The rise of targeted malware

Earlier this year, customers of Hannaford Bros. grocery stores in New England learned that more than four million of their credit and debit card numbers had been stolen by cyber criminals.

At first glance, this data breach looked all too common. After all, plenty of other companies – from Pfizer to Monster.com to TJX – have weathered similar attacks recently.

But when you dig deeper into the details of this attack, a disturbing trend emerges: Hannaford Bros. was the victim of targeted malware. Unlike most data breaches, which are opportunistic crimes triggered by things like stolen laptops or poorly secured databases, this instance involved malware written specifically to steal information from Hannaford Bros.

Criminals secretly infected servers at every grocery store with software that intercepted card data at checkout. The information was then sent overseas.

If you think this is an isolated incident, think again. Recently, a new phishing attack has been circulating that targets not a company but a specific type of person: the corporate CEO. The CEO subpoena phishing attack looks like a valid legal document, but if CEOs fall for it, they put their company at risk.

Then there is Trojan.Silentbanker, malware that targets the online banking accounts of approximately 400 banks. This is an especially troubling type of malware, since users believe they are secure during the banking session, having logged into their accounts using various forms of two-factor authentication.

This man-in-the-middle attack, which infects users through corrupted websites, re-routes the victim's account to the attacker's site. Since users have no idea that their banking session has been compromised, seeing the same screens they would during an uncompromised session, Trojan.Silentbanker is able to intercept user names, passwords, and other forms of authentication, such as security questions.

Research firms have been saying for quite some time that the antivirus/perimeter approach to security is dead, and targeted attacks could very well be the final nail in the AV coffin.

Traditional security works best when hackers employ the “spray-and-pray” approach. When hackers write far-reaching malware that targets anyone and everyone, traditional security is able to counter these attacks through signatures. With a broad internet presence, traditional AV companies collect as many instances of these types of attacks as they can, gauge their severity, study them and create signatures to stop them.

That method falls flat when it comes to targeted attacks. Since they target small groups of users, many of these attacks evade the early-warning systems that AV vendors rely on.

Next, because they infect so few users, the risk isn't deemed terribly severe: AV vendors typically rank threats by infection rate rather than by the severity of the attack. Finally, since they don't believe other users will be infected, AV vendors don't devote the resources to studying and developing signatures for targeted malware.

Three steps outlined below will help you stave off this new class of malware.

1) Evaluate your security posture – and re-evaluate it on an ongoing basis. Targeted malware is more powerful and better engineered than typical malware. Unfortunately, most targeted malware attacks bypass perimeter defenses, so we must search for anomalies. Review IPS logs and look for unusual activity; review HTTP proxy logs and try to identify potentially malicious requests for .exe's and similar files; and if everything is behind HTTPS, review the logs by checking the sites manually.

2) Rethink your approach to security. It's better to define what is good and acceptable and disallow anything beyond that. Protect yourself by employing security that blocks behaviors rather than specific, known malware variations.

3) Find a way to correlate all your security layers and their many alarms and logs. Knowledge is power, but too often it is buried deep in logs and drowned out by false alarms. With centralized, integrated security management and a single point of visibility into your network, you won't be blindsided by a targeted attack.
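The proxy-log review in step 1 can be scripted. The following is an added example, not code from the article or from any vendor mentioned in it; the log format (timestamp, client, method, URL, status, content-type) and the sample lines are constructed for illustration. It flags requests whose URL ends in an executable extension and, as a second check the article's hint about ".exe's and such" implies, responses whose content-type is executable even though the file name looks harmless.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (hypothetical format: timestamp client method url status content-type).
SAMPLE_LOG = """\
2008-03-17T10:01:05 10.0.5.21 GET http://updates.example.com/patch/agent.exe 200 application/octet-stream
2008-03-17T10:01:09 10.0.5.21 GET http://www.example.com/index.html 200 text/html
2008-03-17T10:02:44 10.0.5.33 GET http://cdn.example.net/img/logo.gif 200 application/x-msdownload
2008-03-17T10:03:12 10.0.5.40 POST http://mail.example.org/send 302 text/html
2008-03-17T10:04:00 10.0.5.21 GET http://www.example.com/docs/report.pdf 200 application/pdf
"""

# Extensions and MIME types that indicate a Windows executable download.
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".msi")
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype}


def suspicious_reason(entry):
    """Return why an entry looks like an executable download, or None if it does not."""
    path = urlparse(entry["url"]).path.lower()
    if path.endswith(EXEC_EXTENSIONS):
        return "executable extension"
    # A benign-looking name served with an executable MIME type is the more telling case.
    if entry["ctype"] in EXEC_CONTENT_TYPES:
        return "executable content-type behind non-executable name"
    return None


def find_executable_requests(log_text):
    """Return (client, url, reason) for every log line that warrants a closer look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = suspicious_reason(entry)
        if reason:
            findings.append((entry["client"], entry["url"], reason))
    return findings


if __name__ == "__main__":
    for client, url, reason in find_executable_requests(SAMPLE_LOG):
        print(f"{client} {url} -> {reason}")
```

Pointing the script at real proxy output only requires adapting LINE_RE to that log's field order; the review logic itself does not change.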
