Tuesday, May 6, 2008

High Rankings Execs Get Whaled On...

Editors Note: Whaling is the term used when "phishing" attacks are aimed at the "big fish." (i.e. senior ranking executives) Once harpooned, they unwittingly download and install software which allows remote control of the computer. Keystrokes, financial data, screen scrapes (creating a .jpeg picture or screen capturing) passwords, etc. can then all be captured.

I find it interesting that the success rate of these types of attacks is higher than when attacking the general public. In this case, phony subpoenas were used as the lure. The story mentions that unlike the phony, spelling mistake laden emails that gave "phishing" its name, this new trend involves the use of more professionally crafted and believable storyline/designs. However, one would think that high level executives would have "caught" at least one of two blatant "giveaways," Sending, and thus receiving a subpoena via email would be one, the other was the email itself directing them to a non-government site. Common sense is an important commodity, never underestimate its power.

On the subject of common sense. If a floating PIN Pad was designed to prevent "keylogging", what aspect of the design would prevent "screen scraping? Seems to me that if a hacker had remote control of the computer, they would have remote control of the "Prt Sc" button and be able to print the screen everytime you moused over the floating PIN Pad and clicked it.

Here's the article:

SAN FRANCISCO (AFP) - US federal court officials have warned that hackers are emailing phony subpoenas embedded with malicious software to high-ranking executives to steal valuable corporate information.

Thousands of powerful US executives have received the bogus emails that contain links which,
if clicked on, install software letting hackers take control of computers and swipe passwords or other sensitive data. Internet security insiders refer to the attacks as "whaling" because they use social-engineering trickery involved in "phishing" but target individual "big phish" instead of casting nets in a sea of Internet users.

"The success rate was incredibly high," Websense Security Labs manager Stephan Chenette told AFP. "Most likely due to the nature of the content and the real data, the emails had their exact names and legal language in there that made it seem like a serious subpoena."

The emails are crafted with the seal of the US federal court in
San Diego, California, and are addressed to executives using their names, addresses and other individual details.

Clicking on a link to see a "subpoena" displays a realistic looking document and stealthily installs malicious computer code in the reader's computer.
"When the recipient tries to view the document, they unwittingly download and install software that secretly records keystrokes and sends the data to a remote computer over the Internet," court officials said in their warning.

"This enables criminals to capture passwords and other personal or financial information and starts software that allows the computer to be controlled remotely."

Subpoenas in the United States are usually served in person to assure judges that the orders from courts have been properly received by those named.
US investigators believe the hackers are not familiar with the court system because the website executives are directed to use a "uscourts.com" domain name while actual court online addresses typically end in ".gov." Aspects of writing in the messages appear British, according to police.

Among the targets have been executives at banking giant CitiBank,
Time Warner-owned America OnLine and Internet auction house eBay, according to the courts. There is a trend toward more convincing, targeted "whaling" attacks, according to Chenette, who says to be wary of supposed court or tax department emails.

Trick emails with giveaway spelling errors of the kind that gave "phishing" its name are giving way to well-crafted, believable messages honed using confidential information about targets. "The future of spam is to become more evasive and successful," Chenette said. "It is always a cat and mouse game ... a very real game."

Disqus for ePayment News