Radware Discovers New Malware – Spread by email

August 29, 2012

Radware announced that its researchers have discovered new malware.  The malware is spread as a malicious email attachment.  When the email recipient opens the email attachment, a keylogger is installed that collects passwords, credit card data and other sensitive information.

Showing the continuing cat-and-mouse game in which bad guys discover new forms of attack to evade security measures, Radware reports:

The Admin.HLP Trojan is hidden within a standard Windows help file named Amministrazione.hlp and it is attached to emails. This standard help file does not activate any installed anti-virus programs, and therefore it goes under the radar of standard anti-virus solutions. Once the victim opens the Windows help file, the Admin.HLP Trojan installs itself on the victim’s computer where it starts to collect keystrokes. The Trojan periodically sends the stored keystrokes to the attackers’ remote server.

To remain a persistent Trojan threat, Admin.HLP creates a startup file in Windows, guaranteeing that the Trojan is invoked after every restart of the computer.
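Because the delivery vector here is an ordinary Windows help file attached to email, a mail gateway can flag such attachments before a user ever opens them. The following is an added example (not Radware's or Iconix's code) that parses a constructed message and flags attachments either by the .hlp extension or by the WinHelp file signature, so a renamed help file is still caught; the 4-byte signature is assumed from the WinHelp format and should be confirmed against your own samples.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# WinHelp (.hlp) files start with this 4-byte signature (assumed; verify locally).
WINHELP_MAGIC = b"\x3f\x5f\x03\x00"


def suspicious_attachments(raw_message: bytes):
    """Return [(filename, reason)] for attachments that look like Windows help files.

    Checks both the declared filename extension and the first bytes of the decoded
    payload, so a help file renamed to .txt is still reported.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".hlp"):
            reasons.append("extension .hlp")
        if payload[:4] == WINHELP_MAGIC:
            reasons.append("WinHelp signature")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample email (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Administration documents"
    msg.set_content("Please review the attached files.")
    # Help file with the same name the Radware report mentions.
    msg.add_attachment(WINHELP_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="Amministrazione.hlp")
    # Benign attachment: plain text, no signature.
    msg.add_attachment(b"quarterly notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    # Help file renamed to hide its extension: caught by the signature check.
    msg.add_attachment(WINHELP_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```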

Radware is providing its customers with a fix that blocks communications between this malware and its remote servers.

What information has been compromised before the installation of the specially developed Radware blocking software?

It is possible to break the cycle of new malware → detection → remediation → new malware by preventing the installation of email-spread malware.  The way to break the cycle is to provide employees with a tool that will help them make better decisions when processing their emails.  That tool is SP Guard from Iconix.  Spearphishers deceive by masquerading as trusted senders.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.


US Airport Cyberattack — Spearphishing Plays Its Part

August 17, 2012

Trusteer discovered that the internal network of an unidentified US airport has been compromised.

The airport uses a common remote access method – VPN – to allow remote access to its network.  In the current case, the attackers used screen capture software to steal user login data.  Computerworld reported the details of how the login credentials were stolen:

[T]he attack involved an innovative mixture of standard VPN login grabbing using the Citadel Trojan followed by screen scraping to discover the one-time password (OTP) presented by the gateway authentication system.

The OTP presented was in the form of an on-screen CAPTCHA using 10 digits embedded in an image, hence the need to grab it as a bitmap rather than by intercepting keyboard presses.

Using the stolen login credentials, the attackers have the same network privileges as the person whose credentials were stolen.  With the employee’s credentials in hand, the hackers would have unlimited access to the airport computer system’s software to the extent the worker’s account would allow.  George Tubin, a senior security strategist for Trusteer, quoted in Bloomberg Businessweek, said,

This was potentially very dangerous, but we don’t know whether the attacker group was targeting the financial system of the airport for economic gain or if the attack was terrorism-related. They could have been trying to access critical infrastructure—possibly air-traffic control systems and even the air-conditioning ducts on planes. Or they might have been looking at the hiring process, to see if they could get someone in there to work as an employee.

In order to steal the login data, the attacker first needed to install the malware on the victim’s computer.  How was this done?  Although it is unclear how the victims were initially infected, Oren Kedem of Trusteer speculated in eWeek that it could be through spear-phishing attacks or drive-by downloads.

Spearphishers deceive by masquerading as trusted senders.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.

Olympics – Scammers Exploit the Games

August 6, 2012

The official website of the London Olympics includes a “Stay Safe Online” page.  The page contains a link to a list of hundreds of scams that use the Olympic Games as bait to trap the unwary.  The most common scams are fraudulent email scams

where emails are sent falsely claiming to be from London 2012, or other organisations involved in the Games, but that are actually the first step in a fraud scam. They typically encourage the recipient to reveal information such as bank details or to part with money as an up-front payment in order to release a prize.

In order to help the public avoid fake Olympic websites, the official Olympics website offers a website validation tool.  Regrettably, at the time this posting is being written, that tool isn’t available.

A tool that is available is emailID from Iconix.  emailID marks real email from the London Olympics, making it easy to avoid fake Olympics emails.

Know Who.  No Doubt.  Use eMail ID.

Syria – The Cyberwar

August 1, 2012

One front in the civil war in Syria has gone unreported in the press — the cyber front.

Strategy Page reports that cyberspace has become part of the battlefield in Syria:

[I]t was recently discovered that someone was targeting pro-rebel websites and individuals outside of Syria. The attack came in the form of phony email addressed to a specific individual and made to appear it was from another rebel sympathizer or activist that the recipient knew. There was a file attached which, when opened, secretly installed monitoring software. Thus the infected computer could be secretly monitored by the Syrian government and files, email, and even all keyboard activity quietly copied.

This method of attack is known as “spearphishing.”  This cyberattack on Syrian rebels demonstrates the growing importance of spearphishing as a means of compromising the systems of adversaries.  Quoting Strategy Page:

In the past few years an increasing number of military, government, and contractor personnel have received these official looking emails, with a PDF document attached and asking for prompt attention. Despite being widely known, spear phishing still works and intelligence gathering organizations use it more and more.

Spearphishers deceive by masquerading as trusted senders.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.