulentos, con la diferencia de que en el
caso de phishing el afectado no es necesariamente un directivo o alto cargo de
la organización.
http://www.inteco.es/glossary/Formacion/Glosario/
Whaling is a type of fraud
that targets high-profile end users such as C-level corporate executives,
politicians and celebrities.
As with any phishing
endeavor, the goal of whaling is to trick someone into disclosing personal or
corporate information through social engineering, email spoofing and content
spoofing efforts. The attacker may send his target an email that appears as if
it's from a trusted source or lure the target to a website that has been
created especially for the attack. Whaling emails and websites are highly
customized and personalized, often incorporating the target's name, job title
or other relevant information gleaned from a variety of sources.
The term whaling is a
play-on-words because an important person may also be referred to as a
"big fish." In gambling, for examples, whales describe high-stakes
rollers who are given special VIP treatment.
Due to their focused nature,
whaling attacks are often harder to detect than standard phishing attacks. In
the enterprise, security administrators can help prevent success whaling
expeditions by encouraging corporate management staff to undergo information
security awareness training.
http://searchsecurity.techtarget.com/