All Top Banking

High Rankings Execs Get Whaled On...

Posted by John B. Frank Tuesday, May 6, 2008

Editor's Note: Whaling is the term used when "phishing" attacks are aimed at the "big fish" (i.e. senior-ranking executives). Once harpooned, they unwittingly download and install software which allows remote control of the computer. Keystrokes, financial data, screen scrapes (creating a .jpeg picture or screen capture), passwords, etc. can then all be captured.

I find it interesting that the success rate of these types of attacks is higher than when attacking the general public. In this case, phony subpoenas were used as the lure. The story mentions that, unlike the phony, spelling-mistake-laden emails that gave "phishing" its name, this new trend involves the use of more professionally crafted and believable storylines and designs. However, one would think that high-level executives would have "caught" at least one of two blatant "giveaways": sending, and thus receiving, a subpoena via email would be one; the other was the email itself directing them to a non-government site. Common sense is an important commodity; never underestimate its power.

On the subject of common sense: if a floating PIN pad was designed to prevent "keylogging," what aspect of the design would prevent "screen scraping"? Seems to me that if a hacker had remote control of the computer, they would have remote control of the "Prt Sc" button and be able to print the screen every time you moused over the floating PIN pad and clicked it.

Here's the article:

SAN FRANCISCO (AFP) - US federal court officials have warned that hackers are emailing phony subpoenas embedded with malicious software to high-ranking executives to steal valuable corporate information.

Thousands of powerful US executives have received the bogus emails that contain links which, if clicked on, install software letting hackers take control of computers and swipe passwords or other sensitive data. Internet security insiders refer to the attacks as "whaling" because they use social-engineering trickery involved in "phishing" but target individual "big phish" instead of casting nets in a sea of Internet users.

"The success rate was incredibly high," Websense Security Labs manager Stephan Chenette told AFP. "Most likely due to the nature of the content and the real data, the emails had their exact names and legal language in there that made it seem like a serious subpoena."

The emails are crafted with the seal of the US federal court in San Diego, California, and are addressed to executives using their names, addresses and other individual details.

Clicking on a link to see a "subpoena" displays a realistic-looking document and stealthily installs malicious computer code in the reader's computer.

"When the recipient tries to view the document, they unwittingly download and install software that secretly records keystrokes and sends the data to a remote computer over the Internet," court officials said in their warning.

"This enables criminals to capture passwords and other personal or financial information and starts software that allows the computer to be controlled remotely."

Subpoenas in the United States are usually served in person to assure judges that the orders from courts have been properly received by those named.

US investigators believe the hackers are not familiar with the court system because the website executives are directed to use a "uscourts.com" domain name while actual court online addresses typically end in ".gov." Aspects of writing in the messages appear British, according to police.

Among the targets have been executives at banking giant CitiBank, Time Warner-owned America OnLine and Internet auction house eBay, according to the courts. There is a trend toward more convincing, targeted "whaling" attacks, according to Chenette, who says to be wary of supposed court or tax department emails.

Trick emails with giveaway spelling errors of the kind that gave "phishing" its name are giving way to well-crafted, believable messages honed using confidential information about targets. "The future of spam is to become more evasive and successful," Chenette said. "It is always a cat and mouse game ... a very real game."
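A defender-side check for the tell the investigators describe above (a court-themed host that does not sit under .gov), written as an added example that is not part of the original post or the AFP article; the agency label list and the sample email body are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Second-level labels that real US federal sites use under .gov. A link whose
# host carries one of these labels but does not end in .gov mirrors the
# "uscourts.com" tell from the article. The list is an assumption for this example.
GOV_LABELS = {"uscourts", "irs", "treasury", "fbi", "sec"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def suspicious_gov_links(body):
    """Return (url, host) pairs whose host impersonates a .gov agency label."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")          # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        labels = host.split(".")
        if len(labels) < 2 or labels[-1] == "gov":
            continue                       # real .gov host, or no usable host
        # Check every label left of the TLD so uscourts.gov.example.net is caught too
        if any(label in GOV_LABELS for label in labels[:-1]):
            findings.append((url, host))
    return findings


# Constructed sample email body; the hosts and the id value are made up.
SAMPLE_EMAIL = """Subject: Subpoena in a Civil Case

You are commanded to appear. View the subpoena at
http://www.uscourts.com/subpoena/view.php?id=XX-000.
Court rules: http://www.uscourts.gov/rules (legitimate host).
Mirror: http://uscourts.gov.example.net/doc.
Unsubscribe: https://example.com/newsletter
"""

if __name__ == "__main__":
    for url, host in suspicious_gov_links(SAMPLE_EMAIL):
        print(f"FLAG {host}: {url}")
```

A mail gateway rule built on this idea flags the lure before it reaches the executive's inbox, which is the layer the article's advice ("be wary of supposed court or tax department emails") relies on people to supply by hand.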
