Apr 21 2008

I might have fallen for this

Published by at 9:29 am under Hacking

If your CEO received an email stating that your company was being sued in Federal court and that he had to install software to view the court documents properly, what are the chances that he’d do it without thinking? They’re probably pretty good, since the fear of a lawsuit would outweigh any concern over malware, even for a CEO who is inclined to think about security when it comes to his computer. Network World is stating that this may be one of the biggest examples of spear phishing so far. The reason it works is that it plays so well on one of the biggest fears many CEOs have: getting sued.

I’ll be honest, even as a security professional, I might have fallen for this one. It’s scary how much detail went into crafting these emails. The name, address, phone number and other corporate information are correct, eliminating one of the easiest ways to determine whether an email is spam or a phishing attack. The same group is suspected of being responsible for a similar attack last month. Given that Verisign says that over 1800 CEOs have been compromised, that’s a lot of corporate information that’s now in the hands of criminals, even if only a small fraction of those compromises result in data leakage. To make matters worse, the major AV vendors can’t even catch the malware used in this one; this backs up a comment I heard on PauldotCom recently stating that even the best AV vendors are missing 20-30% of all viruses out there today.

This is a really good argument for egress filtering on the firewalls. That’s not enough by a long shot, but it’s a start. We can’t prevent our CEOs from installing software, and we can’t blame them if our anti-virus/anti-malware vendors can’t catch this stuff. The best we can hope to do is limit the impact of a compromise such as this. Next time your CEO wants access to the company databases, point him to this article as a valid reason to just say no.
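As an added illustration of the egress filtering argued for above (this is example code written for this page, not anything from the original post or from Network World), the script below evaluates a default-deny outbound policy against a handful of constructed firewall flow records. The networks, hosts, ports and the key=value log format are all assumptions; the point is that a compromised desktop which can only reach the internal DNS resolver, the web proxy and the mail relay has its callback attempts blocked and logged instead of quietly succeeding.

```python
# Added example (not from the original post): a default-deny egress policy
# evaluated against constructed firewall flow records. Networks, hosts and
# the log line format are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Allowlist: (source network, protocol, destination port, destination network).
# Anything not matched here is denied; that is the egress filtering the post
# calls for: workstations reach only the internal services they need.
EGRESS_ALLOW = [
    ("10.10.0.0/16", "udp", 53, "10.0.0.53/32"),    # internal DNS resolver only
    ("10.10.0.0/16", "tcp", 3128, "10.0.0.10/32"),  # web via the internal proxy
    ("10.10.0.0/16", "tcp", 25, "10.0.0.25/32"),    # mail via the relay
]


def is_allowed(flow: Flow) -> bool:
    """Return True only if some allowlist entry matches; otherwise deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for src_net, proto, port, dst_net in EGRESS_ALLOW:
        if (src in ip_network(src_net) and flow.proto == proto
                and flow.dport == port and dst in ip_network(dst_net)):
            return True
    return False


# Constructed log line format: key=value pairs, one flow per line.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m.group(1), m.group(2), m.group(3), int(m.group(4)))


def denied_flows(lines):
    """Parse each log line and return the flows the policy would block."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


# Constructed sample: the first three lines are normal workstation traffic;
# the last two resemble what malware on a compromised desktop would attempt,
# a direct connection to outside hosts that bypasses the proxy.
SAMPLE_LOG = [
    "src=10.10.4.21 dst=10.0.0.53 proto=udp dport=53",
    "src=10.10.4.21 dst=10.0.0.10 proto=tcp dport=3128",
    "src=10.10.4.21 dst=10.0.0.25 proto=tcp dport=25",
    "src=10.10.4.21 dst=203.0.113.45 proto=tcp dport=443",
    "src=10.10.4.21 dst=198.51.100.7 proto=tcp dport=8080",
]

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_LOG):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Running it prints the two direct outbound connections as denied; in a real deployment those denied flows are exactly the records worth alerting on, since a workstation that talks to the Internet without going through the proxy is either misconfigured or compromised.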



6 Responses to “I might have fallen for this”

  1. kurt wismer on 21 Apr 2008 at 1:07 pm

    actually, i think this is a really good argument for a) treating all new software as suspicious, and b) using untrusted software (if at all) in a virtual machine or some other sort of sandbox (or better yet on a ghostable test machine that’s partitioned off from the ‘trusted’ network if you’re in that sort of environment)…

    that probably sounds paranoid (though it’s been said that a certain level of paranoia is healthy), but even if it turned out to not be intentionally malicious who wants crud from some one-time-use application cluttering up their main pc?

  2. Don Noll on 21 Apr 2008 at 2:55 pm

    I saw a similar attack back in 2006 with faked Better Business Bureau letterhead; it was mailed to the CFO of a consulting client of mine.

  3. Sam Van Ryder on 22 Apr 2008 at 8:47 am

    I don’t understand why anyone would fall for this. Since when are subpoenas served via email? The only reason I see someone falling for this is because they are not technically astute (such as a lawyer or exec), but I would expect at least some level of suspicion from anyone else (quite frankly, even from an exec). I could see an attorney falling for this out of curiosity – but not because they thought it was a real subpoena.

    Certainly, Martin – you couldn’t fall for this one!

  4. randy on 22 Apr 2008 at 9:17 am

    “We can’t prevent our CEO’s from installing software”

    I’d just like to state that we absolutely can stop them from installing software. If we set their account to that of a limited user, they’ll be prevented from installing software, and most importantly ActiveX controls. This means that whether AV works or not, it still can’t be installed. If AV works, that’s just an added bonus.

    If they want software installed, it should be done through the proper channels; the same ones everyone else in the company follows. Besides, they have more important things to do than figure out how to get some piece of software up and running. Shouldn’t they be focused on the business while someone from the helpdesk figures the software out?

    If your CEO has admin rights this event is a perfect reason to justify taking them away.

  5. Martin on 22 Apr 2008 at 9:23 am

    I wouldn’t know that subpoenas are never sent via email and I wouldn’t be surprised to find out many CEOs are equally ignorant. This is an appeal to emotions, specifically fear, and we all let fear overcome common sense from time to time. My natural paranoia probably would have stopped me before I clicked on anything, but not necessarily.

  6. Martin on 22 Apr 2008 at 9:25 am

    We can stop the CEO in theory, but too many of them take the attitude that “it’s my company, I’ll have all the power I want!” You know this as well as I do. I’d love it if the majority of C-level execs would let IT and Security do their job, but the reality in too many businesses is that their ego makes them want to be the administrator on their machine.
