CEOs targeted by subpoena spam

Share this article:
Thousands of chief executives in the United States were targeted Monday by a new round of phishing emails that claim to contain a subpoena ordering recipients to testify in federal court.

Instead, the executable file said to contain the subpoena actually is an information-stealing trojan, John Bambenek, a handler at the SANS Internet Storm Center and an information security researcher at the University of Illinois in Champaign, told SCMagazineUS.com.

"The idea was a very good one," he said. "People see a subpoena and they're like, 'Oh my,' especially a CEO."

The malicious executable creates a browser-helper object (BHO) and opens a hidden window in Internet Explorer, which communicates with a command and control center in Singapore and can install malware, such as a keylogger, Bambenek said. The BHO also steals digital certificates installed on the recipient's computer.

"Since you're talking about CEOs of companies, that could potentially be big," he said. "People can authoritatively send out emails or notifications as a CEO of a company and digitally sign them."

The scammers behind this digital assault were the same individuals responsible for fake emails purporting to be from the Better Business Bureau, Bambenek said. However, the senders were sloppy in their latest run.

"If you paid attention, there were lots of clues that this wasn't kosher," he said. "The biggest one is that you're not going to get served over email. The court would simply not take it seriously. You have to be served the old-fashioned way."

Other giveaways that the email is a hoax include invalid headers, bogus case numbers and grammatical and spelling errors, he said.

The emails, though, come packed with social engineering tactics, including the recipient's full name, company name and work phone number, which distinguish them from run-of-the-mill junk mail, said Sam Masiello, director of threat management at MX Logic.

"By targeting C-level executives, the technique used in this type of attack is called 'whaling,'" he said. "It is called whaling because they are trying to get the largest fish that they can on the hook, people who are generally more affluent and stand more to lose, both personally and professionally."


Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.