Once More into the Breach Go Vendors

The recent spear phishing attacks at RSA and Epsilon are giving enterprise Web security firms an opening to mix research and applied science into a soft sell of their technology. Whatever the sales motive, the work at least offers a look at how easily these attacks can be executed.

While both Trusteer and StrikeForce sell security technology and thus have skin in the data breach prevention game, their respective forays into Web crime scholarship do shine a light on the role of keylogging and social engineering as a growing threat to banks, insurers and financial services firms. The danger is broader than that of consumer-targeted phishing, given the breadth of network and data access a criminal can obtain by hijacking PCs on the inside.

StrikeForce, for example, found that the compromise of the SecurID token processes at RSA was likely the work of hackers using keyloggers and spyware. Keystrokes are captured when the malware installed on an infected computer records or logs what is typed on its keyboard.

Users are duped by spear phishing (generally a large-scale phishing attack aimed at an enterprise) into opening a fake email that loads malware onto their computer. The malware can then monitor logins to gain access to data networks.

StrikeForce says the threat is heightened by the fact that the victimized RSA employees work in data protection, and thus would tend to have more advanced knowledge of hacking threats—making less initiated employees at other institutions even easier marks. The increased dependence on emerging transaction venues such as mobile, online orders and social networking also creates added exposure and points of soft access for crooks.

This easy access, in which internal staffers quickly open fake and poisoned emails, is also a troubling sign. Trusteer just finished a project in which it picked a group of 100 users, people Trusteer’s staff know personally and consider to be educated about financial security. The firm mimicked the LinkedIn update notification that is typically sent when a “connection” gets a new job, using it as the template for fraudulent emails.

The fake emails announced that the “connection” now worked at a rival of the intended “victim” in the experiment, and carried a button reading “View [friend’s name]’s new title,” along with a photo of the friend. The website Trusteer used was innocuous, but it stood in for the malicious website that, in a real attack, could be used to place malware on the victim’s computer. Trusteer says 41 subjects reached the faux malware landing page within 24 hours, 52 within 48 hours and 68 within a week.

“Social engineering is probably one of the most dangerous attacks for enterprises in general and financial institutions in particular, because most defenses are focused on the perimeters,” says Mickey Boodaei, CEO of Trusteer. “This type of attack comes from the back via the employees’ own devices, which are by definition less protected.”

This story has been reprinted with permission from Bank Technology News.
