Spear Phishing Baits CEOs With Fake Subpoenas

Spear-phishing scams have lured thousands of corporate senior managers, who fell victim to the e-mail scam technique.

Spear phishing is when an e-mail or Web site asks users to click on a link that results in the user downloading spyware or another malicious program. The message employs social engineering tactics to convince the recipient. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that particular individual and gain access to sensitive data.

Security researchers warn that a new type of targeted e-mail attack, called “spear-phishing,” is on the rise to lure victims to malicious Web sites.

Spear-phishing is a variation of the more common “phishing” attack that tries to make its messages more believable by including information tailored to the victim.

Researchers say that thousands have fallen victim to an e-mail scam in which senior managers are told that they have been sued in federal court and must click on a Web link to download court documents.

Victims of the crime are lured to a fake Web site where they are told they need to install browser plug-in software to view the documents. That software gives the criminals access to the victim’s computer.

Some senior managers receive e-mails that are almost believable, including their full name, company name, and even the correct phone number.

Verisign’s iDefense division has tracked more than 1,800 victims who clicked on the e-mail. “This is probably one of the largest spear-phishing attacks we’ve seen to date in terms of the number of victims,” said Matt Richard, director of iDefense’s Rapid Response Team.

Most people have learned to be suspicious of unexpected e-mails that request confidential information or lure them to the criminal’s Web site. All phishing techniques rely on information supplied by the victim to launch an attack.

Typically, a spear phisher requests information such as user names and passwords, or asks recipients to click on a link that results in the user downloading spyware or another malicious program.