Attacks/Breaches
4/15/2008
02:46 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Spear-Phishing Attack Uses Fake Subpoenas To Steal From CEOs

iDefense estimates that the attack went out to about 15,000 to 20,000 executives, resulting in about 1,800 confirmed malware victims.

The SANS Internet Storm Center on Monday warned that CEOs of some companies are being targeted with a phishing attack involving fake federal subpoenas sent via e-mail.

"We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case," said John Bambenek, a security researcher at the University of Illinois at Urbana-Champaign and Internet Storm Center handler, in an online post. "It then asks them to click a link and download the case history and associated information. One problem: It's totally bogus."

Clicking on the link in the fake subpoena leads to malware, Bambenek explains. "So, first and foremost, don't click on such links," he said. "An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way."

Targeted phishing attacks of this sort are often referred to as spear-phishing attacks.

Panos Anastassiadis, president and CEO of Cyveillance, a computer security company, was among those who received the fake subpoena. Having some familiarity with such ruses, not to mention the fact that subpoenas aren't sent via e-mail, he wasn't fooled. A copy of the bogus e-mail has been posted on the company's Web site.

"Like many other spear phishing attacks, the phisher performed research before launching his or her attack," Cyveillance explains on its Web site. "Specifically, the individual was able to locate [and] use our CEO's e-mail address and the Cyveillance phone number in the e-mail. This information was used to enable and build additional credibility for the attack."

James Brooks, director of product management at Cyveillance, said that anyone clicking on the malware link in the message would have be hit with a Trojan downloader, which would have phoned home to fetch additional malware.

"Most of these attacks are exploiting well known vulnerabilities," said Don Leatham, director of solutions and strategy for Lumension Security. "The first step is to eliminate the vulnerabilities by staying patched. There is the challenge of the zero-day threat, but from what we've seen, the majority of these Trojans are spreading through vulnerabilities that can be closed."

Leatham said that about half of the anti-virus software out there didn't recognize the malware in this attack, a fact that underscores the need for other forms of defense like user education.

The malware in question is a browser helper object known as a form grabber. "It's 'helping' function is to take all the data you enter into forms and send it back to the attacker," explained Matt Richard, director of rapid response for iDefense.

Richard estimated that the attack went out to about 15,000 to 20,000 executives, based on an approximate infection rate of about 10%, which resulted in about 1,800 confirmed victims of the attack. He said he could not discuss which CEOs succumbed to the scam, but said that they ran the gamut from mom and pop companies to fairly large enterprises.

Richard said that this form of targeted attack has been particularly popular among three cybercrime groups, two of which are Romanian and one of which is Russian. These groups have also used fake messages from the Better Business Bureau, the IRS, and the Department of Justice.

Attacks of this sort, said Richard, often last no more than a week. They target executives to gain access to their bank accounts, which typically have a significant amount of money. "It's a very quick hit," he said, noting that he has seen similar attacks result in bank account losses that range from $100,000 to $1 million in aggregate.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1291
Published: 2015-09-03
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not check whether a node is expected, which allows remote attackers to bypass the Same Origin Policy or cause a denial of service (DOM tree corruption) via a web s...

CVE-2015-1292
Published: 2015-09-03
The NavigatorServiceWorker::serviceWorker function in modules/serviceworkers/NavigatorServiceWorker.cpp in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy by accessing a Service Worker.

CVE-2015-1293
Published: 2015-09-03
The DOM implementation in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.

CVE-2015-1294
Published: 2015-09-03
Use-after-free vulnerability in the SkMatrix::invertNonIdentity function in core/SkMatrix.cpp in Skia, as used in Google Chrome before 45.0.2454.85, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering the use of matrix elements that lead to an...

CVE-2015-1295
Published: 2015-09-03
Multiple use-after-free vulnerabilities in the PrintWebViewHelper class in components/printing/renderer/print_web_view_helper.cc in Google Chrome before 45.0.2454.85 allow user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact by triggering nested IPC m...

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.