January 01, 2007 — CSO
Attackers have raised their game markedly in the past three months, delivering salvos harder to
resist (and detect). Recent developments:
- Advanced phishing: In the parry and thrust of phishing defenses and phishing attacks, one
particular e-mail, sent to bank employees, represented a bold move for the bad guys in its level of
social engineering sophistication: It pretended to be from a journalist researching a news story about a
data leak at that bank, and addressed the recipient by first name.
"Dear ____," the e-mail started. "I am a reporter for Finance News doing a follow-up story on the recent
leak of customer records from [the bank's name]. I saw your name come up in the article from Central
News and would like to interview you for a follow-up piece."
The e-mail then provided what appeared to be a link to the "Central News" story—a URL that
included the bank's name in its characters. The message ended, "If you have time I would appreciate an
opportunity to further discuss the details of the above article. Regards, Gordon Reily."
At one bank, hundreds of employees received the e-mail. The CSO at that bank (he would speak only
on the condition of anonymity) eventually determined that clicking on the link connected to a website in
China and installed a keylogger on the machine that accessed the link. Such a targeted attack would
seek to have a bank employee with data access unwittingly log passwords and account information,
which the bot would deliver to the attacker.
The e-mail was sophisticated; its grammar was impeccable, and it addressed recipients by name (which
means the attacker had access to the bank's e-mail rolls and could avoid blasting the e-mail and
getting caught in spam filters). The guise of a journalist following a story was reasonable. And the
e-mail suggested that the recipient was cited in a previous story, which would pique the person's interest.
- IM as distribution network: Chris Boyd, director of malware research at FaceTime
Communications, came across a botnet in development that enabled an attacker to insert a link into an
IM conversation that, when clicked, installed a bot on that computer. It appeared that the compromised
computer then would become part of a spam distribution botnet. But after analyzing the "ridiculously
complex and bizarre" code, Boyd believes that the attackers were still developing the botnet's
capabilities to go far beyond that.
Mastering the use of IM as a malware distribution engine concerns Boyd and others, because once
attackers can insert their links, it's hard to stop them. For example, even if the IM network blocks