The Company that Did Everything Wrong, Part 2

The conclusion to last month's tale of a comical yet sad visit to a company that suffered a data breach

March 09, 2009 | CSO

It was 1 a.m. and we had been working on our client's data breach for eight hours. Most of the team had been awake for 20-plus hours, and fatigue was starting to set in when Bob discovered something.

He realized that a piece of malware that was embedded in the phishing attack linked back to a website in Spain. "I did a little research and that site in Spain is a compromised host," Bob told me. "These attackers are very clever. They mirrored the normal landing site with one that they set up that contains their exploits."

"So instead of a visitor landing on the regular home page, they land on a compromised, hidden page?" Sam asked.

"Correct," Bob said. "This has the hallmarks of an extremely sophisticated attack."

Bob has a lot of credibility in my book, so when he talks about sophisticated attacks, I take notice.

"Why do you say sophisticated?" I asked.

"First, there's the malware package. Looks like it's polymorphic, changes its digital signature at every execution. So creating a digital hash won't help us locate other infections," Bob said. "Of course I won't know for sure until we have a chance to send it to Dave for him to decompile, but I have a pretty good feeling that it is. Then there is the amount of research that had to go into crafting the phishing e-mail. It uses all the right buzzwords, talks about a current project and even lists company employees who aren't listed on the company's website. Then there's the amount of effort they took to hide their site. Take a look at the homepage for this site." Bob turned his laptop around so everyone at the conference table could see the screen. "Here is the regular site: www.compromisedsite.com/index.html. But here is the link for the site that contains the exploit: www.compromisedsite.com/índex.html. See the difference?"

"They look the same to me," said Sam.

"They did to me, too. For a long time. But here's the difference: The uncompromised site has a regular Times New Roman letter i in the name: index.html. The compromised landing page uses a special character, an accented i."

It's tough to notice, and of course that's the point. Whoever compromised this site went to a lot of trouble to hide the fact from the Web owner, and even from fairly savvy computer users, Bob said.
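The accented-i trick Bob describes is a homoglyph (lookalike) path: the two URLs render almost identically but differ in their Unicode code points. The following Python is an added example, not code from the article or from the response team; it shows how a defender can catch such lookalikes automatically by collapsing each URL to the ASCII text a reader would see and comparing that against a known-good list. It goes slightly beyond the article's accented-i case by also handling a few Cyrillic and Greek letters that resemble Latin ones (the CONFUSABLES table below is a small hand-picked subset, an assumption for this example, not the full Unicode confusables list), and it accepts percent-encoded paths as they typically appear in proxy logs. The sample URLs are constructed for the example and reuse the article's placeholder host name.

```python
# Homoglyph / lookalike URL detector (added example, not the article's code).
# Assumes a list of known-good URLs and a set of candidate URLs pulled from,
# say, proxy logs or a phishing e-mail body. Candidates that visually match a
# legitimate URL but differ in code points are reported as lookalikes.
import unicodedata
from urllib.parse import unquote

# Small hand-picked subset of Unicode confusables (Cyrillic/Greek letters that
# render like Latin ones). Assumption for this example; a real deployment
# should load the full Unicode confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a",
}


def ascii_skeleton(s: str) -> str:
    """Map a string to the ASCII text a reader would *see*.

    Accented Latin letters are decomposed (NFKD) and their combining marks
    dropped, so 'í' becomes 'i'; known confusables are replaced directly.
    """
    out = []
    for ch in s:
        ch = CONFUSABLES.get(ch, ch)
        for c in unicodedata.normalize("NFKD", ch):
            if not unicodedata.combining(c):
                out.append(c)
    return "".join(out)


def non_ascii_report(s: str):
    """List every non-ASCII code point as (offset, char, 'U+XXXX', name)."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(s)
        if ord(ch) > 127
    ]


def find_lookalikes(candidates, known_good):
    """Return (candidate, impersonated_url) pairs.

    A candidate is flagged when it is not itself a known-good URL but its
    ASCII skeleton equals the skeleton of one. Percent-encoding is undone
    first because proxies usually log 'í' as '%C3%AD'.
    """
    good = {u: ascii_skeleton(u) for u in known_good}
    hits = []
    for raw in candidates:
        url = unquote(raw)
        if url in good:
            continue
        skel = ascii_skeleton(url)
        for legit, legit_skel in good.items():
            if skel == legit_skel:
                hits.append((raw, legit))
    return hits


# Constructed sample data, reusing the article's placeholder host name.
KNOWN_GOOD = ["www.compromisedsite.com/index.html"]
SAMPLE_URLS = [
    "www.compromisedsite.com/index.html",            # legitimate
    "www.compromisedsite.com/\u00edndex.html",       # accented i, as in the article
    "www.compromisedsite.com/%C3%ADndex.html",       # same, percent-encoded in a log
    "www.c\u043empromisedsite.com/index.html",       # Cyrillic 'о' in the host
    "www.example.com/about.html",                    # unrelated, must not fire
]

if __name__ == "__main__":
    for url, legit in find_lookalikes(SAMPLE_URLS, KNOWN_GOOD):
        print(f"LOOKALIKE {url!r} impersonates {legit!r}")
        for off, ch, cp, name in non_ascii_report(unquote(url)):
            print(f"    offset {off}: {ch!r} {cp} {name}")
```

Running the block reports the accented-i URL, its percent-encoded form and the Cyrillic-host variant, each with the exact offset and Unicode name of the offending character, while the unrelated URL stays silent. The same skeleton comparison can be applied to sender domains in mail headers, which is where a phishing campaign like the one in the article would first show up.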

"Did you have a chance to connect to the compromised site using one of our sandboxes?" I asked him.
