Security Blog

Your source for information security news and views.
Tags >> phishing

Forget about LulzSec and Anonymous. Those political hacktivist groups are only amateur script kiddies compared to hackers recently revealed by McAfee. The newly discovered groups five year long attack, which struck at least 72 identified organizations, seems to have originated out of China, although no official location has been determined.

Dubbed Operation Shady RAT, which stands for remote administration tools, employs spear phishing techniques which mimic legitimate email messages (just as many other phishing attacks do), then once users open attachments their systems become infected with malware allowing them to be controlled by a command-and-control server hosted by the hackers. Unlike other attacks we have seen, this hacking group doesn't seem to be out for laughs or a quick payout. It's data mining they are after, and lots of it.

The longevity of their attacks has led to the compromise of petabytes worth of data thus far. The damage and loss of proprietary information is far more valuable than anyone would have predicted, and until the attackers are shut down, it is only expected to get worse.

This attack brings to light a concept we have been throwing at IT security professionals for quite some time now. Anyone who has attended Ken Kousky's Strategy to Reality seminars has most definitely heard about Advanced Persistent Threats (APTs). This was the same attack approach used in the SCADA attacks on Iraq's nuclear facilities and in Operation Aurora against Google and a dozen or more organizations. For those that need a brush up on APT attacks think of them as interactive, polymorphic attacks with the ability of their controllers to evolve and adapt to any security system. You build a wall, they knock it down, you dig a moat, they swim across it. APT attacks represent an new revolution of unstoppable cyber attacks.

The only way to stop an APT attack is to cut it off at its driving source, the C&C server. McAfee is working with a variety of US government agencies to shut down the C&C server however the attackers 5 year head start along with jurisdictional issues is sure to make this quite the challenging task.

Another issue is many organizations failure to report or admit a compromise, thus making these attacks even more difficult to follow. Security professionals must keep in mind that despite your organizations reputation or pride, you have a duty to disclose attacks to the proper authority. These attacks cannot be ignored and cannot be fought alone.

Microsoft has even started a program offering a $250,000 incentive to anyone who contributes outstanding solutions to these attacks in defense of the future of computing technology.

If your wondering if your organization could be a target then just ask yourself one question. Does my information hold any value whatsoever? I'm guessing that for 95% of organizations this answer is yes.


Since when does innovation call for imitation of security? In todays world users demand portability. This involves designing devices and services to operate on much smaller platforms. Which means taking that 15 inch laptop from the office and crushing it down to a 4 inch pocket sized supercomputer, not only that but also taking those web browsers and applications and stripping them down to their minimal aspects to ensure lightweight, simple operation. In the process of stripping down these devices we are leaving out an important aspect, the security.

Although the convenience of having a pocket sized computer seems to trump most of our performance concerns we are actually giving up more than we can afford. Full sized devices offer us many integral features which we now take for granted. These features include security checks and warnings which are key to our safe networking.

For example, while using a standard full sized browser it is clear to see within the URL bar when a user is accessing a secure site. You are generally presented with the SSL security lock, or some other form of green light identifiers which assure you that the page you are currently accessing is encrypting your information and is safe. 

Our strive for mobile simplicity has led us to throw out these security checks and therefore opens the doors to spoofed websites which can potentially present us with false information and fake logins. There are only a handful of users with the knowledge to detect such websites on our mobile devices. We are making the prediction that phishing attacks relate to this type of mobile spoofing will become one of the most abundant threats in the upcoming years to mobile users.

Thankfully many mobile browsers now support SSL and https transmissions, however, that is only when the user chooses to use the securely protected website. Not many custom mobile sites have been designed to handle this type of security yet. Anyone who has accessed a full sized webpage on a mobile device knows how difficult it can be to read small text and press submit buttons. This makes custom built mobile sites the optimal choice for convenience but definitely not for security.

There is work being done to prevent mobile site spoofing. But until this type of security is optimized and becomes the new standard in the industry we will constantly be bombarded with fake login pages and spoofed sites.

On another note our mobile apps could also use a security overhaul. It is only a matter of time before cyber criminals begin implementing malicious app installations by fooling our mobile carriers into thinking their app is good then flipping a switch on a server and transforming the app into one that commits malicious tasks, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout.

Innovations in mobile computing and browsing should make no exceptions to the rules of security, no matter how convenient it may be for user performance. Users these days have it all wrong. For those of you demanding power and portability, take a step back and demand your security first!


Topics