
The rise of targeted malware

Earlier this year, customers of Hannaford Bros. grocery stores in New England learned that more than four million of their credit and debit card numbers had been stolen by cyber criminals.

At first glance, this data breach looked all too common. After all, plenty of other companies – from Pfizer to TJX – have weathered similar attacks recently.

But when you dig deeper into the details of this attack, a disturbing trend emerges: Hannaford Bros. was the victim of targeted malware. Unlike most data breaches, which are opportunistic crimes triggered by things like stolen laptops or poorly secured databases, this instance involved malware written specifically to steal information from Hannaford Bros.

Criminals secretly infected servers at every grocery store with software that intercepted card data at checkout. The information was then sent overseas.

If you think this is an isolated incident, think again. Recently, a new phishing attack has been circulating that targets not a company but a specific type of person: the corporate CEO. The CEO subpoena phishing attack looks like a valid legal document, but if CEOs fall for it, they put their company at risk.

Then there is Trojan.Silentbanker, malware that targets the online banking accounts of approximately 400 banks. This is an especially troubling type of malware, since users believe they are secure during the banking session, having logged into their accounts using various forms of two-factor authentication.

This man-in-the-middle attack, which infects users through corrupted websites, re-routes the victim's account to the attacker's site. Since users have no idea that their banking session has been compromised, seeing the same screens they would during an uncompromised session, Trojan.Silentbanker is able to intercept user names, passwords, and other forms of authentication, such as security questions.

Research firms have been saying for quite some time that the antivirus/perimeter approach to security is dead, and targeted attacks could very well be the final nail in the AV coffin.

Traditional security works best when hackers employ the “spray-and-pray” approach. When hackers write far-reaching malware that targets anyone and everyone, traditional security is able to counter these attacks through signatures. With a broad internet presence, traditional AV companies collect as many instances of these types of attacks as they can, gauge their severity, study them and create signatures to stop them.

That method falls flat when it comes to targeted attacks. Since they target small groups of users, many of these attacks evade the early-warning systems that AV vendors rely on.

Next, since they infect so few users, the risk isn't deemed terribly severe, since AV vendors typically rely on infection rates rather than the severity of the attack. Finally, since they don't believe other users will be infected, AV vendors don't devote the resources to studying and developing signatures for targeted malware.

Three steps outlined below will help you stave off this new class of malware.

1) Evaluate your security posture – and re-evaluate it on an ongoing basis. Targeted malware is more powerful and better engineered than typical malware. Unfortunately, most targeted malware attacks bypass perimeter defenses, so you must search for anomalies instead. Review IPS logs for unusual activity; review HTTP proxy logs for potentially malicious requests, such as downloads of .exe files and similar executables; and if everything is behind HTTPS, review the logs by checking the sites manually.

2) Rethink your approach to security. It is better to define what is good and acceptable and disallow anything beyond that. Protect yourself by employing security that blocks behaviors rather than specific, known malware variations.

3) Find a way to correlate all your security layers and their many alarms and logs. Knowledge is power, but too often it is buried deep in logs and drowned out by false alarms. With centralized, integrated security management and a single point of visibility into your network, you won't be blindsided by a targeted attack.
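As an added illustration of steps 1 and 3 (not code from the original article), the following script flags anomalous requests in proxy logs and correlates them with IPS alerts per client, so that hosts with evidence from more than one security layer surface first. The log lines, IPS alerts, and the Squid-like log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (Squid-like: timestamp client method url status bytes)
PROXY_LOG = """\
1210000001.123 10.1.5.22 GET http://updates.example.com/patch.exe 200 524288
1210000002.456 10.1.5.22 GET http://203.0.113.45/dl/svc.exe 200 98304
1210000003.789 10.1.7.31 GET http://intranet.example.com/index.html 200 2048
1210000004.012 10.1.9.14 GET http://198.51.100.9/a.php?id=3 200 1024
1210000005.345 10.1.9.14 GET http://cdn.example.net/lib.js 200 40960
"""

# Constructed IPS alerts: (client_ip, signature description)
IPS_ALERTS = [
    ("10.1.5.22", "outbound connection to known C2 port"),
    ("10.1.7.31", "internal port scan"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
EXEC_EXT = (".exe", ".dll", ".scr", ".pif")
# Destination given as a bare IPv4 address rather than a hostname
RAW_IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


def flag_proxy_line(line):
    """Return the reasons a proxy log line looks anomalous (empty list if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    _ts, _client, _method, url, _status, _size = m.groups()
    reasons = []
    path = url.split("?", 1)[0].lower()  # strip query string before checking extension
    if path.endswith(EXEC_EXT):
        reasons.append("executable download")
    if RAW_IP_HOST.match(url):
        reasons.append("destination is raw IP, not hostname")
    return reasons


def correlate(proxy_log, ips_alerts):
    """Map client -> findings, keeping only clients seen by both the proxy and the IPS."""
    findings = defaultdict(list)
    for line in proxy_log.splitlines():
        reasons = flag_proxy_line(line)
        if reasons:
            findings[line.split()[1]].extend("proxy: " + r for r in reasons)
    for client, sig in ips_alerts:
        findings[client].append("ips: " + sig)
    return {c: f for c, f in findings.items()
            if any(x.startswith("proxy") for x in f) and any(x.startswith("ips") for x in f)}
```

Run against the constructed data, only 10.1.5.22 is reported: it downloaded executables, one of them from a raw IP, and also triggered an IPS signature, while 10.1.9.14 (proxy only) and 10.1.7.31 (IPS only) drop out of the correlated view.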
