Wednesday, April 16, 2008

Corporate suits targeted in spear phishing attack!

The mainstream media is reporting that the Phishermen attempted to spear a large number of corporate executive types this week.

This form of phishing is referred to as spear phishing, or, when the targets are senior executives, whaling. The intent of phishing is to trick an unwary person into giving up sensitive personal or financial information, which is later used for illicit purposes. Spear phishing or whaling is simply a more focused approach, aimed at specific, high-value individuals, unlike everyday run-of-the-mill phishing attacks, which are sent out by the millions via spam-spewing botnets.

The New York Times is reporting:

Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.

If any of them clicked on the link directing them to a view of the full subpoena, they probably downloaded malicious software with keylogging capabilities. Once this is dropped on a system, keystrokes are recorded and transmitted back to the criminals behind the attack.

The normal intent when this is done is to commit financial crime, but given the targets in this attack, corporate espionage (information theft) could also be the intention.

The malware bundle allegedly places the victim's computer under the control of the phishermen. When this occurs, the infected computer is often referred to as a zombie, or bot.

The latest attack has prompted warnings to be posted on the websites of two California federal courts, as well as that of the Administrative Office of the United States Courts.

The New York Times article speculated that this attack was of Chinese origin, while Brian Krebs's article in the Washington Post speculated that the attack could be of Romanian origin. Both of these speculations came from noted industry security experts. Unfortunately, in the world of cybercrime the activity is often so anonymous that all the rest of us can do is speculate as to who might actually be behind it.

Please note that speculating that the activity might have come from either China or Romania is probably a reasonable deduction. Both countries are known to host a great deal of cybercriminal activity.

It is also being reported that not all the security products out there will detect this attack.

I guess the only solace in this fact is that if you can teach users to recognize the social engineering aspects of these attacks, they aren't going to click on the link and infect their systems.

Even though "fear" is a well-known social engineering technique, if you examine the attack it doesn't make very much sense. After all, the last time I checked, a subpoena delivered via electronic communication wouldn't be legally binding. It's probably a no-brainer that federal courts wouldn't issue a subpoena via e-mail. The same scepticism applies to the link itself: the address the message displays need not be the address it actually takes you to, and a "subpoena" that turns out to be a downloadable program is a giveaway.
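The kind of checks a mail gateway or a sceptical user can apply to a lure like this one, written up here as an added example (it is not code from the post, from the courts or from any product the post mentions). The two messages are constructed for illustration and contain no real hosts, and the rule that legitimate federal court web sites live under uscourts.gov is an assumption made here, not something the post states. The interesting detail is the host check: a look-alike such as uscourts.gov.evil.example contains the official name, so the test has to match on whole domain suffixes rather than on "contains".

```python
"""Heuristic screening of a 'fake subpoena' spear-phishing lure.

Added example for this post, not code from the article or any vendor.
The two sample messages are constructed; the rule that legitimate federal
court sites live under uscourts.gov is an assumption made here.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not stated in the post): official court web sites sit under this suffix.
LEGIT_COURT_SUFFIXES = ("uscourts.gov",)

# Fear/urgency vocabulary of the lure the post describes.
URGENCY_TERMS = ("subpoena", "grand jury", "appear before", "failure to comply")

# Extensions that mean the "subpoena" link really fetches a program or archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".zip")

# Anchor tags: capture the real href and the text the reader sees.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing sample resembling the lure in the post (no real hosts).
PHISH_SAMPLE = """\
From: "US District Court" <clerk@sandiego-court-notice.example>
To: jane.doe@corp.example
Subject: SUBPOENA - Jane Doe, Example Corp

Jane Doe of Example Corp (555-0100) is commanded to appear before a grand
jury.  Failure to comply may be punished as contempt of court.
View the full subpoena: <a href="http://uscourts.gov.sandiego-court-notice.example/subpoena.exe">
http://www.uscourts.gov/subpoena</a>
"""

# Constructed benign sample: same kind of message, everything consistent.
BENIGN_SAMPLE = """\
From: "Clerk of Court" <clerk@example.uscourts.gov>
To: jane.doe@corp.example
Subject: Updated filing hours

Filing hours have changed. Details: <a href="https://www.example.uscourts.gov/hours">https://www.example.uscourts.gov/hours</a>
"""


def under_suffix(host, suffixes):
    """True only when host *is* or is a subdomain of an allow-listed suffix.

    Matching on the whole label chain defeats look-alikes such as
    uscourts.gov.evil.example, which a naive 'contains uscourts.gov' test passes.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def screen(raw_message):
    """Return a list of (code, detail) findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    findings = []

    for href, shown in ANCHOR_RE.findall(body):
        href = href.strip()
        target_host = urlparse(href).hostname or ""
        # Display text that is itself a URL must point at the same host as the href.
        shown_host = urlparse(" ".join(shown.split())).hostname
        if not under_suffix(target_host, LEGIT_COURT_SUFFIXES):
            findings.append(("host-not-allowlisted", target_host))
        if shown_host and shown_host.lower() != target_host.lower():
            findings.append(("text-href-mismatch", f"{shown_host} -> {target_host}"))
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTS):
            findings.append(("executable-link", href))

    # The sender's domain should satisfy the same allow-list as the links.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not under_suffix(sender_host, LEGIT_COURT_SUFFIXES):
        findings.append(("sender-domain", sender_host))

    # Two or more fear/urgency phrases in subject plus body is a soft signal.
    text = " ".join((msg.get("Subject", "") + " " + body).split()).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, screen(sample))
```

Run stand-alone, the phishing sample trips all five checks (look-alike host, display text pointing at a different host than the href, an .exe behind the "view subpoena" link, a sender domain outside the allow-list, and the fear vocabulary), while the benign sample produces no findings. The urgency check is deliberately a soft signal on its own; it is the combination with the link and sender checks that makes the verdict useful.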

Sadly, more employees fall for phishing attempts than many might realize. In fact, some organizations are now testing their own employees with scary results. Most recently, this was done by both the U.S. Army and the IRS.

Update 4/19/08: The FBI announced that a new phishy e-mail is circulating regarding a grand jury summons. Not sure if this is a tie-in, but as Alex Eckelberry lamented on the Sunbelt blog, phishing attacks are becoming more specifically targeted and the intent might be more than stealing financial information. Of course, that's not to say there isn't financial motivation involved; there normally is.

1 comment:

Anonymous said...

It is a kind of whaling attack targeting big fish in corporate offices like CEOs, top executives and managers.

“This is one of the best phish e-mails I've seen in the past 6 years,” according to Mr. Steve Kirsch, a well-known Silicon Valley entrepreneur.

Remember that it is not legal to send a subpoena via e-mail unless the people involved agree to it. Also, all US federal courts have URLs of the form “” and not of the form “” mentioned in the e-mail. So beware of these kinds of e-mails. The Abaca Email Protection Gateway service was the only service I know of that quarantined these e-mails.