'Subpoena' spear phishing attacks mount

Reports surfaced last week of emails arriving with bogus subpoenas requesting the named chief executive to click on a link purporting to contain court documents.

The link actually leads to a plug-in that contains a Trojan with the ability to take over the victim's computer.

The reason this attack is so dangerous is that it is correctly addressed and identifies the chief executive by name.

European data security firm Norman said that the emails look very realistic and, unlike many other phishing attempts, use good grammar and spelling.

They contain the correct name of the company, the correct chief executive and can even contain the correct phone number, misleading the recipients into following the instructions.

The link, which appears to lead to the American courts, in fact leads to a server in China, and recipients are asked to install a plug-in to access the 'documents'.

By doing this the victims are in fact installing a Trojan that gives criminals access to data located on the computer.

The Trojan is installed in form of a digitally signed CAB archive which extracts a file called 'acrobat.exe'. This file installs 'acrobat.dll' that gives the Trojan access to all data that passes through the web browser and Windows Explorer.

Current reports show that an increasing number of chief executives have been targeted, and that the apparent legitimacy of the document is proving highly successful for the malware writers.

Trygve Aasland, chief executive at Norman, was one of the recipients. "This email appears legitimate and the technique is clever in that most people will want to discover the details of why and by whom they are being sued," he said.

"Fortunately I am very much aware of these attacks and we remained unaffected. But I can see how others may have been tricked into opening the link and installing the so-called plug in."