Bad guys go from ‘phishing’ to ‘spearphishing’
In the early days of Internet scams, it was pretty easy to spot the swindle. Fantastic stories about hidden millions were peddled, but they all carried some shady aspect. Spelling errors, grammar problems and the involvement of foreign countries all tended to let the cat out of the bag. Most folks were able to sniff out these scams.
So many CEOs were thrown for a loop when a new con showed up recently. This as-yet-unnamed attack took the form of an e-mailed grand jury subpoena from a U.S. District Court, and contained a link to a phony federal judiciary Web site that looked very much like the real thing. The fake Web site provides a link to download court documents. Clicking on this link prompts the user to install browser plug-in software to view the documents. The browser plug-in gives the bad guys access to the victim's computer.
Why was this scam so successful? For one, it contained accurate information such as the executive's name, company name and address, and the company phone number. The e-mail itself appeared very professional, formatted nicely with crisp embedded graphics, and replete with official language. It even made sense, as CEOs were told to report to courts that may actually have jurisdiction. For example, executives in Hawaii were told that they were being subpoenaed by a court in California. Most impressive, it contained no typographical errors whatsoever. Even the most technology-savvy CEOs were thrown for a loop.
This scam demonstrates how advanced the bad guys have become. Sure, the technological aspects are impressive, but the more interesting aspect is the selection of the target audience and the nature of the lure. It's scary enough to grab interest, and not so far fetched as to be implausible.
This type of targeted e-mail attack is called "spearphishing," a variation on the more prevalent "phishing" attack. Both use fake e-mails to entice victims to download malware. Spear-phishing, however, goes a step further and tailors messages to specific audiences.
As we've said before, there's an easy way to verify such e-mails. Instead of just following the link in the e-mail, close your browser, reopen it, and type in the URL of the soliciting organization -- www.uscourts.gov, in this case. By doing so, you would see a description of the scam, front and center on the official Web site of the federal judiciary. This may not always be the case, but if the official Web site does not make any mention of the e-mail solicitation you received, chances are good that it is a scam.
John Agsalud is president of ISDI Technologies Inc., an IT consultancy. E-mail him at
jagsalud@isdi-hi.com