One of this year’s most insidious spam and phishing campaigns targets the folks who have access to an organization’s most sensitive data: executives.
The attacks began with an early-summer flurry of malicious e-mails that were purported to be from the Internal Revenue Service and the Better Business Bureau. The messages specifically targeted senior-level corporate executives with phishing scams.
The messages informed recipients their company was the subject of a formal complaint. The execs who got the messages were told to click on an attachment to view the purported complaint.
Clicking on the attachment launched a “Trojan” that installed itself on the recipient’s computer. This piece of malware was in fact a keystroke logger that would upload everything typed by the user to a third-party Web site.
The cybercriminals who launched the attacks used this logger to harvest sensitive information such as passwords and account details.
The messages were aimed at high-level executives — CEOs, CFOs and COOs. The spammers put the targets’ individual names and the names of their companies into the messages.
The targets’ e-mail addresses were likely acquired by fishing for execs’ names on corporate Web sites. The spammers then blasted e-mails to common formulations of e-mail addresses based on those names.
The lesson: Be careful what you post on your corporate Web site. Talk to your communications folks about keeping the info behind a firewall or at least requiring registration on your site to access the info.
Company execs need to be vigilant about clicking on any attachments or embedded links they get in e-mail — even if the message seems to be coming from an official government agency, such as the IRS, or even a trade organization.
And if an e-mail message asks for confirmation of passwords or IDs, it would be a good idea to check with IT first before taking any action.