
Senior executive spear phishing fraud uncovered.

Norman Security : 18 April, 2008  (Technical Article)
Convincing e-mails of a legal nature target company executives with an embedded Trojan.
Leading European data security firm Norman has issued a warning over several targeted email attacks aimed at CEOs. The email comes in the form of a false subpoena and asks the recipient to install a plug-in that is actually a trojan with the ability to take over the victim's computer.

The sequence of events is as follows:

1. The CEO receives an email that looks like a subpoena addressed to them from the US District Courts in the USA, stating that they have been sued and need to view the court documents by clicking on a web link.

2. The email looks very realistic and, in contrast to some other phishing attempts, the grammar in these emails is good. It also contains the correct name of the company, the correct CEO and might even contain the correct phone number. This misleads the recipients into following the instructions in the emails. The link seemingly points to the American Courts but in fact leads to Jinan, China. After clicking it, the users are asked to install a plug-in to access the documents.

3. By doing this the victims are in fact installing a trojan that gives criminals access to data located on the computer. Such data could include sensitive business or development data, passwords, strategy documents, payment information and so forth. The trojan is installed in the form of a digitally signed CAB archive which extracts a file called acrobat.exe. This file in turn installs acrobat.dll, which gives the trojan access to all data that passes through the web browser and Windows Explorer.

Current reports show that an increasing number of CEOs have been targeted using this 'spear phishing' technique, and that the apparent legitimacy of the document has meant that a number of executives have been tricked into installing the trojan. Trygve Aasland, CEO of Norman ASA, was one of the recipients.

'This email appears legitimate and the technique is clever in that most people will want to discover the details of why and by whom they are being sued. Fortunately I am very much aware of these attacks and so we remained unaffected, but I can see how others may have been tricked into opening the link and installing the so-called plug-in,' said Trygve Aasland, CEO, Norman ASA.

Norman's antivirus products detected this trojan through the unique Norman Sandbox technology.
