Panos Anastassiadis didn't click on the fake subpoena that popped into his
inbox on Monday morning, but he runs a computer security company. Others were
not so lucky.

In fact, security researchers say that thousands have fallen victim to an e-mail
scam in which senior managers such as Anastassiadis are told that they have
been sued in federal court and must click on a Web link to download court documents.
Victims of the crime are taken to a phony Web site where they are told they
need to install browser plug-in software to view the documents. That software
gives the criminals access to the victim's computer.

This type of targeted e-mail attack, called "spear-phishing," is
a variation on the more common "phishing" attack. Both attacks use
fake e-mail messages to try to lure victims to malicious Web sites, but with
spear-phishing the attackers try to make their messages more believable by including
information tailored to the victim.

The e-mail
sent to Anastassiadis, CEO of Cyveillance,
included his name, company's name and even the correct phone number, said James
Brooks, director of product management with the security vendor. "Given
the nature of our business, he suspected something right away and forwarded
it to our operations center."

However, Verisign's iDefense
division has tracked more than 1,800 victims who clicked on the message. "This
is probably one of the largest spear-phishing attacks we've seen to date in
terms of number of victims," said Matt Richard, director of iDefense's
Rapid Response Team.

Verisign believes that the criminals behind this scam are the same ones who
launched an attack last month that used fake e-mails that appeared to be from
the Better Business Bureau. And the U.S. courts have been warning computer users
for years now of an ongoing scam where victims are told that they have failed
to show up for jury duty and then asked to enter sensitive information into
a phishing site.

"The malware itself is not particularly interesting. It was clever that
it went straight to CEOs and it didn't really blast the whole world," said
John Bambenek, a security researcher at the University of Illinois at Urbana-Champaign
and volunteer at the Internet
Storm Center.

"For someone who doesn't know what a legal document looks like, it kind
of passes the smell test," he added. "When they see they've been subpoenaed,
people panic and they click on things they shouldn't."

The mail directs the victim to a Web site that ends in "...uscourts.com"
and is very similar to a legitimate .gov domain used by California courts, Bambenek
said. The Web server delivering the malware is based in China, while the computer
that then controls the victim's computer is based in Singapore.

The malware used in this scam was not
identified by the majority of antivirus companies, although most were updating
their software to flag it, Bambenek added.

By Monday afternoon, the Administrative Office of the U.S. Courts had posted
a note to its Web site, warning of the fake e-mails. "This is not a
valid subpoena," said Karen Redmond, a spokeswoman with the office. "Subpoenas
are not issued like that to individuals unless they're a party in the case."

The U.S. federal court system heavily relies on e-mail messages to help lawyers
communicate with each other and the court throughout cases, and IT staff in
legal firms have traditionally had to work hard to make sure that these messages
are not blocked by spam filters. Now they'll have one more thing to worry about:
whether the court notices they're getting are legitimate notices or an online
attack.

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine