Hackers used nude photos of former French first lady Carla Bruni as bait to get dozens of G20 representatives to click on what turned out to be a Trojan-delivering email.
According to News.com.au, dozens of diplomats attending the sixth G20 summit, held in Cannes in 2011, were snared.
The tempting message that masked the Trojan was sent to the finance ministers and central bank representatives who attend these summits.
All that was needed to get those high-value espionage targets to click were these nine words:
To see naked pictures of Carla Bruni click here
The nude photos were legitimate: Ms. Bruni, now using the name Carla Bruni-Sarkozy, is a pop singer and former supermodel who married the French President Nicolas Sarkozy in 2008. At the time of the phishing attack, she was France’s first lady.
While the victims eyeballed the nude photos, malware invisibly infected their computers, as well as replicating and forwarding copies of itself to others.
Somebody the Daily Telegraph calls “a government source in Paris” told the news venue that just about everybody who got the message fell for it:
Almost everybody who received the email took the bait.
The purpose, target, effect and origin of the attack are still apparently unknown and under investigation.
It’s worrying that such a low-tech attack can still be effective, especially against those in the upper echelons of power. Sure, it can be hard for humans to block their most basic impulses, but there is a long, sordid and well-publicised history of attacks like this, and there can be no excuses for G20 attendees being so foolish and unprepared.
We trust that Naked Security readers will be more careful where they click!
Image of Carla Bruni-Sarkozy By Remi Jouan via Wikimedia Commons
Heck…if it was that easy…
I am an exiled American Prince. My father has recently passed away and left a large sum of USD/EUR to me. I need your help as a fellow world leader to claim my riches and lead my country back to prosperity. Please email me your bank account number and any passwords required to access it to begin the transfer of funds.
Had a phishing email this week from ‘Honestly Barclays Security’…looks legit.
What worries me most is not that the recipients clicked the link, but the machines G20 attendees were using didn’t have adequate security software in place to stop the malware from installing!!
Sounds like something that should be forwarded on to the Sophos marketing department before the next G20 meeting 😉
It’s called “customer service”, Alan. The “customer” insists on using their own device, with all their favourite bloatware installed, flatly rejecting any advice from the security professionals on how to secure it as being “impractical, intrusive, or inappropriate”. As they are “the customer”, they are, by definition, right… Excellent customer service is all about saying “yes” to whatever the customer wants, regardless… :-/
I’m afraid I’d have to disagree with this point. Regardless of how ‘intrusive’ or superfluous anybody finds security software, there should be no option whatsoever about not having it running. If I were to find out that managers at my bank, for example, were using insecure laptops because they felt security software got in the way of them ogling naked pictures, I’d be rapidly switching accounts to another one! I’m really not happy about any form of UK government machines not having proper security software either.
Customer service is still possible while complying with the law (I’m sure there must be some law about G20 attendees having secure laptops? I work for a public sector organisation, and we still manage to be polite and helpful to our users while insisting that security software (Sophos in our case!) is installed).
I’m aware there will always be people who feel such software isn’t required, but company policy should ensure this does not happen. Fortunately in my case refusal by management to enforce such a policy would be illegal.
Alan, if you ever have that argument with the CEO of your company, you just might be looking for a job – or an exceptionally good CEO might promote you for standing up for proper security. But these weren’t CEOs, they were cabinet-level politicians. No peon like you is ever going to tell them anything. Their prime minister or president might require them to listen to security, but good luck getting such a person to listen to your concerns _before_ there’s an embarrassing incident.
Presumably The Guardian is waiting for the NSA to say “It wasn’t us” before releasing the papers proving it was.
Another silly concern like the one about celebrities “revealed.” Carla Bruni was not exactly shy when she was younger. So what?