Nude Carla Bruni pics masking Trojan lured G20 attendees to click

Filed Under: Celebrities, Featured, Hacked, Malware, Nude Celebrities, Phishing, Security threats

Image of Carla Bruni-Sarkozy courtesy of ShutterstockHackers used nude photos of former French first lady Carla Bruni as bait to get dozens of G20 representatives to click on what turned out to be a Trojan-delivering email.

According to, dozens of diplomats attending the 2011 sixth G20 summit in Cannes were snared.

The tempting message that masked the Trojan was sent to the finance ministers and central bank representatives that attend these summits.

All that was needed to get those high-value espionage targets to click were these nine words:

To see naked pictures of Carla Bruni click here

The nude photos were legitimate: Ms. Bruni, now using the name Carla Bruni-Sarkozy, is a pop singer and former supermodel who married the French President Nicolas Sarkozy in 2008. At the time of the phishing attack, she was France's first lady.

While the victims eyeballed the nude photos, malware invisibly infected their computers, as well as replicating and forwarding copies of itself to others.

Somebody the Daily Telegraph calls "a government source in Paris" told the news venue that just about everybody who got the message fell for it:

Almost everybody who received the email took the bait.

The purpose, target, effect and origin of the attack are still apparently unknown and under investigation.

It's worrying that such a low tech attack can still be effective, especially against those in the upper echelons of power. Sure, it can be hard for humans' to block their most basic impulses but there is a long, sordid and well publicised history of attacks like this and there can be no excuses for G20 attendees being so foolish and unprepared.

We trust that Naked Security readers will be more careful where they click!

Image of Carla Bruni-Sarkozy By Remi Jouan via Wikimedia Commons

, , , , , ,

You might like

8 Responses to Nude Carla Bruni pics masking Trojan lured G20 attendees to click

  1. ScottK · 662 days ago

    Heck...if it was that easy...
    I am an exiled American Prince. My father has recently passed away and left a large sum of USD/EUR to me. I need your help as a fellow world leader to claim my riches and lead my country back to prosperity. Please email me your bank account number and any passwords required to access it to begin the transfer of funds.

  2. Had a phishing email this week from 'Honestly Barclays Security'...looks legit.

  3. Alan · 662 days ago

    What worries me most is not that the recipients clicked the link, but the machines G20 attendees were using didn't have adequate security software in place to stop the malware from installing!!

    Sounds like something that should be forwarded on to the Sophos marketing department before the next G20 meeting ;-)

    • David · 662 days ago

      It's called "customer service", Alan. The "customer" insists on using their own device, with all thier favourinte bloatware installed, flatly rejecting any advice from the security professionals on how to secure it as being "impractical, intrusive, or inappropriate". As they are "the customer", they are, by definition, right... Excellent customer service is all about saying "yes" to whatever the customer wants, regardless... :-/

      • Alan · 662 days ago

        I'm afraid I'd have to disagree with this point. Regardless of how 'intrusive' or superfluous anybody finds security software, there should be no option whatsoever about not having it running. If I were to find out that mangers at my bank for example were using insecure laptops because they felt security software got in the way of them ogling naked pictures I'd be rapidly switching accounts to another one! I'm really not happy about any form of UK government machines not having proper security software either.

        Customer service is still possible while complying with the law (I'm sure there must be some law about G20 attendees having secure laptops? I work for a public sector organisation, and we still manage to be polite and helpful to our users while insisting that security software (Sophos in our case!) is installed).

        I'm aware there will always be people who feel such software isn't required, but company policy should ensure this does not happen. Fortunately in my case refusal by management to enforce such a policy would be illegal.

        • markm · 661 days ago

          Alan, if you ever have that argument with the CEO of your company, you just might be looking for a job - or an exceptionally good CEO might promote you for standing up for proper security. But these weren't CEO's, they were cabinet-level politicians. No peon like you is ever going to tell them anything. Their prime minister or president might require them to listen to security, but good luck getting such a person to listen to your concerns _before_ there's an embarassing incident.

  4. Stephen H · 662 days ago

    Presumably The Guardian is waiting for the NSA to say "It wasn't us" before releasing the papers proving it was.

  5. JHG · 399 days ago

    Another silly concern like the one about celebrities "revealed." Carla Bruni was not exactly shy when she was younger. So what?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.