• United States



Espionage Via Spoofed White House eCard

Jan 03, 20115 mins
BotnetsCybercrimeData and Information Security

Espionage malware came packed in a happy holiday eCard that spoofed, tricking government and contractor cybersecurity experts and stealing over 2 gigs of data.

When many people were caught up in the warm fuzzy feeling of peace on earth and goodwill toward man, it may have felt rewarding to receive a Christmas eCard from The White House. The bad news is that the spoofed seasons greetings contained malware aimed at espionage and sucked up several gigabytes of sensitive government documents. Some of the victims worked on cybersecurity as government employees and contractors.

It is currently unknown how many people received the following message on Dec. 23:

“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”

Regarding this Zeus banking Trojan variant, security blogger Mila Parkour wrote, it “appears to be designed for stealing documents as opposed to stealing passwords and banking information. This places this particular trojan in the category of malware designed for data theft and political/corporate espionage.”

Any recipient who clicked on the links and opened the file were then infected with a Zeus Trojan variant that snatched documents and passwords and then uploaded the stolen data to a server in Belarus.

Security expert Brian Krebs wrote in “White House eCard Dupes Dot-Gov Geeks” that he “analyzed the documents taken in that attack, which hoovered up more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims.”

Krebs identified some of the victims who fell for the scam e-mail as employees for various governments. These three stood out the most to me:

-An intelligence analyst in Massachusetts State Police gave up dozens of documents that appear to be records of court-ordered cell phone intercepts. Several documents included in the cache indicate the victim may have recently received top-secret clearance. Among this person’s cache of documents is a Department of Homeland Security tip sheet called “Safeguarding National Security Information.”

-An employee at the National Science Foundation’s Office of Cyber Infrastructure. The documents collected from this victim include hundreds of NSF grant applications for new technologies and scientific approaches.

Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

It is believed by Alex Cox, research analyst at security firm NetWitness, that this government spear phishing attack involves the same guy behind the “Hilary Kneber” Zeus botnet from last year that infected “some 75,000 PCs on a wide range of government and private sector networks.” Krebs reports that Cox said, “It’s either the same guy, or someone is using this guy’s exact same technique.”

For now, this Merry Christmas eCard attack is thought to be for espionage purposes and that may very well prove true. This goes to show that anyone, regardless of expertise, can fall for a scam. Over 2 gigs were stolen and the damage is done, but will any policies or information be changed now that they are compromised?

What if, later on, any of this “secret” information were to be published by someone such as WikiLeaks? Is a breach only truly considered serious if that information were to be made public? Case in point is Bank of America which may be the a major American bank that Julian Assange intends to “take down” and reveal an “ecosystem of corruption.”

As Bank of America’s share price falls, The New York Times reported on the bank’s counterespionage work as it gears up for possible published data. A team of 15 to 20 Bank of America top officials are investigating, “scouring thousands of documents in the event that they become public, reviewing every case where a computer has gone missing and hunting for any sign that its systems might have been compromised.”

From a security and privacy perspective, it seems like missing computers should have been very important at the time . . . not just if that information might be made public by WikiLeaks. Perhaps computers gone missing were important at the time, but now Bank of America has consulted with top attorneys in case legal problems spring up after a public disclosure, “including the bank’s potential liability if private information was disclosed about clients.”

If the possibility of espionage was not enough, is a breach considered red-alert important only if the stolen information becomes public knowledge?

Like this? Check out these other posts:

  • All of today’s Microsoft news and blogs
  • FBI Spied and Lied, Misled Justice Department on Improper Surveillance of Peace Groups
  • EFF Warns of Untrustworthy SSL, Undetectable Surveillance
  • Traveler to TSA: If you touch my junk, I’ll have you arrested
  • TSA: Show Us Your Body Or We’ll Feel You Up
  • ACLU Report: Spying on Free Speech Nearly At Cold War Level
  • Feds Tracking Americans’ Credit Cards in Real-Time Without a Warrant
  • Police State of Wiretapping the Web: Who Do THEY Want to Watch?
  • DHS to Launch SAR Database. In Suspicion and Surveillance We Trust?
  • If Threatened With Arrest When Recording Video at TSA Checkpoints…

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.