Online criminality thrives and challenges
even the tightest security systems. The most important thing to do: don’t fall
for e-mails that look like an official subpoena from the District Court but ask
you to follow a hyperlink. The CEOs of several companies have been the target
of such phishing attacks, which at first glance seem legit, but in reality
they’re all part of a scam.
Among the CEOs who have been
targeted by these attacks was Panos Anastassiadis, CEO of Cyveillance, a
company that provides computer security services.
“While Cyveillance comes across
thousands of phishing attacks, today’s is unique because it highlights the
extent to which cyber criminals will manipulate emails to defraud the public,”
Anastassiadis noted in a statement. “Through the personalization of fraudulent
emails, spear phishers use reputable sources to add credibility to their
attacks and create an extreme sense of urgency, catching victims off guard.”
The e-mail sent to several
companies included the exact name of the CEO, the company’s name and phone
number and appeared legit.
John Bambenek of SANS Internet
Storm Center explained how these e-mails worked: “it asks them to click a link
and download the case history and associated information. One problem, it’s
total bogus. It’s a “click-the-link-for-malware” typical spammer stunt. So,
first and foremost, don’t click on such links.”
What people should know,
Bambenek further noted, is that the United States Federal Courts do not send
subpoenas over e-mail: “While there is an Electronic Case Management System,
initial contact for a subpoena, lawsuit or other process is done the old
fashioned way... someone serving you the old fashioned way. Presumably, if you
did already get served you would have a lawyer handling the case for you. In
that instance, the lawyer, not you, would be getting electronic notices from
the court after service has been handled.”
The advice is: unless you are a
lawyer, you shouldn’t be getting these types of e-mails, so do not open
them. The scam was designed so that once you follow the link and click download,
you install malware capable of stealing certificates on the system. So if you’re
not sure whether the e-mail is legit, consult a specialist before opening it.
© 2007 - 2008 - eFluxMedia