Phishing Scam Targets Corporate Execs
The phishing message, which mimics legitimate subpoenas from the United States District Court in San Diego, is highly targeted and includes the recipient's name, phone number, company and correct e-mail address. Users are further deceived by the e-mail's official-looking URL.
Once the message is opened, recipients are asked to click a link and download an entire copy of the subpoena, along with case histories and associated information.
However, opening the link ultimately installs information-stealing malware -- keystroke loggers that record passwords and other personal data -- and the malware then sends the captured data to the remote attackers. Experts say that the cyber criminals will likely use the acquired information to infiltrate other systems, or sell it in the underground criminal economy.
The U.S. District Court, Central District of California posted an advisory on its Web site warning users about the attack. The advisory said that the court's administrative office had notified the FBI regarding the matter. Meanwhile, a posting on the SANS Institute Web site also advised users who receive subpoenas via e-mail to take them to lawyers.
Security experts say that this recent attack is known as "spearphishing" or "whaling" -- enticing high-level executives with more access to critical and financial information to open a link or visit a malicious Web site, usually through a social engineering tactic. Unlike other mass mailers, these attacks are highly targeted, and usually contain the victim's name and other personal information.
Security experts maintain that these attacks are much harder to detect with traditional filters due to their individual-specific nature, which makes them extremely effective. "This is not the type of phishing you saw in the past. This is very targeted to a specific audience with a message that can relate to them," said Boris Yanovsky, VP of software engineering at SonicWall. "They don't ignore it. They're obligated to look at it and respond to it in some way."
Yanovsky said that the latest attack parallels a trend of phishing attacks that have become very specialized as spam filters have become more effective at catching bulk e-mail. "There are a lot of spam filters out there," he said. "So (the criminals) are really retargeting. If they can create a more concentrated attack, the attack will be much harder to detect."
"With spyware it became about professionals making money. Whenever there's money involved, things start to take a different meaning," Yanovsky added.
To protect against phishing attacks such as this one, researchers at Abaca, a security vendor based in San Jose, Calif., suggested that users find out whether current spam filters have a phishing detection mechanism and look for misspelled names and typos in the body of the message. In addition, researchers advise against downloading any software from an unknown source, and suggest that users distrust anything in an unsolicited e-mail, regardless of how legitimate it might appear -- particularly if that e-mail asks them to visit a Web site.
If anything, security experts maintain that this latest phishing trend demonstrates the need for corporations to replace traditional signature-based antivirus and spam filtering software with more comprehensive, multilayered solutions that include content filtering, intrusion prevention and gateway antispyware.
"With data being the crown jewels of an organization, coupled with the ease of customization of attacks, we are seeing new channels of data loss," said Faizel Lakhani, vice president of products and marketing for Reconnex. "Today organizations cannot depend on pre-defined mechanisms like signature based antivirus or rules based data loss prevention to protect them, rather need systems that can quickly learn what is important and from whom."
"Pre-defined systems are similar to setting your address book on your cell phone once, and then never being able to add to it, versus phones that ask you if you want to add a number to your directory," he added. "I don't know about you, but I can't live with adding people to my cell phone."