Identity Theft Smash & Grab, CEO Style
Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far.
Early Monday morning, according to two security experts with firsthand knowledge of the attacks, nearly 20,000 executives received an e-mail purporting to be a subpoena ordering each recipient to appear in court for legal violations leveled against their company. The messages addressed each executive by name, and included their phone number and the name of their company.
Recipients who clicked the link were brought to a Web page that claimed they needed to install a Web browser add-on in order to view the subpoena. Those who agreed were shown an Adobe PDF document that referenced a lawsuit filed in a California district court.
The "add-on" in question was a component designed to steal usernames and passwords when the victim subsequently visited an online bank site or other page that requires those credentials (the malicious add-on only installed for users visiting the site with Microsoft's Internet Explorer Web browser). Approximately half of the recipients of the e-mail messages were executives at major financial institutions.
These types of targeted attacks are hardly uncommon, as cyber crime has grown more sophisticated and criminals more successful in stealing money from average home Internet users and businesses. But what distinguishes this week's attacks is that they have been hugely successful even though the methods employed by the cyber criminals directing them rank near the bottom of the scale in terms of sophistication and stealth.
According to Matt Richard, director of rapid response for iDefense (a unit of Verisign Inc. that works closely with financial institutions to limit losses from cyber fraud), the thieves behind this scam clearly hoped that victims would log into their bank accounts after infecting their systems with the malicious add-on. If they did, Richard said, the thieves would be able to snatch those banking credentials and quickly try to access the victim's bank account and siphon off as much money as possible.
Richard said the group responsible for this attack is based in Romania and is thought to have masterminded nearly two dozen similar attacks over the past year that netted the group millions of dollars. The same group is thought to be responsible for stealing $188,000 from a single victim in a similar attack featured as a case study in a confidential report from the Federal Deposit Security Corporation that Security Fix reported on in February.
These particular Romania-based scammers favor surprise over stealth, Richard said. The e-mail Trojan horse embedded in the fake federal case record consists of cut-and-paste type exploits that probably should be routinely detected by most anti-virus products, but for whatever reason in this case were not. Only eight of some 35 anti-virus products on the market today detected the code sent in the e-mails as malicious, and noticeably absent from the list of those who did detect it were the major anti-virus vendors -- including McAfee, Symantec and Trend Micro (Richard said Microsoft's anti-virus solution is almost alone in consistently detecting this group's malware).
"These guys figure their attack -- from infection to stealing the money -- has to happen quickly, all in one day," Richard said. "The code they're using is as simple as Windows Programming for Internet Explorer 101. They don't send the stolen money all to one place, but distribute it around and use different methods, different accounts, so [the transactions] can't be easily canceled out."
"All around, they do a good job of risk management and keeping costs low," he said. "So, you could say these guys are more like business-degree malware guys than they are computer science malware guys, sort of your MBAs of the criminal hacking scene."
John Bambenek, an incident handler with the SANS Internet Storm Center, said in this case those who didn't click on the e-mailed link to the malicious Web site may have been saved by poor English and a lack of understanding about how most legal documents are served in the United States.
"In this case, we were saved by the fact that the attackers have a poor knowledge of the U.S. legal system and an even worse grasp of the English language. However, the targeting of CEOs specifically and the information they are trying to take should give us pause. The bad guys are continuing to attack the weakest link in the security chain -- the end-user. While we're busy talking about malware, signatures and intrusion detection, users keep doing stupid things to get themselves owned."
Beyond the ability to siphon funds from corporate executives, the crooks in these scams can recycle the data they've stolen, selling it to identity thieves who want to establish lines of credit in the victim executive's name, or to governments seeking to conduct economic espionage, Richard said.
"That's the real long-term danger here, because in each attack they get between 200 and a thousand victims, and all of [the victims] have some level of access to corporate data," Richard said. "How the crooks are going to use it and what they're going to do with it is the big danger."
By Brian Krebs | April 15, 2008; 10:44 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Misc., Safety Tips, U.S. Government
Posted by: DOUGman | April 16, 2008 1:33 AM
Well, looks like we're back to morse code and smoke signals after all that...the Internets sure was fun, though!
Posted by: Bert | April 16, 2008 5:10 AM
Another case of -- to paraphrase an old Dial soap ad -- "Aren't you glad you use Linux and Firefox? Don't you wish everyone did?" :)
Posted by: Robin 'Roblimo' Miller | April 16, 2008 6:35 AM
The rule is simple: nothing important in the legal sense ever happens by e-mail. That is, if your bank, the IRS, a legal entity or whatever has something important to say to you, they'll use snail mail, unless of course you have established the e-mail relationship beforehand.
Since few corporate executives are the first to review their e-mail -- that's normally handled by an assistant -- I can see how this particular approach can succeed.
But remember the rule: if you do not know the sender personally, you can disregard even the most frightening-sounding message.
Posted by: Beck Childs | April 16, 2008 8:29 AM
Are these CEOs really stupid enough to believe that subpoenas are served via email?
What is the salary for those jobs? I PROMISE I'm smarter than that!
