SpearPhishing: Tax Courts Are Gonna Sue Ya!
A targeted spear-phishing attack aimed at corporate executives is shaking up some companies today. The emails look like notifications from the United States Tax Court that someone in the company has neglected to pay their taxes. Then the email urges the reader to download the full petition from a website, which of course contains a trojan horse program. Check out how this looked to executives at McAfee:
From McAfee’s blog here:
The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.
As long as you have email operating for your enterprise, spear-phishing is the only cyber attack that can’t be defended against.
And where do you think attackers harvest these email addresses from? My guess is the public filings at the SEC.gov website.
AW-SUM!
Actually – all of the email addresses are harvested from a data theft from salesforce.com sometime over a year ago. The same list was used for the Better Business trojans over the last several months.