We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's total bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.
Second, the United States Federal Courts do not "serve" formal process over email. While there is an Electronic Case Management System, initial contact for a subpoena, lawsuit or other process is done the old fashioned way... someone serving you the old fashioned way. Presumably, if you did already get served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.
FOR EVERYONE ELSE: If you get subpoenas, take it to a lawyer. Don't click on links. And most importantly, no one renders service through e-mail right now, and if you tried it wouldn't "count". If you have doubts, call the Clerk of the Court, the opposing party or a lawyer.
TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside. There is good AV coverage of this right now it looks like. The malware then creates a Browser Helper Object (BHO) at %WINDIR%\system32\acrobat.dll and opens a hidden IE window to communciate to the command and control server. The BHO will also steal any installed certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time. (Thanks to Matt Richard of Verisign for the info).
UPDATE 13:04 CDT: Here is the VirusTotal results... guess coverage isn't that good. If you have someone infected, backup data and reinstall, targetted phishes like this ought to concern us more than general ones, and the only way to be safe is to "burn it down" and start over if an infection happens.
UPDATE 13:14 CDT: Here is another malware varient of the same thing, but VirusTotal only has 3/32.
Apr 14th 2008
1 decade ago