Application security, Threat Management, Incident Response, Malware, Phishing, TDR

CEOs targeted by subpoena spam

Thousands of chief executives in the United States were targeted Monday by a new round of phishing emails that claim to contain a subpoena ordering recipients to testify in federal court.

Instead, the executable file said to contain the subpoena actually is an information-stealing trojan, John Bambenek, a handler at the SANS Internet Storm Center and aninformation security researcher at the University of Illinois inChampaign, told

"The idea was a very good one," he said. "People see a subpoena and they're like, 'Oh my,' especially a CEO."

The malicious executable creates a browser-helper object (BHO) and opens a hidden window in Internet Explorer, which communicates with a command and control center in Singapore and can install malware, such as a keylogger, Bambenek said. The BHO also steals digital certificates installed on the recipient's computer.

"Since you're talking about CEOs of companies, that could potentially be big," he said. "People can authoritatively send out emails or notifications as a CEO of a company and digitally sign them."

The scammers behind this digital assault were the same individuals responsible for fake emails purporting to be from the Better Business Bureau, Bambenek said. However, the senders were sloppy in their latest run.

"If you paid attention, there were lots of clues that this wasn't kosher," he said. "The biggest one is that you're not going to get served over email. The court would simply not take it seriously. You have to be served the old-fashioned way."

Other giveaways that the email is a hoax include invalid headers, bogus case numbers and grammatical and spelling errors, he said.

The emails, though, come packed with social engineering tactics, including the recipient's full name, company name and work phone number, which distinguish them from run-of-the-mill junk mail, said Sam Masiello, director of threat management at MX Logic.

"By targeting C-level executives, the technique used in this type of attack is called 'whaling,'" he said. "It is called whaling because they are trying to get the largest fish that they can on the hook, people who are generally more affluent and stand more to lose, both personally and professionally."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.