Malware Attack Targets Defense Exporters


Posted by at 8:52 pm on July 6, 2010
Category: General

A multi-step attack targeting defense exporters was recently reported on Symantec’s security blog. The attackers first broke into one defense contractor’s network and set up a directory on its web server to host fake press releases. The compromised network was then used to send emails to employees of a second defense contractor. Those emails reported (falsely) that the CEO of the second defense contractor had been arrested for violations of the Export Administration Act and contained a link back to the fake press release directory on the first contractor’s website. Clicking that link delivered the malware payload to the user’s computer.

Often these malware attacks originate outside the United States from people whose proficiency in English grammar and spelling is on the severely limited side, thereby providing the first clue that something is amiss. (If cybervillains could speak decent English, after all, they could probably get real jobs.)

The email with the payload link read as follows:

According to an official spokesperson of FBI, [name deleted], the CEO of [name deleted] had been detained for further investigation. The US government is accusing [name deleted] of vialating [sic] Export Administration Act. It is said that during 2001 and 2008 [name deleted] had been involved in several illegal technique exportation to Iran and North Korea. Click here for further information. [Link deleted.]

The missing “the” in front of “FBI” and “Export Administration Act” makes it sound like it was written by Natasha from Rocky and Bullwinkle and suggests a Slavic country as the origin. Read the email aloud in your best Natasha accent imitation and see if you don’t agree. My vote is for someone in Ukrussia as the culprit. (A friend of mine in the anti-malware business says that people in Ukraine and Russia are responsible for an alarmingly high number of malware attacks and has coined “Ukrussia” as a shorthand name for the two countries).

The lesson to be learned here is to think before you click. Look at an email, even from what appears to be a trusted source, with care for telltale signs that it was cooked up in Ukrussia and not in Rosslyn, Virginia. If you think that your competitor’s CEO may be headed for the hoosegow, try a Google News search rather than clicking an email link. And don’t forget that the recent large-scale invasion of defense networks by Chinese hackers relied on getting defense company employees to click on links in emails from people that they had met on Facebook and other social networks.

[Thanks to a reader for emailing a link to the Symantec article.]


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


2 Comments:


Is there a real difference between Ukrussia and Rosslyn, Occupied Virginia?

Comment by Hillbilly on July 7th, 2010 @ 2:37 am

But first we get moose & squirrel!

Comment by Peter Almen on July 7th, 2010 @ 1:36 pm