Posted on 04/23/2008 6:06:15 AM PDT by TigerLikesRooster
From Times OnlineApril 23, 2008
Executives harpooned by online 'whalers'
Spies and conmen target bosses in e-mail attacks to install malicious software with access to most privileged data
Jonathan Richards
Corporate bosses have become the latest target of cyber-criminals, after a string of attacks in which senior management have been singled out to receive fraudulent e-mails.
Internet fraudsters have taken to sending personally addressed e-mails to chief executives and other high-level executives with a view to installing malicious software on computers that have access to the most privileged company information.
In the latest e-mail scam, known as "whaling" because it targets "the big fish", executives are sent official documents — for instance, court subpoenas — that apparently relate to the business of senior management.
The employees singled out are typically "C-level", meaning chief financial officers, chief technology and information officers, as well as those in other sensitive parts of the company, such as accounts.
The hope is that recipients will click on a link in the e-mail which directs them to a website that installs a malicious programme on their machine.
Criminals can then gain access to highly sensitive company secrets, such as financial details, news of impending product releases, results of recent research and other information that may enable them to make money on the stock market.
Among the firms known to have been targeted by the scam, which is a variation on well-known phishing e-mails that have hit banks, are those in the arms and energy industries.
In the case of sensitive industries such as defence, those responsible for sending the e-mails may include not only cyber-criminals but foreign governments, experts said.
"You never really expect to see that scenario, which is straight out of Hollywood fiction, but in the case of weapons companies, there probably is some espionage element," Mary Landesman, a senior researcher at ScanSafe, the security firm, said.
In the latest example, chief executives at more than a hundred companies based in the San Fransisco area were sent a personally addressed e-mail commanding them to appear before a grand jury in a district court.
The e-mail specified the date and time of the court appearance, contained reference to specific "Federal Rules of Civil Procedure", and was written in apparently convincing legal language, including expressions such as "this subpoena shall remain in effect until you are granted leave to depart by the court or by an officer on behalf of the court".
The correspondence was also configured so that it came from an address that ended in 'cacd-uscourts.com', a quite close approximation to the typical internet domain for American courts — courtname.uscourts.gov.
Whaling e-mails have for the most part targeted US executives, but security experts said that the scam would almost certainly "jump the pond" and warned senior management in the City to be vigilant.
"If you're an executive in a FTSE 100 company in a sensitive industry, then you need to be very cautious about e-mail and understand that you're a target," Ms Landesman said.
In some cases the e-mails have also made reference to known family members of the executive, gleaned for instance from social networking sites, where members will often post information about what their friends or relatives do for a living.
"Networking sites are starting to play a big role in online scams," Guy Bunker, chief scientist at Symantec, another security firm, said.
"It's on those sites that criminals are learning, for instance, that so-and-so works in accounts at such and such a company."
"Social engineering", the practice by which criminals exploit human curiosity to gain access to information — for instance by pretending they are an employee at a company — is an area of increasing focus for the security industry, and was a big theme at this week's InfoSec conference in London.
Greg Day, a security analyst for McAfee, said: "As we spend more and more time on the internet, our digital fingerprint is simply getting bigger and bigger, and that makes for greater opportunities for people to gather information about us."
Ping!
If you are too vocal about China, Ministry of State Security could pay “undetected” visit to your computer. They have enough people to mind loud-mouthed sardines.:-)
And we all know what happens to sardines.
As computer costs keep dropping, would it not make sense for ‘whales’ to have two completely separate machines, one for e-mail/internet and one for other business functions. I know that would make some operations awkward, but it would be far more secure...
This stuff is coming for everyone, eventually. In the old days, you needed a good fence, a sturdy door, and a solid lock - and a shotgun, too, for those extreme emergencies. I suspect that this kind of software will be waiting to target anyone for anything - employee vs employee, with one looking for info to the other fired; employer vs employee, looking for violations, either real or planted by the software itself; employee vs employer, ditto.
For me, it starts with what I post at sites like this. Sure, I have a psuedonym, which I believe to be totally insecure. Anyone can find out who I am if they try hard enough. So I make sure what I write can’t be used against me. I’m also very circumspect about what I do online, too - which isn’t hard if you lead a life which is based on Christian values, although I’ve fallen off the wagon a few times. In any case, that doesn’t prevent fraud or deciet with my name on it. I have firewalls with firewalls; backed up data outside the grid; and I can see where someday we’ll have to have our own software watchdogs looking for trouble. *sigh*
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.