Apr 21 2008
If your CEO received an email stating that your company was being sued in Federal court and that he had to install software to view the court documents properly, what are the chances that he’d do it without thinking? They’re probably pretty good, since the fear of a lawsuit would outweigh any concern over malware, assuming yours is a CEO who’s prone to even think about security when it comes to their computer. Network World is stating that this may be one of the biggest examples of spear phishing so far. The reason it works is that it does such a good job of playing on one of the biggest fears many CEOs have: getting sued.
I’ll be honest, even as a security professional, I might have fallen for this one. It’s scary the amount of detail that went into crafting these emails. The name, address, phone number and other corporate information are correct, eliminating one of the easiest ways to determine if an email is spam or a phishing attack. The same group is suspected of being responsible for a similar attack last month. Given that Verisign says that over 1800 CEOs have been compromised, that’s a lot of corporate information that’s now in the hands of criminals, even if only a small fraction of those result in data leakage. To make matters even better, the major AV vendors can’t even catch the malware used on this one; this backs up a comment I heard on PaulDotCom recently stating that even the best AV vendors are missing 20-30% of all viruses out there today.
This is a really good argument for egress filtering on the firewalls. That’s not enough by a long shot, but it’s a start. We can’t prevent our CEOs from installing software and we can’t blame them if our anti-virus/anti-malware manufacturers can’t catch this stuff. The best we can hope to do is limit the impact of a compromise such as this. Next time your CEO wants access to the company databases, point him to this article as a valid reason to just say no.