Posted by: Woody Smith | April 16, 2008 9:00 AM
Is there some secret this guy is trying to protect? Why not have a link to a chart (OR ANYTHING) that lists all of the antivirus software that was tested. You mention 35 - what were they? You mention 8 detected the malicious code. What were they? What is the purpose of this article? Is it to mention that Microsoft alone detected the malicious code? You are suggesting/implying that Microsoft's antivirus solution is the best? It is not clear. Are you reporting that there are hackers out there trying to "phish" their way into our bank accounts?
Posted by: Eric | April 16, 2008 10:12 AM
Actually folks, today filings in the federal court system are frequently performed by e-mail.
BUT SERVICE OF PROCESS IS ++++ N E V E R ++++ PERFORMED BY E-MAIL !!!
As a general rule, to obtain PERSONAL JURISDICTION over an individual, one must be personally served with legal process by either a US Marshal, a Sheriff, or a private process server [unless you sign for certified or registered mail.]
Many jurisdictions have provisions allowing for service of process by leaving the papers with someone of 'suitable age and discretion' at a family residence, i.e., an adult.
What are known as 'long arm statutes' allow for personal service of process outside of a state jurisdiction providing that 'significant contacts' have existed within the state serving the papers.
In rem jurisdiction allows for service to be effected against ASSETS within a particular state, even if the owner is not available for service within that state, i.e., vacation homes, etc.
WHEREVER A QUESTION OF SERVICE OF A SUBPOENA OR COURT PAPERS BECOMES AN ISSUE, SEEK IMMEDIATE LEGAL COUNSEL FROM A MEMBER OF THE BAR OF THAT JURISDICTION, or from a corporate counsel office if it is for your company elsewhere.
Posted by: brucerealtor | April 16, 2008 10:21 AM
@ Woody Smith:
Yes, they are. I write web based applications for internal use where I work. The stupidity of user questions and problems using my apps increases in direct proportion to the user's salary and rank in the organization.
Posted by: BP | April 16, 2008 11:22 AM
"Aren't you glad you use Linux and Firefox? Don't you wish everyone did?"
The platform or browser is trivial here. The bad guys could have designed a malicious add-on for Firefox instead of Internet Explorer.
The real problem here is social engineering. As explicitly stated in the post:
"The bad guys are continuing to attack the weakest link in the security chain -- the end-user. While we're busy talking about malware, signatures and intrusion detection, users keep doing stupid things to get themselves owned."
Posted by: TJ | April 16, 2008 1:11 PM
>>>>>The platform or browser is trivial here. The bad guys could have designed a malicious add-on for Firefox instead of Internet Explorer.<<<<<
Blah........
read up some more on platform and browser security.
Posted by: mj | April 16, 2008 1:25 PM
>>>>>The platform or browser is trivial here. The bad guys could have designed a malicious add-on for Firefox instead of Internet Explorer.<<<<<
Agreed, this would work in virtually any setting (OS X, Win32, *Nix) so long as a user can be convinced to click on arbitrary links and arbitrary installers. Not looking to start a flame war but virtually all platforms offer a method for users to install usermode applications from the Internet including browser plug-ins. Those that don't are no longer much fun.
Posted by: MR | April 16, 2008 1:45 PM
How about we just isolate East Europe, Russia and China from the internet until they start cracking down on these guys?
Posted by: Nick | April 16, 2008 1:56 PM
40% of the phishing attacks come from US. Also, most of the stupid users are also in US. Aren't you, Nick? :)
Posted by: Chris | April 16, 2008 2:41 PM
Nick wrote: "How about we just isolate East Europe, Russia and China from the internet until they start cracking down on these guys?"
Because, unfortunately, the U.S. is just as guilty of hosting and publishing malicious sites and software, respectively. I believe that this paper has already published a news story on that subject within the past 6 - 12 months.
Continued education on malware and social engineering-class attacks is truly the way to go. Those execs who don't get clued into the fact that they are a vulnerability will either get booted OR their organizations will get so hardily blacklisted by consumers tired of their $$ and identities being abused that they'll walk to the business across the street.
Posted by: C.B. | April 16, 2008 2:44 PM
Seems like the need for a server-based solution for Anti-virus is becoming pronounced. I don't know why all ISPs cannot install these server-based products that can block viruses before they ever reach the weakest link - the consumer... The ISPs have industrial strength spam blockers, why not virus blockers? Maybe McAfee and Symantec are paying them off to not install those products.
Also, I'm not sure how money can be transferred out of an account. Maybe they can create a vendor and pay a bill (?). As far as I know, this process takes some time at least to set up a vendor. Unless I don't know some feature available on these sites.
Posted by: Hari Swaminathan | April 16, 2008 3:57 PM
@Hari
Many ISPs are scanning for malware as well as using spam filters. The same is being done in many businesses on multiple levels via gateway appliances and on e-mail servers themselves, not to mention desktop AV protections on individual computers. The problem is not that major AV vendors are colluding to allow bad stuff to pass, but that they are behind the curve in keeping up with the bad guys in detecting new types of malware. Signature based detection is failing (see link below). Instead they need to evolve to behavior based detection. Overall, it's an inexact science and a constant cat/mouse game.
