
The Company that Did Everything Wrong, Part 2

The conclusion to last month's tale of a comical yet sad visit to a company that suffered a data breach

March 09, 2009, CSO

It was 1 a.m. and we had been working on our client's data breach for eight hours. Most of the team had been awake for 20-plus hours, and fatigue was starting to set in when Bob discovered something.

He realized that a piece of malware that was embedded in the phishing attack linked back to a website in Spain. "I did a little research and that site in Spain is a compromised host," Bob told me. "These attackers are very clever. They mirrored the normal landing site with one that they set up that contains their exploits."

"So instead of a visitor landing on the regular home page, they land on a compromised, hidden page?" Sam asked.

"Correct," Bob said. "This has the hallmarks of an extremely sophisticated attack."

Bob has a lot of credibility in my book, so when he talks about sophisticated attacks, I take notice.

"Why do you say sophisticated?" I asked.

"First, there's the malware package. Looks like it's polymorphic, changes its digital signature at every execution. So creating a digital hash won't help us locate other infections," Bob said. "Of course I won't know for sure until we have a chance to send it to Dave for him to decompile, but I have a pretty good feeling that it is. Then there is the amount of research that had to go into crafting the phishing e-mail. It uses all the right buzz words, talks about a current project and even lists company employees who aren't listed on the company's website. Then there's the amount of effort they took to hide their site. Take a look at the homepage for this site." Bob turned his laptop around so everyone at the conference table could see the screen. "Here is the regular site: www.compromisedsite.com/index.html. But here is the link for the site that contains the exploit: www.compromisedsite.com/índex.html. See the difference?"

"They look the same to me," said Sam.

"They did to me, too. For a long time. But here's the difference: The uncompromised site has a regular Times New Roman letter i in the name: index.html. The compromised landing page uses a special character, an accented i."

It's tough to notice, and of course that's the point. Whoever compromised this site went to a lot of trouble to hide the fact from the Web owner, and even from fairly savvy computer users, Bob said.
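The lookalike-path trick Bob describes can be caught mechanically rather than by eye. The script below is an added example for this article, not code from the investigators or from CSO: it percent-decodes a URL path, lists every non-ASCII character with its Unicode code point and name, and compares the path against the page it impersonates both byte-for-byte and after stripping accents. The two sample links and the small confusables table are constructed for the example; the table is a hand-picked subset, not Unicode's full UTS #39 confusables list.

```python
# Added example (not from the CSO article): flag URL paths that render almost
# like an ASCII path but are not, e.g. "index.html" versus "índex.html".
import unicodedata
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# Partial, hand-written confusables table (assumption: a subset of the kind of
# mapping UTS #39 provides). NFKD does nothing for a Cyrillic 'і' (U+0456) or
# 'а' (U+0430) because they carry no accent to strip, so they need a lookup.
CONFUSABLES: Dict[str, str] = {
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def skeleton(s: str) -> str:
    """Reduce a string to the ASCII it visually imitates.

    NFKD splits a precomposed 'í' (U+00ED) into 'i' plus U+0301 COMBINING ACUTE
    ACCENT; dropping characters of category Mn (nonspacing mark) leaves 'i'.
    The confusables table then handles lookalikes that have no decomposition.
    """
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def suspicious_chars(path: str) -> List[Tuple[int, str, str]]:
    """Return (position, char, 'U+XXXX NAME') for each non-ASCII char in a path.

    The path is percent-decoded first: a browser or mail client would send the
    accented link as /%C3%ADndex.html, which is what a proxy log records.
    """
    decoded = unquote(path)
    return [
        (i, ch, f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}")
        for i, ch in enumerate(decoded)
        if ord(ch) > 0x7F
    ]


def looks_like(url: str, expected_path: str) -> dict:
    """Compare a URL's path with the legitimate path it may be impersonating."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    return {
        "path": path,
        "exact_match": path == expected_path,
        "skeleton_match": skeleton(path) == expected_path,
        "non_ascii": suspicious_chars(parts.path),
    }


def is_homoglyph_impostor(url: str, expected_path: str) -> bool:
    """True when the path differs from the expected one byte-for-byte but
    collapses to it once accents and confusables are normalised away."""
    result = looks_like(url, expected_path)
    return (not result["exact_match"]) and result["skeleton_match"]


# Constructed sample links mirroring the two paths in the article.
GOOD = "http://www.compromisedsite.com/index.html"
BAD = "http://www.compromisedsite.com/\u00edndex.html"          # precomposed í
BAD_ENCODED = "http://www.compromisedsite.com/%C3%ADndex.html"  # same path, percent-encoded
BAD_CYRILLIC = "http://www.compromisedsite.com/\u0456ndex.html"  # Cyrillic і, no accent to strip

if __name__ == "__main__":
    for u in (GOOD, BAD, BAD_ENCODED, BAD_CYRILLIC):
        r = looks_like(u, "/index.html")
        verdict = "IMPOSTOR" if is_homoglyph_impostor(u, "/index.html") else "ok"
        print(f"{verdict:9} {u} -> {r['non_ascii']}")
```

Run over a proxy or web-server log, `suspicious_chars` alone is a cheap first filter: legitimate English-language sites rarely serve paths containing non-ASCII letters, and each hit comes back with a code point that an analyst can check against the site's real file listing. The skeleton comparison is what turns a hit into a verdict, and the Cyrillic sample shows why accent-stripping alone is not enough.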

"Did you have a chance to connect to the compromised site using one of our sandboxes?" I asked him.
