Espionage Via Spoofed White House eCard

Espionage malware came packed in a happy holiday eCard that spoofed, tricking government and contractor cybersecurity experts and stealing over 2 gigs of data.

When many people were caught up in the warm fuzzy feeling of peace on earth and goodwill toward man, it may have felt rewarding to receive a Christmas eCard from The White House. The bad news is that the spoofed seasons greetings contained malware aimed at espionage and sucked up several gigabytes of sensitive government documents. Some of the victims worked on cybersecurity as government employees and contractors.

It is currently unknown how many people received the following message on Dec. 23:

"As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission."

Regarding this Zeus banking Trojan variant, security blogger Mila Parkour wrote, it "appears to be designed for stealing documents as opposed to stealing passwords and banking information. This places this particular trojan in the category of malware designed for data theft and political/corporate espionage."

Any recipient who clicked on the links and opened the file were then infected with a Zeus Trojan variant that snatched documents and passwords and then uploaded the stolen data to a server in Belarus.

Security expert Brian Krebs wrote in "White House eCard Dupes Dot-Gov Geeks" that he "analyzed the documents taken in that attack, which hoovered up more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims."

Krebs identified some of the victims who fell for the scam e-mail as employees for various governments. These three stood out the most to me:

-An intelligence analyst in Massachusetts State Police gave up dozens of documents that appear to be records of court-ordered cell phone intercepts. Several documents included in the cache indicate the victim may have recently received top-secret clearance. Among this person's cache of documents is a Department of Homeland Security tip sheet called "Safeguarding National Security Information."

-An employee at the National Science Foundation's Office of Cyber Infrastructure. The documents collected from this victim include hundreds of NSF grant applications for new technologies and scientific approaches.

Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

It is believed by Alex Cox, research analyst at security firm NetWitness, that this government spear phishing attack involves the same guy behind the "Hilary Kneber" Zeus botnet from last year that infected "some 75,000 PCs on a wide range of government and private sector networks." Krebs reports that Cox said, "It's either the same guy, or someone is using this guy's exact same technique."

For now, this Merry Christmas eCard attack is thought to be for espionage purposes and that may very well prove true. This goes to show that anyone, regardless of expertise, can fall for a scam. Over 2 gigs were stolen and the damage is done, but will any policies or information be changed now that they are compromised?

What if, later on, any of this "secret" information were to be published by someone such as WikiLeaks? Is a breach only truly considered serious if that information were to be made public? Case in point is Bank of America which may be the a major American bank that Julian Assange intends to "take down" and reveal an "ecosystem of corruption."

As Bank of America's share price falls, The New York Times reported on the bank's counterespionage work as it gears up for possible published data. A team of 15 to 20 Bank of America top officials are investigating, "scouring thousands of documents in the event that they become public, reviewing every case where a computer has gone missing and hunting for any sign that its systems might have been compromised."

From a security and privacy perspective, it seems like missing computers should have been very important at the time . . . not just if that information might be made public by WikiLeaks. Perhaps computers gone missing were important at the time, but now Bank of America has consulted with top attorneys in case legal problems spring up after a public disclosure, "including the bank's potential liability if private information was disclosed about clients."

If the possibility of espionage was not enough, is a breach considered red-alert important only if the stolen information becomes public knowledge?

Like this? Check out these other posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.