CEOs targeted by subpoena spam

Share this article:
Thousands of chief executives in the United States were targeted Monday by a new round of phishing emails that claim to contain a subpoena ordering recipients to testify in federal court.

Instead, the executable file said to contain the subpoena actually is an information-stealing trojan, John Bambenek, a handler at the SANS Internet Storm Center and an information security researcher at the University of Illinois in Champaign, told

"The idea was a very good one," he said. "People see a subpoena and they're like, 'Oh my,' especially a CEO."

The malicious executable creates a browser-helper object (BHO) and opens a hidden window in Internet Explorer, which communicates with a command and control center in Singapore and can install malware, such as a keylogger, Bambenek said. The BHO also steals digital certificates installed on the recipient's computer.

"Since you're talking about CEOs of companies, that could potentially be big," he said. "People can authoritatively send out emails or notifications as a CEO of a company and digitally sign them."

The scammers behind this digital assault were the same individuals responsible for fake emails purporting to be from the Better Business Bureau, Bambenek said. However, the senders were sloppy in their latest run.

"If you paid attention, there were lots of clues that this wasn't kosher," he said. "The biggest one is that you're not going to get served over email. The court would simply not take it seriously. You have to be served the old-fashioned way."

Other giveaways that the email is a hoax include invalid headers, bogus case numbers and grammatical and spelling errors, he said.

The emails, though, come packed with social engineering tactics, including the recipient's full name, company name and work phone number, which distinguish them from run-of-the-mill junk mail, said Sam Masiello, director of threat management at MX Logic.

"By targeting C-level executives, the technique used in this type of attack is called 'whaling,'" he said. "It is called whaling because they are trying to get the largest fish that they can on the hook, people who are generally more affluent and stand more to lose, both personally and professionally."

Share this article:

Sign up to our newsletters

More in News

AOL Mail hack furthers spam campaign using spoofed accounts

AOL confirmed on Monday that it was aware of the issue and working to remediate the situation.

Backdoors in Wi-Fi routers, said to be closed, can be reopened

Backdoors in Wi-Fi routers, said to be closed, ...

Although said to be patched, researcher Eloi Vanderbeken discovered during the Easter holiday that backdoors existing in certain wireless routers can be reactivated.

Apple ships Mac OS X updates, fixes several code execution bugs

Apple ships Mac OS X updates, fixes several ...

Among the addressed vulnerabilities, was a bug affecting WindowServer, which could allow an attacker to execute malicious code outside the sandbox.