Phishing attempts, spear phishing attempts, keystroke loggers, password-stealing Trojans and other types of malware put corporate data and finances increasingly at risk. The target of malware is typically sensitive content like usernames and passwords, but it can also include login data for banking systems, customer data, trade secrets and other types of confidential information. The increasing end goals of stealing information (both personal and corporate), hijacking systems for a wide range of purposes and launching additional malicious attacks all have serious business implications, in addition to the more traditional impacts to storage, bandwidth, infrastructure and other costs.
Some examples of serious malware incursions during the recent past:
• In mid-February 2013, Apple Computer was the victim of a malware attack that was able to infect an undisclosed number of Macs within the company. The malware entered the company through a legitimate Web site focused on software development and exploited an unpatched bug in Java. Kaspersky Labs recently reported a massive increase in the average daily number of attempted visits to sites involved in Apple ID phishing attacks from 1,000 per day in 2011 to 200,000 per day between January 2012 and May 2013.
• In early February 2013, Twitter was hacked and information from 250,000 user accounts was exposed, most likely because of the Java exploit noted above.
• In July 2012, Neurocare, a medical equipment manufacturer, was attacked by malware that compromised the company’s credentials used to access a third-party payroll processor. All Neurocare employees were negatively impacted by the attack.
• In June 2011, the International Monetary Fund (IMF) underwent a spear phishing attack that might have been perpetrated by a rogue state. Although employees were instructed not to open unknown attachments, not to open email from unknown senders and not to click on video links, malware in an email successfully bypassed IMF defenses and information was stolen from compromised computers.
• In April 2011, phishing attempts against many lower-level employees at security firm RSA proved to be successful. These emails carried the subject line “2011 Recruitment Plan” and an attached Excel spreadsheet containing a zero-day exploit aimed at a vulnerability in Adobe Flash. Although the emails were delivered to these users’ spam quarantines, they were opened from within the quarantine and a Trojan was installed that was able to harvest credentials from many employee accounts, compromising RSA’s SecurID tags. Hundreds of organizations have been attacked using the same command and control mechanism, including IBM, Google, Microsoft and about 20% of the Fortune 500.
• In April 2011, a spear phishing attempt directed against the Oak Ridge National Laboratory was able to steal several megabytes of data before IT administrators stopped Internet access. The email sent to employees was supposedly from the lab’s HR department and included a malicious link. It was opened by 57 of the 530 employees who received it.
Malware can enter an organization through simple Web surfing if legitimate Web sites have been compromised.
For example, a popular Bulgarian Web site that sells watches had been compromised as of early 2013, and visitors were redirected to a Web site that infects them with SMS-based Trojans.
Common threat vectors include:
• Cross-Site Request Forgery (CSRF) attacks permit seemingly safe Web sites to generate requests to different sites. CSRF attacks have exploited vulnerabilities in Twitter, enabling site owners to acquire the Twitter profiles of their visitors.
• Web 2.0 applications that leverage XML, XPath, JavaScript and JSON, Adobe Flash and other rich Internet applications are frequently vulnerable to injection attacks using these environments. These technologies are often used to evade anti-virus defences, motivating attackers to leverage them.
• Cross-component attacks can occur when two harmless pieces of malware code appear on the same Web page. Individually, they are harmless and difficult to detect. However, when they appear simultaneously on a single page, they can infect a user’s machine with malware.
• SQL injection attacks occur when SQL commands and meta-characters are inserted into input fields on a Web site, the goal of which is to execute back-end SQL code.
• Cross-site scripting attacks embed tags in URLs – when users click on these links, malicious JavaScript code is executed on their machines.
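The SQL injection and cross-site scripting items above both come down to untrusted input being interpreted as code. The following example, added here and not taken from the source document, contrasts a lookup that splices input into a SQL statement with a parameterised version, and shows output encoding for the XSS case; the table, usernames and inputs are constructed sample data.

```python
import html
import sqlite3


def build_db():
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2"), ("o'brien", "h3")])
    return conn


def lookup_vulnerable(conn, username):
    # DON'T: the input is spliced into the statement text, so SQL
    # meta-characters such as the single quote change what the query means.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # Even benign input containing a quote (O'Brien) breaks the query,
        # which is the first sign that injection is possible.
        return f"error: {exc}"


def lookup_hardened(conn, username):
    # DO: a parameterised query hands the value to the driver separately
    # from the statement, so the input is matched as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(name):
    # For the XSS case: encode untrusted text before placing it in HTML so
    # angle brackets and quotes are shown literally instead of forming tags.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

Run the two lookups side by side with a username containing a quote: the spliced version fails or returns rows it should not, while the parameterised version returns exactly the matching row.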
Email was the primary method for distributing malware from the early 2000s through 2009, before it was overtaken by the Web as the primary attack vector. However, email continues to be a key method for distributing spam through a variety of venues – desktop email, mobile phones using SMS/text messaging, etc. More recently, email has been used for “blended threats” – spam messages that contain links to malware-laden sites. Blended threats are a more sophisticated form of attack because defending against them requires more security integration, combining traditional email and Web security capabilities.
While many are now discounting spam as a serious threat vector because volumes are much lower today than they were in late 2010, spam continues to be a serious problem. This is because the typical spam message – often used to distribute malware – is potentially much more damaging. While spam itself is not inherently or directly “dangerous” from a security perspective, it wastes bandwidth, storage, and employee time, not to mention the cost of deploying systems to deal with identifying and eradicating spam from corporate networks.
Cybercrime and phishing attacks most commonly originate with an employee clicking a link to a website hosting malware, opening a file attached to an email that contains malware, or simply giving up corporate information when asked via a phishing email or website. Such information can then be used as the basis for a sophisticated phishing attack or may be sufficient to get the scammer what they need. There is no silver bullet, but these threats can be mitigated by training the workforce to identify, prevent and report such attacks in a timely manner. Spam wastes IT’s time and users’ time, and drives up the overall cost of email and other IT-managed systems.