The Company that Did Everything Wrong, Part 2
The conclusion to last month's tale of a comical yet sad visit to a company that suffered a data breach
March 09, 2009 — CSO —
It was 1 a.m. and we had been working on our client's data breach for eight hours. Most of the team had been awake for 20-plus hours, and fatigue was starting to set in when Bob discovered something.
He realized that a piece of malware that was embedded in the phishing attack linked back to a website in Spain. "I did a little research and that site in Spain is a compromised host," Bob told me. "These attackers are very clever. They mirrored the normal landing site with one that they set up that contains their exploits."
"So instead of a visitor landing on the regular home page, they land on a compromised, hidden page?" Sam asked.
"Correct," Bob said. "This has the hallmarks of an extremely sophisticated attack."
Bob has a lot of credibility in my book, so when he talks about sophisticated attacks, I take notice.
"Why do you say sophisticated?" I asked.
"First, there's the malware package. Looks like it's polymorphic, changes its digital signature at every execution. So creating a digital hash won't help us locate other infections," Bob said. "Of course I won't know for sure until we have a chance to send it to Dave for him to decompile, but I have a pretty good feeling that it is. Then there is the amount of research that had to go into crafting the phishing e-mail. It uses all the right buzzwords, talks about a current project and even lists company employees who aren't listed on the company's website. Then there's the amount of effort they took to hide their site. Take a look at the homepage for this site." Bob turned his laptop around so everyone at the conference table could see the screen. "Here is the regular site: www.compromisedsite.com/index.html. But here is the link for the site that contains the exploit: www.compromisedsite.com/índex.html. See the difference?"
"They look the same to me," said Sam.
"They did to me, too. For a long time. But here's the difference: The uncompromised site has a regular Times New Roman letter i in the name: index.html. The compromised landing page uses the special character í, an accented i."
It's tough to notice, and of course that's the point. Whoever compromised this site went to a lot of trouble to hide the fact from the Web owner, and even from fairly savvy computer users, Bob said.
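The look-alike trick Bob describes (a Latin letter swapped for its accented twin so two paths render almost identically) is easy to catch mechanically even though it fools the eye. The following is an added example, not code from the article or from the incident team it describes: it decodes a URL's path, reports every non-ASCII character with its Unicode name and ASCII base letter, and builds an all-ASCII "skeleton" so a lookalike can be compared against the legitimate path. The host name, paths and log lines are constructed for the example.

```python
import re
import unicodedata
from urllib.parse import urlsplit, unquote


def _fold(ch):
    """ASCII base of one character: NFKD-decompose, then drop combining marks (í -> i)."""
    decomposed = unicodedata.normalize("NFKD", ch)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def non_ascii_report(text):
    """List (position, char, ascii_fold, unicode_name) for every non-ASCII character."""
    report = []
    for pos, ch in enumerate(text):
        if ord(ch) > 127:
            report.append((pos, ch, _fold(ch), unicodedata.name(ch, "UNKNOWN")))
    return report


def lookalike_url(url):
    """Return (is_lookalike, ascii_skeleton, findings) for a URL.

    Percent-encoded paths (%C3%AD) are decoded first, and a punycode host
    (xn--...) is converted back to Unicode so hidden characters are visible.
    """
    if "://" not in url:            # urlsplit needs a scheme to find the host
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    target = host + unquote(parts.path)
    findings = non_ascii_report(target)
    skeleton = "".join(_fold(ch) if ord(ch) > 127 else ch for ch in target)
    return (bool(findings), skeleton, findings)


# Constructed access-log lines (hypothetical host); only the request URL matters here.
LOG_LINES = [
    '10.0.0.5 - - [09/Mar/2009:01:02:03 +0000] "GET http://www.compromisedsite.com/index.html HTTP/1.1" 200',
    '10.0.0.7 - - [09/Mar/2009:01:02:09 +0000] "GET http://www.compromisedsite.com/%C3%ADndex.html HTTP/1.1" 200',
    '10.0.0.9 - - [09/Mar/2009:01:02:15 +0000] "GET http://www.compromisedsite.com/índex.html HTTP/1.1" 200',
]

_REQ = re.compile(r'"GET (\S+) ')


def flag_log_lines(lines):
    """Return [(url, skeleton, [unicode names])] for requests whose URL hides non-ASCII characters."""
    flagged = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        is_lookalike, skeleton, findings = lookalike_url(m.group(1))
        if is_lookalike:
            flagged.append((m.group(1), skeleton, [f[3] for f in findings]))
    return flagged


if __name__ == "__main__":
    for url, skeleton, names in flag_log_lines(LOG_LINES):
        print(f"{url} -> looks like {skeleton}; contains {', '.join(names)}")
```

The skeleton is what an analyst should compare against the known-good URL: two requests whose skeletons match but whose raw strings differ are the case the story describes. Percent-encoding and punycode are handled because a proxy or web-server log may record either form rather than the rendered character.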
"Did you have a chance to connect to the compromised site using one of our sandboxes?" I asked him.