And as discussed in the following link, the key is a layered defense and as already mentioned here, part of that defense involves the weakest link via educating the end-user on secure computing practices. It is human nature to be too trusting and curious to the point of self detriment. It takes education, a healthy practice of cynicism, and forcing oneself out of lazy habits to counteract these traits. Similar principles are evident in physical security.
http://blog.washingtonpost.com/securityfix/2008/03/dont_depend_on_your_antivirus.html
Posted by: TJ | April 16, 2008 5:30 PM
Bruce,
I hate to be the annoying guy that points out the exception to the rule. But Rio Properties, Inc. v. Rio International Interlink, Inc. (284 F.3d 1007), the 9th Cir actually did allow service of process via email. But it was a really weird set of circumstances where all the usual methods of service you described failed (something about an offshore internet gambling company).
But yeah, otherwise nobody will ever be served by email.
Posted by: ugh | April 16, 2008 7:54 PM
@Hari, If I click the link.... Are you in Romania? Remember people, always vigilant.
Posted by: | April 17, 2008 8:09 AM
I was on here a few weeks ago to make the point that paying for AV software is a waste of money. Commercial AV manufacturers are scam artists just like the producers of the emails AV is supposed to protect us from.
When the big players can't handle the basics, why should people pay for them?
Dump IE, go with Safari, or just dump the whole IE platform and go Mac. Either way, commercial AV has no credibility - go with the freeware and your own common sense.
Posted by: shredsmaster | April 17, 2008 9:43 AM
What fascinates me about this story is that the scam e-mail "addressed each executive by name, and included their phone number and the name of their company" -- a classic way of making an e-mail look legit. And, which I have relied on, frankly.
I *assume* that the scammers had this detailed information from having earlier hacked various users' address books. Is this more likely to be the case if people use Outlook? I can understand wanting to have a unified address book, but I wonder if Outlook (which I don't use) could be built to segregate/protect everything but the e-mail address?
Posted by: igorok | April 17, 2008 12:30 PM
"...crooks in these scams"? Come on! After all of the scams, the fraud, outsourced jobs, looted retirement accounts, after all of the harm to this country done by that collection of sociopaths that compose CEO's (and corporate board members, corporate officers, and Wall Street and Chicago "traitors"), you call someone who harms them "crooks"? For most of us, they are HEROES!!!! The average American views these snakes as the crooks that got us into the current economic mess. They and their friends are responsible for locking people into everything from cell phone contracts that secretly keep renewing to theft of medical records using any of a number of holes in the bogus federal and state "privacy" laws, they fire older workers and displace them with cheap guest workers from India and China, they sell our most secret military technology to China, and on and on. Anything whatsoever done to them amounts to just deserts!
Posted by: mibrooks27 | April 17, 2008 12:33 PM
Brilliant! Like the old Robin Hood joke about why he robs from the rich - they are the ones with money! And the targets here are probably the least sophisticated online users.
Maybe these guys can tap into some of that ridiculous pay these guys get!
Posted by: Jim | April 17, 2008 2:00 PM
The original [circa 1983] and true definition of "phishing" [often preceded by the word "gone"] referred to the act of going to a Phish concert, or series of Phish concerts.
Long live Trey, Mike, Page and Jon!
Posted by: creativewes | April 17, 2008 2:24 PM
The fact that the execs were willing to download this add-on indicates that they thought they might be guilty of something...
Posted by: Jon | April 17, 2008 3:34 PM
Is this 'Federal Deposit Security Corporation' perhaps intended to be FDIC? Security and Insurance, as I am sure you'll agree, are different :^)
Posted by: Christo | April 17, 2008 10:28 PM
I'm with the first poster:
What were the 8 AV products that caught this??
Posted by: Erikh | April 18, 2008 10:23 AM
Re: The 8 AV products.
I have been searching and looking all over the Net and can not find it. Brian, please share what you know, thanks.
D.
Posted by: DOUGman | April 18, 2008 12:42 PM
Why doesn't anyone use ICONIX to prevent phishers and scammers like this?
www.iconix.com
Posted by: D Berry | April 28, 2008 1:22 PM
This spear-phishing attack was a classic example of Blended Threats that the users are faced with in the current hostile internet world. An attack like this could have been stopped at the internet gateway. Preventing such an attack would have required 3 different threat prevention technologies.
Preventing the email from getting to the victims was the job of the Anti-Spam software. Preventing the victims from visiting a fraudulent website would be the job of the content filter. Lastly a good anti-virus solution could have prevented the malware plug-in from being downloaded onto the victim's PC.
For a network administrator it is a formidable task to configure all 3 solutions to work in sync to prevent such threats, not to mention paying for 3 different solutions. Unified Threat Management solutions like Cyberoam (http://www.cyberoam.com) are your best bet against such threats as they provide you with the right synergy of Anti-Spam, Anti-Virus, Content-Filtering and IDP, ALL in ONE BOX.
What say you?
Posted by: Gaurav | May 4, 2008 4:11 PM