Attacks/Breaches
4/15/2008
02:46 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Spear-Phishing Attack Uses Fake Subpoenas To Steal From CEOs

iDefense estimates that the attack went out to about 15,000 to 20,000 executives, resulting in about 1,800 confirmed malware victims.

The SANS Internet Storm Center on Monday warned that CEOs of some companies are being targeted with a phishing attack involving fake federal subpoenas sent via e-mail.

"We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case," said John Bambenek, a security researcher at the University of Illinois at Urbana-Champaign and Internet Storm Center handler, in an online post. "It then asks them to click a link and download the case history and associated information. One problem: It's totally bogus."

Clicking on the link in the fake subpoena leads to malware, Bambenek explains. "So, first and foremost, don't click on such links," he said. "An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way."

Targeted phishing attacks of this sort are often referred to as spear-phishing attacks.

Panos Anastassiadis, president and CEO of Cyveillance, a computer security company, was among those who received the fake subpoena. Having some familiarity with such ruses, not to mention the fact that subpoenas aren't sent via e-mail, he wasn't fooled. A copy of the bogus e-mail has been posted on the company's Web site.

"Like many other spear phishing attacks, the phisher performed research before launching his or her attack," Cyveillance explains on its Web site. "Specifically, the individual was able to locate [and] use our CEO's e-mail address and the Cyveillance phone number in the e-mail. This information was used to enable and build additional credibility for the attack."

James Brooks, director of product management at Cyveillance, said that anyone clicking on the malware link in the message would have be hit with a Trojan downloader, which would have phoned home to fetch additional malware.

"Most of these attacks are exploiting well known vulnerabilities," said Don Leatham, director of solutions and strategy for Lumension Security. "The first step is to eliminate the vulnerabilities by staying patched. There is the challenge of the zero-day threat, but from what we've seen, the majority of these Trojans are spreading through vulnerabilities that can be closed."

Leatham said that about half of the anti-virus software out there didn't recognize the malware in this attack, a fact that underscores the need for other forms of defense like user education.

The malware in question is a browser helper object known as a form grabber. "It's 'helping' function is to take all the data you enter into forms and send it back to the attacker," explained Matt Richard, director of rapid response for iDefense.

Richard estimated that the attack went out to about 15,000 to 20,000 executives, based on an approximate infection rate of about 10%, which resulted in about 1,800 confirmed victims of the attack. He said he could not discuss which CEOs succumbed to the scam, but said that they ran the gamut from mom and pop companies to fairly large enterprises.

Richard said that this form of targeted attack has been particularly popular among three cybercrime groups, two of which are Romanian and one of which is Russian. These groups have also used fake messages from the Better Business Bureau, the IRS, and the Department of Justice.

Attacks of this sort, said Richard, often last no more than a week. They target executives to gain access to their bank accounts, which typically have a significant amount of money. "It's a very quick hit," he said, noting that he has seen similar attacks result in bank account losses that range from $100,000 to $1 million in aggregate.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.