Fake Subpoenas Sent To CEOs For Social Engineering 112
An anonymous reader writes "The Internet Storm Center notes that emails that look like subpoenas are being sent out to the CEOs of major US corporations. The email tries to entice the victim to click on a link for 'more information.' According to the ISC's John Bambenek: 'We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via email ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's [totally] bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his email directly. It's very highly targeted that way.'"
Re:You already have real problems. (Score:4, Informative)
Re:Subpoena by *email* ?? (Score:5, Informative)
BUT, if the only known way to contact a defendant or witness is by email (if, for example, their real names or addresses are unknown), then a court can authorize that as an alternative form of service. It's up to the court to decide if email would give sufficient notice and other means are impractical.
Here, of course, there's no reason to think that sending certified mail or a process server wouldn't work -- a corporate CEO isn't hard to find and service on a company can almost always be done through the state's secretary of state.
But, that doesn't mean that electronic subpoenas are never possible, as you suggest.
CEOs read email? (Score:1, Informative)
Re:I have been saying this... (Score:5, Informative)
The real danger lies elsewhere. Stories like this and the cyber-war story about the US and China are the ones that you need to follow and think about.
It looks a lot like the butterfly effect http://en.wikipedia.org/wiki/Butterfly_effect [wikipedia.org] in the fact that one small chance encounter or small piece of information can greatly affect the outcome of a particular chain of events. Your company makes cheeseburger boxes for a company whose CEO, in turn, is a friend of or associate of some political figure. This information is gleened from your system via email, and phishing email is used to get that political figure to open an email which is a dupe of a previous email sent, but contains an active-x payload... this in turn leads to more serious and useful information down the road... and viola! you have enough for a hack on the RNC mail server...
That is how spying works, a little bit at a time, patiently looking for a chink in the armor.
Reminds me of the information security training I had to take before starting my job here at a national lab. First, we watched a video in which an ex-KGB boss who now provides security consulting worldwide says, "Do not think that because you are low-ranking or do not work with classified information, that you are not a potential target for espionage" and goes on to tell us how almost certainly at least a few of the people we work with have been or will be targeted for espionage or potential defection. Then we were told how several pieces of non-classified information can be put together to create classified information, even unintentionally.
Even if you don't work for the government, you have to be really careful if you want your data to be secure.
Re:Boss got this yesterday (Score:2, Informative)
I was hit by it... (Score:5, Informative)
Then I noticed that it was a grand jury for a civil trial. So I'm wondering, do they use grand jury's for civil trials? It was in California, so I thought maybe they somehow did. Then, I could see that they wanted a credit card to get the information. Big red flag, but it used pricing by the page - so I thought only the government could dream up something like this and maybe it was legit. Finally, the domain name for the link to the credit card page looked okay, but it was phony.
All and all, I'll bet a number of people fell for it because the targeting was so good.
Re:Subpoena by *email* ?? (Score:5, Informative)
Most states have similar laws that allow service by any practical means if conventional methods fail.
Re:Subpoena by *email* ?? (Score:2, Informative)
A few phone calls and cross-checks with other resources later, it turned out to be valid.
Re:Hmmm.... (Score:3, Informative)
Re:Boss got this yesterday (Score:2, Informative)
Re:Subpoena by *email* ?? (Score:1, Informative)