Commentary

CEO Spam Scam: Phishing For Big Fish

A new targeted spam campaign uses fake federal subpoenas to trick CEOs into clicking on a malware link. One source indicates that 15-20,000 spams went out. And amazingly, about 10 percent of the recipients responded!

This latest spear phishing con -- targeted mal-mails that include personalized information -- included one sent to the CEO of security company Cyveillance.

Oops.

Cyveillance's CEO, Panos Anastassiadis, sprang into action, among other things posting a copy of the spear phish letter.

Unfortunately, not all of the CEOs were as sharp as Anastassiadis, nor, evidently, were their IT teams: the malware involved in the campaign exploits known vulnerabilities that could -- and, dammit, should -- have been patched.

And that's the heart of this particular lesson -- along with the "No, d'uh!" reminder that federal courts do not send subpoenas by e-mail; you'd think a CEO would know these things!
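The "courts do not send subpoenas by e-mail" reminder is exactly the kind of rule a mail gateway can enforce before a message ever reaches an inbox. The following triage routine is an added example written for this page, not code from the article, from Cyveillance, or from any vendor it names; the sample messages are constructed, and the sender domains, link hosts and the `uscourts.gov` allowlist entry are assumptions for illustration. It flags a message when a legal-process lure appears together with a non-court sender, a non-court link, or a link that serves an executable.

```python
import email
import re
from email import policy

# Constructed sample messages (not from the original article): the first is
# modelled on the fake-subpoena lure described above, the second is a benign
# internal notice that happens to contain a link.
SAMPLE_MESSAGES = [
    """From: "United States District Court" <clerk@us-district-court-notices.example>
To: ceo@example-corp.test
Subject: Subpoena in a civil case - appearance required

You are hereby commanded to appear. Download and review the subpoena:
http://us-district-court-notices.example/subpoena/case-1234.exe
""",
    """From: "Legal Department" <legal@example-corp.test>
To: ceo@example-corp.test
Subject: Board meeting agenda

Agenda is in the shared drive: https://intranet.example-corp.test/agenda
""",
]

# Wording typical of a legal-process lure (assumed list; extend from real samples).
LURE_TERMS = ("subpoena", "grand jury", "summons", "appear before")
# Domains a genuine federal court notice could come from (assumed allowlist).
LEGIT_COURT_DOMAINS = ("uscourts.gov",)
# Link suffixes that should never be served by a court notice (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".zip", ".js")
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?", re.IGNORECASE)


def sender_domain(msg):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def triage_message(raw):
    """Parse one RFC 822 message and return {'flag': bool, 'reasons': [...]}.

    The message is flagged only when a lure term is present AND at least one
    further indicator (non-court sender, non-court link, executable link) is seen.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    lowered = text.lower()

    lure_hits = [term for term in LURE_TERMS if term in lowered]
    if not lure_hits:
        return {"flag": False, "reasons": []}
    reasons = ["legal-process lure: " + ", ".join(lure_hits)]

    domain = sender_domain(msg)
    if not domain.endswith(LEGIT_COURT_DOMAINS):
        reasons.append(f"sender domain {domain!r} is not a federal court domain")

    for host, path in URL_RE.findall(text):
        host = host.lower()
        if not host.endswith(LEGIT_COURT_DOMAINS):
            reasons.append(f"link to non-court host {host!r}")
        if path and path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"link serves an executable: {path!r}")

    # More than the lure reason alone means a corroborating indicator was found.
    return {"flag": len(reasons) > 1, "reasons": reasons}


def triage_all(messages):
    """Run triage over a batch of raw messages and return the verdicts in order."""
    return [triage_message(raw) for raw in messages]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        subject = email.message_from_string(raw, policy=policy.default)["Subject"]
        print(("FLAG  " if verdict["flag"] else "pass  ") + subject)
        for reason in verdict["reasons"]:
            print("      - " + reason)
```

The point of requiring a second indicator is to keep a genuine internal discussion of a subpoena from being quarantined; in a real gateway the allowlist and lure terms would be fed from observed traffic rather than hard-coded, and a flagged message would be held for review rather than silently dropped.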

Or maybe not. (Obviously not.)

This one reminded me of a recent bMighty contribution from Cisco that points out the security flaws that management both creates and represents.

And clearly that's a flaw the spear phishers understand all too well.