Hoax Subpoena E-Mails Shine Light on 'Spearphishing'
- By Jabulani Leffall
- 04/25/08
Last week, hundreds of executives at some of America's most well-known companies
received e-mails that they probably didn't want to get--even if those messages
weren't a hoax.
It was revealed Wednesday that as many as 2,000 top managers at high-profile
corporations nationwide received e-mail messages early in the week that looked
like an official subpoena from the Uited States District Court in San Diego, CA.
Though this hoax could have been worse, it still brings attention to the growth
of a certain modus operandi among many of the world's most sophisticated hackers:
targeted attacks under the guise of a friendly overture.
"As phishing attacks go, this one has been comparatively small. By some
estimates, the Monday wave tricked about 2,000 people and the second attack
on Wednesday scammed another 100," said Andrew Storms, director of IT security
operations at San Francisco, Calif.-based nCircle Network Security. "Though,
despite the small numbers here, this attack does highlight the new trend of
'spearphishing.' Spearphishing is the term used to denote a highly targeted
and incredibly customized version of the daily-seen phishing attack."
Since the incident, the real federal court for the Central District
of California has posted
an advisory on its Web site alerting users of the nature of the attacks
and admonishing them to report such incidents. Even the IT security think tank
SANS Institute got in on the act with notes on its homepage urging users who
receive subpoenas via e-mail to take them immediately to the company's in-house
counsel, private lawyers or federal law enforcement.
Security patches that guard against such attacks have also been relatively
prevalent in recent Patch Tuesday releases, more evidence that phishing is a
concern that isn't going away.
It All Started with Spam
Security experts say that at its roots, phishing is merely an appendage of an
age-old confidence scheme where curious, interested or greedy parties are reeled
in (hence the term "phishing") and their privileged information
stolen.
Like many others, Don Leatham of Scottsdale, Ariz.-based Lumension Security
traces the method back to the days of AOL, when dialing up to get on the Internet
sounded like fingernails scratching a chalkboard and the pages loaded slowly.