The Ethical Hacker Network - Targetted attacks at CEOs

Latest Additions

Who's Online

Andrew Waite

Hero Member

Offline

Posts: 928

Targetted attacks at CEOs

« on: April 15, 2008, 04:19:40 AM »

Guys,

ISC has a story about a new 'click-the-link' email scam with a twist. It appears to be targetted at company CEOs claiming they have been issued a subpoena to give evidence in court. (Story here)

These sort of attacks appear to be gaining in popularity. From my experience this could be a scary trend as CEOs (and other director type roles) are often the least technically savvy in an organisation, along with often the worst security and patch level. I can't help thinking these are targets are going to be successful, and likely becoming less of a rarity.

<Update>
Forgot to mention, as is often the case AV covereage is poor 3/32 on VirusTotal
</update>

Who fancies interrupting a round of golf to ask the top man not to click the pretty links? (me neither...)


« Last Edit: April 15, 2008, 04:21:32 AM by RoleReversal »	Logged

-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk

pseud0

Recruiters
Full Member

Offline

Posts: 208

Re: Targetted attacks at CEOs

« Reply #1 on: April 15, 2008, 09:05:57 AM »

We added this style of attack to our risk briefings for CISOs about 6 months ago. This is a version of the spear phishing attempts that have been gaining momentum, but the subpoena line is a new one to me. Good post.


	Logged

CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

sgt_mjc

Sr. Member

Offline

Posts: 294

Re: Targetted attacks at CEOs

« Reply #2 on: April 15, 2008, 09:54:12 AM »

Thanks for the heads up.


	Logged

Mike Conway
CISSP
CompTia Security +
C|EH

Kev

Sr. Member

Offline

Posts: 428

Re: Targetted attacks at CEOs

« Reply #3 on: April 15, 2008, 07:13:21 PM »

Several years ago there was marketing research done by a direct mail company to determine which mail people were most likely to open first. The number one winner was a notice from the IRS that might look like an audit and the second place winner was mail from an attorney office that might look like a lawsuit. I can testify to the accuracy of this research when I have done social engineering. One time I actually sent an email so obviously a hoax just to prove a point from a law firm I called Dewey, Cheatum and Howe and it stilled worked, LOL! The officer of the company was rather embarrassed later on when I brought it to his attention.


	Logged

sgt_mjc

Sr. Member

Offline

Posts: 294

Re: Targetted attacks at CEOs

« Reply #4 on: April 17, 2008, 09:33:27 AM »

Kev,

You truly are the lowest form of life on Earth. lol I'll bet he felt like a hoarses @$$ afterwards. Great use of social engineering and it goes to prove where the weakest link in any security is, the end user.