Spear-Phishing Attack Uses Fake Subpoenas To Steal From CEOs

iDefense estimates that the attack went out to about 15,000 to 20,000 executives, resulting in about 1,800 confirmed malware victims.

The SANS Internet Storm Center on Monday warned that CEOs of some companies are being targeted with a phishing attack involving fake federal subpoenas sent via e-mail.

"We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case," said John Bambenek, a security researcher at the University of Illinois at Urbana-Champaign and Internet Storm Center handler, in an online post. "It then asks them to click a link and download the case history and associated information. One problem: It's totally bogus."

Clicking on the link in the fake subpoena leads to malware, Bambenek explains. "So, first and foremost, don't click on such links," he said. "An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way."

Targeted phishing attacks of this sort are often referred to as spear-phishing attacks.

Panos Anastassiadis, president and CEO of Cyveillance, a computer security company, was among those who received the fake subpoena. Having some familiarity with such ruses, not to mention the fact that subpoenas aren't sent via e-mail, he wasn't fooled. A copy of the bogus e-mail has been posted on the company's Web site.

"Like many other spear phishing attacks, the phisher performed research before launching his or her attack," Cyveillance explains on its Web site. "Specifically, the individual was able to locate [and] use our CEO's e-mail address and the Cyveillance phone number in the e-mail. This information was used to enable and build additional credibility for the attack."

James Brooks, director of product management at Cyveillance, said that anyone clicking on the malware link in the message would have been hit with a Trojan downloader, which would have phoned home to fetch additional malware.

"Most of these attacks are exploiting well known vulnerabilities," said Don Leatham, director of solutions and strategy for Lumension Security. "The first step is to eliminate the vulnerabilities by staying patched. There is the challenge of the zero-day threat, but from what we've seen, the majority of these Trojans are spreading through vulnerabilities that can be closed."

Leatham said that about half of the anti-virus software out there didn't recognize the malware in this attack, a fact that underscores the need for other forms of defense like user education.

The malware in question is a browser helper object known as a form grabber. "Its 'helping' function is to take all the data you enter into forms and send it back to the attacker," explained Matt Richard, director of rapid response for iDefense.
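Because the malware is a browser helper object, one host-side check is to inventory the BHOs registered for Internet Explorer and see which DLL each one loads. The PowerShell below is an added example, not code from the article or from iDefense; it reads the standard Windows BHO registration keys and does not identify this particular Trojan.

```powershell
# Added example: list Browser Helper Objects (BHOs) registered for Internet Explorer
# and report the DLL each one loads plus its Authenticode status.
# Run from an elevated PowerShell session on the host being reviewed.
function Get-BhoInventory {
    # Standard BHO registration keys: native view and the 32-bit WOW6432Node view.
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Cls = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName
            $inproc = Join-Path $view.Cls (Join-Path $clsid 'InprocServer32')
            $dll = $null; $status = 'NoComRegistration'; $signer = $null
            if (Test-Path -LiteralPath $inproc) {
                # The default value of InprocServer32 is the DLL the browser loads.
                $dll    = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
                $status = 'FileMissing'
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $dll
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Clsid = $clsid; Dll = $dll; Signature = $status; Signer = $signer
            }
        }
    }
}

# Entries whose Signature is anything other than Valid are the ones to review first.
Get-BhoInventory | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

A valid signature only establishes who published the module, so unfamiliar signers still warrant a look.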

Richard estimated that the attack went out to about 15,000 to 20,000 executives, based on an approximate infection rate of about 10%, which resulted in about 1,800 confirmed victims of the attack. He said he could not discuss which CEOs succumbed to the scam, but said that they ran the gamut from mom and pop companies to fairly large enterprises.

Richard said that this form of targeted attack has been particularly popular among three cybercrime groups, two of which are Romanian and one of which is Russian. These groups have also used fake messages from the Better Business Bureau, the IRS, and the Department of Justice.

Attacks of this sort, said Richard, often last no more than a week. They target executives to gain access to their bank accounts, which typically have a significant amount of money. "It's a very quick hit," he said, noting that he has seen similar attacks result in bank account losses that range from $100,000 to $1 million in aggregate.
