Thousands of executives received e-mails on Monday purporting to be federal court subpoenas but which appear to be part of a "phishing" scam to capture sensitive data.
The pseudo-subpoenas bear the seal of the U.S. District Court and docket numbers from real cases, though apparently closed ones, without party names. They command an appearance on May 7 before a grand jury in a particular room at the U.S. courthouse in San Diego.
They identify the originating e-mail address as "email@example.com" and contain a link with an instruction to "download the entire document on this matter ... and print it for you record."
Those who click on the link infect their own computers and those networked to them with a virus aimed at gathering passwords, account numbers, credit card numbers and similar information. Matt Richard, of VeriSign's iDefense Labs, a cybersecurity group, estimates that 1,800 recipients have clicked on the link.
The subpoenas indicate they were issued by "O'Mevely & Meyers," a fictitious entity with the same Los Angeles address as the real firm of O'Melveny & Myers. The name is close enough that O'Melveny has posted a notice on its Web site stating it is not the source of the subpoenas.
The Administrative Office of the U.S. Courts posted an alert on its Web site on Monday after receiving a large number of calls. Captioned "Notice: Invalid Subpoena," it says e-mails containing grand jury subpoenas "are not a valid communication from a federal court and may contain harmful links." It reminds that the judiciary's address ends in ".gov" and says law enforcement authorities have been notified.
Similar warnings have been posted by several district courts, including the Southern District of California (which includes San Diego), the Central District of California and the Southern District of West Virginia.
Scott Christie, of McCarter & English in Newark, says he learned of the scam Monday from the online forum of the American Bar Association's Information Security Committee. Another member described one of the subpoenas and asked whether anyone else had seen one like it and whether it seemed legitimate.
Based on a number of "blatant red flags" that went well beyond the misspelling of O'Melveny & Myers, the subpoena was clearly suspect, says Christie, a former Assistant U.S. Attorney who once headed up the New Jersey office's Computer Hacking and Intellectual Property Section.
Perhaps the most significant tip-off was that "federal courts will never send you a subpoena by e-mail," he says. A subpoena in a civil case comes from the other side's attorney and, in a criminal case, from the U.S. Attorney's Office and, if from the court, by registered or certified mail, says Christie.
In addition, people were being told to appear before a criminal grand jury in a civil case and that if they had any questions about a subpoena designated as federal, to ask the "City Prosecutor." There were also misspellings such as "thas," "offcers" and "wich."
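The red flags Christie lists (a sender that is not a .gov address, a link to "download" a subpoena that courts never serve by e-mail, and the recurring misspellings) can be turned into a simple mail-triage check. The following is an added example written for this page, not code from the article or from any of the firms named in it; the sample message and the host court-docs.example.net are constructed.

```python
import re
from email import message_from_string

# Red flags taken from the article: the judiciary only uses .gov addresses,
# federal courts never serve subpoenas by e-mail, and the fake subpoenas
# carried misspellings such as "thas", "offcers" and "wich".
LURE_TERMS = ("subpoena", "grand jury", "district court")
KNOWN_TYPOS = ("thas", "offcers", "wich")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def sender_domain(from_header):
    """Domain part of a From header, lower-cased; '' if none is present."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header or "")
    return m.group(1).lower() if m else ""


def triage(raw_email):
    """Return red flags found in a plain-text message; [] if it is not a subpoena lure."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if not any(term in text for term in LURE_TERMS):
        return []  # ordinary mail from non-.gov senders is not flagged
    flags = ["subpoenas are not served by e-mail; the lure itself is a flag"]
    dom = sender_domain(msg.get("From", ""))
    if not dom.endswith(".gov"):
        flags.append(f"sender domain '{dom}' is not a .gov address")
    for host in HOST_RE.findall(body):
        if not host.lower().endswith(".gov"):
            flags.append(f"link points at non-.gov host '{host}'")
    for word in KNOWN_TYPOS:
        if re.search(rf"\b{word}\b", text):
            flags.append(f"misspelling '{word}' seen in earlier fakes")
    return flags


# Constructed sample resembling the article's description, not a real message.
SAMPLE = """From: "U.S. District Court" <email@example.com>
Subject: Subpoena in a civil case

You are commanded to appear before the grand jury of the U.S. District Court.
Download the entire document on this matter at
http://court-docs.example.net/case.exe and print it for you record.
Questions about thas subpoena go to the City Prosecutor.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("-", flag)
```

Running it against the constructed sample reports the non-.gov sender, the non-.gov download host and the "thas" misspelling on top of the e-mailed-subpoena flag itself.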
Christie sent an advisory to all McCarter & English lawyers and heard back from those whose clients had contacted them after receiving similar missives. He says the subpoenas "were going to CEOs and upper levels of management of companies who were calling lawyers and saying 'what do I do?'" He says he saw about a dozen "subpoenas" received by firm clients, but to his knowledge, none of them clicked on the link.
The bogus subpoena blast appears to be a variant on "phishing," which uses legitimate-looking e-mails to lure people to sites that infect their computers or induce them to input credit card, bank account or other data, exposing them to financial loss.
The subpoenas were "spear-phishing," a more targeted version of phishing, where the scam is geared to a specific type of recipient, says Christie.
The CEOs and upper-management personnel at whom the e-mails were directed "would be more likely than most to be concerned about the receipt of a federal grand jury subpoena" and "be inclined, without speaking to anyone, to click on the link and suffer the consequences," says Christie.
VeriSign has been keeping tabs on a group of cyberscammers responsible for similar phishing incidents, in which e-mails used to induce clicks appeared to be from the Internal Revenue Service and the Better Business Bureau.
Based on that experience, VeriSign was able to track the data obtained from the affected computers to a "drop site" located on a server in Singapore. VeriSign is working with law enforcement, Richard says, declining to be more specific.
Historically about 10 percent of those phished go for the bait, says Richard, leading him to estimate that 15,000 to 20,000 e-mails were sent.
Christie says lawyers should be warning their clients, and because unexpected future variants are likely, people should "review their e-mail messages carefully and if there are misspellings or other indicia of impropriety or fraud, immediately contact their attorney."