[ insider_reports_insider ]
US District Court Spoofed By Malware Criminals
David Utter
Staff Writer
2008-04-15
 Insider Reports RSS Feed
A wave of phishing spam tries to fake out recipients by spoofing a subpoena from a US District Court.
 | | US District Court Spoofed By Malware Criminals |  |
The key to successful phishing attacks comes from being constructed in a way to convince the recipient that the email is legitimate, and the action it calls for is harmless. If more people inspected such messages critically, few attacks would succeed, if any.
But they do, which leads into this tale from security vendor MX Logic. A copy of a new phish making the rounds appears on the company's blog.
This cleverly formatted but spelling challenged document focuses on prompting the recipient into performing a course of action: clicking on a link, in this case one purported to lead to documents related to a grand jury case.
Security pros can guess where that click leads next. Straight to the malware download, of course, but MX Logic also noted a couple of other points about the scam's targeting that makes it stand out:
This new scam follows this same basic social engineering tactic except it takes it one step further in that it also includes the phone number of the company being targeted. This is just another way that the scammers are attempting to establish legitimacy with their intended target since it doesn't look like your everyday, run of the mill type of spam.
By targeting C-level executives, the technique used in this type of attack is called "whaling." It is called whaling because they are trying to get the largest fish that they can on the hook; people who are generally more affluent and stand more to lose, both personally and professionally.
Logins secured via the malware keylogger from such executives, likely high wealth individuals, could lead to access to lucrative accounts at financial websites. If anything, this is another mark against the persistence of using single factor authentication for sensitive websites.
It seems to us the right course of action, at least in the US, would be for the financial industry to contribute people to a working group to determine a single standard second factor of authentication to implement. The government probably has to be involved, due to FDIC and regulatory concerns.
Whatever the case, it needs to happen sooner than later. Delays only aid the criminals who benefit from stealing single factor login details.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
More insider_reports_insider Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
