Wednesday, April 16, 2008

Spear phishing for CEOs

No matter how often people are reminded that they shouldn't click on links in unexpected emails, and that they shouldn't download software from an unknown source, there are still victims. Even highly-placed, affluent victims. The kind phishers really like.

A ComputerWorld story by Robert McMillan details a recent example.

Panos Anastassiadis didn't click on the fake subpoena that popped into his in-box on Monday morning, but he runs a computer security company. Others were not so lucky.

In fact, security researchers said that thousands have fallen victim to an e-mail scam in which senior managers such as Anastassiadis are told that they have been sued in federal court and must click on a Web link to download court documents. Victims of the crime are taken to a phony Web site where they are told they need to install browser plug-in software to view the documents. That software gives the criminals access to the victim's computer.

This type of targeted e-mail attack, called "spear phishing," is a variation on the more common "phishing" attack. Both attacks use fake e-mail messages to try to lure victims to malicious Web sites, but with spear phishing, the attackers try to make their messages more believable by including information tailored to the victim.

The troubling thing is that so many reputable sites legitimize the phishers' tactics by asking people to do exactly the same things: click on this link to log in to your account; download this plugin to view your bill.

If you're used to getting such messages from your bank, the phone company, and your health insurer (not to mention your professional society), you will likely not be so wary when you get a message that is only pretending to be from one of them, or that is pretending to be from some important organization that you deal with less frequently, like the Federal courts or the IRS. I must get a dozen such messages a week.

Shame on ACM! Shame on Verizon Wireless! Shame on Blue Shield of California! And the list goes on... But kudos to Wells Fargo!
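Since the ask itself ("click here", "install this viewer") is the same in a legitimate notice and in the fake subpoena, the only thing left to check is where the link actually goes. The script below is an added example, not code from the original post or from anyone it mentions: it parses a constructed HTML e-mail and flags links whose destination host lies outside the sender's domain, or whose visible text names a different host than the href. The sample messages, the `.example` domains, and the two-label approximation of a "registrable domain" (no public-suffix list) are assumptions made for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or bare hostname, e.g. "www.uscourts.example/cases/".
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:]\S*)?$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Assumption for this example: no public-suffix
    list is consulted, so 'example.co.uk'-style domains are only approximated."""
    if not host:
        return ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_suspicious_links(raw_message):
    """Return [(href, [reasons])] for links in an HTML e-mail whose destination does
    not match the sender's domain or the host named in the link's visible text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    sender = ""
    if from_header is not None and from_header.addresses:
        sender = registrable_domain(from_header.addresses[0].domain)

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _AnchorCollector()
    parser.feed(body.get_content())

    findings = []
    for href, text in parser.anchors:
        link_host = (urlparse(href or "").hostname or "").lower()
        if not link_host:
            continue  # mailto:, relative or malformed links are out of scope here
        reasons = []
        if sender and registrable_domain(link_host) != sender:
            reasons.append(f"link host {link_host} is outside sender domain {sender}")
        shown = HOSTLIKE.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(link_host):
            reasons.append(f"visible text names {shown.group(1).lower()} but the link goes to {link_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample in the style of the fake-subpoena campaign described above (not a real message).
FAKE_SUBPOENA = """\
From: "US District Court" <clerk@uscourts.example>
To: ceo@victim.example
Subject: Subpoena in civil case
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You are required to appear. Download the court documents:</p>
<a href="http://uscourts-documents.example.net/subpoena.php">http://www.uscourts.example/cases/</a>
<p>You may need to <a href="http://plugins.example.net/viewer.exe">install a browser plug-in</a> to view them.</p>
</body></html>
"""

# Constructed legitimate-looking notice: same "log in" ask, but the link stays on the sender's domain.
LEGIT_NOTICE = """\
From: "Example Bank" <alerts@bank.example>
To: customer@victim.example
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available. <a href="https://online.bank.example/login">Log in to view</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("fake subpoena", FAKE_SUBPOENA), ("bank notice", LEGIT_NOTICE)):
        print(name, "->", find_suspicious_links(raw) or "no mismatched links")
```

Caveat: this is a heuristic, not a verdict. Legitimate senders routinely route links through tracking or hosting domains that differ from the From address, so the check produces false positives on exactly the kind of mail the post complains about; its value is in forcing the question the "click here" wording is designed to make you skip.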



Comment by Blogger victor louis:

It is a kind of whaling attack, targeting big fish in corporate offices like CEOs, top executives and managers.

“This is one of the best phish e-mails I've seen in the past 6 years,” as quoted from Mr. Steve Kirsch, a well-known Silicon Valley entrepreneur.

Remember that it is not legal to send a subpoena via email unless it is agreed to by the people. Also, all US Federal courts have URLs of the form “” and not of the form
“” mentioned in the email. So beware of these kinds of mails. The Abaca Email Protection Gateway ( service was the only service I know of that quarantined these emails.

11:40 PM  
