Whale Phishing Attack on Executives Spoofs Tax Notification
A new whaling attack, a phishing attack aimed at high-ranking officials, that uses a hoax US Tax Court notice as a lure has victimized about 600 people, according to Internet security provider SecureWorks on June 3, 2008.
Researchers at the company indicate that the sender of the phishing e-mail seems to be a Chinese hacker also known for launching many attacks on C-level executives earlier this year (2008). Those attacks posed as legal notifications from the Internal Revenue Service or a federal court and embedded a link in the e-mail message to prompt document downloads.
The new attack also prompts the recipient to download a fake document, but the download actually installs spyware masked behind an Adobe Acrobat ActiveX control. The spyware is installed via a certificate download from a fake certificate authority that uses the VeriSign Trust Network name. Once the fake certificate is loaded onto the targeted computer, the attacker can conveniently re-infect the system, because the system then automatically trusts the attacker's code.
Meanwhile, the spyware, which hunts for client certificates in order to access the user's sensitive and financial account information, is already known, having been caught in many anti-virus traps. Moreover, installing the fake certificate generates a number of warnings in the browser that require the user to authorize the installation.
There are, however, clues to the e-mail's nature: the sender appears as 'United State Tax Court,' where the second 's' is missing from 'States.' Further, the URL shown within the link for downloading the supposed document is 'ustax-courts.com' rather than a .gov address.
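The two clues above (a sender name one letter off from a real agency name, and a link host outside .gov) can be checked mechanically on inbound mail. The following Python code is an added example, not part of the original article; the protected-name list, the 0.9 similarity threshold, and the sample messages with their addresses, subjects and paths are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: sender names this gateway protects (not a list from the article).
PROTECTED = ["United States Tax Court", "Internal Revenue Service"]

# Constructed samples; only the display name and domain in LURE come from the article.
LURE = """From: United State Tax Court <notice@ustax-courts.com>
Subject: Notice of Deficiency

Download your petition: http://ustax-courts.com/docs/petition.pdf
"""
LEGIT = """From: United States Tax Court <info@ustaxcourt.gov>
Subject: Order

See https://www.ustaxcourt.gov/ for details.
"""

def imitated_name(display, threshold=0.9):
    """Return the protected name that display resembles without matching exactly."""
    d = display.strip().lower()
    for name in PROTECTED:
        n = name.lower()
        if d != n and SequenceMatcher(None, d, n).ratio() >= threshold:
            return name
    return None

def link_hosts(body):
    """Hostnames of all http(s) links in a plain-text body, lowercased."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return sorted({h.lower() for h in (urlparse(u).hostname for u in urls) if h})

def analyze(raw):
    """Return findings for one single-part, plain-text message."""
    msg = message_from_string(raw)
    display, _addr = parseaddr(msg.get("From", ""))
    findings = []
    near = imitated_name(display)
    if near:
        findings.append(f"display name {display!r} is a near miss of {near!r}")
    claims_gov = near or display.strip().lower() in (n.lower() for n in PROTECTED)
    if claims_gov:
        for host in link_hosts(msg.get_payload()):
            if not host.endswith(".gov"):
                findings.append(f"link host {host!r} is outside .gov")
    return findings
```

Calling `analyze(LURE)` returns one finding for the misspelled sender name and one for the link host, while `analyze(LEGIT)` returns an empty list.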
Moreover, the URL that hosts the spyware points to the IP address of a server operated under the control of China Network Communication Group in Beijing. Also, the kind of Chinese characters embedded in the executable code suggests that the compiler possibly comes from Hong Kong or Taiwan rather than the mainland.
In related news, VeriSign iDefense Security Intelligence Services indicated that about 6,000 similar phishing messages have been sent out, leading to approximately 600 infections, of which 120 were still forwarding information to a remote hacker as of June 2, 2008.
» SPAMfighter News - 13-06-2008