Intranet Blog :: Main Page

Social media and intranet case studies, best practices, & evolution by Toby Ward.

Month Archive

September 2007
August 2007
July 2007
June 2007
May 2007

Web Development & Design Blogs - Blog Top Sites

Main Page

« July 24 | July 26 »

Wednesday, July 25

Targeted attack yields intranet and website passwords, says report

by Toby Ward on Wed 25 Jul 2007 10:35 PM PDT

Mysterious, unidentified sources are behind some very targeted attacks of employees of the U.S. government, some defense contractors and other companies in the transportation industry.

According to a report in the Washington Post, Government, contractors hit in targeted attack, the attack was intended to yield “password information for hundreds of Internet and intranet” sites – namely some very specific sites relating to U.S. defense and transportation (both private and public sector). Experts are not ruling out a terrorist connection:

“The malicious code behind the attacks was first detected by computer intrusion prevention vendor Prevx Ltd. on July 5. In total, the criminals were able to cull 200M bytes information from about 500 computers, including password and login data, Prevx said.

All but one of the computers was located in the U.S., and many of the computers that were infected were associated with air transportation, according to Mel Morris, CEO of Prevx. "This was a well-coordinated attack by someone wanting to get information on the related sites."

PCs at the U.S. Department of Transportation (DOT), American Airlines Inc. and DOT contractor Booz Allen Hamilton Inc. all were compromised, Morris said.

If DOT systems were compromised, the department is unaware of the situation. "We haven't found any record of a problem," a DOT spokeswoman said Tuesday.

Prevx obtained a sample of the Trojan used in the attacks on Friday of last week. By Saturday, they had tracked down a Web site, hosted by Yahoo Inc. in Sunnyvale, California, where information from the compromised PCs was dropped. Because Prevx found a "massive amount" of job applications on the Web site used by the criminals, the company believes that victims may have downloaded the malicious software while thinking they were applying for a job.

That Web site, which had probably been hacked by the criminals behind the scam, was shut down on Tuesday, Morris said. It hosted about 200M bytes of password information, and log-files on the server showed the Internet Protocol (IP) addresses of the infected PCs.

Victims of the Trojan, calledWin32.PSWSteal.Gen, are told that their hard drive has been encrypted and that they will need to pay US$300 to for a decryption tool.

Morris believes this extortion threat is actually a ruse designed to conceal the attacker's true motivation: data gathering. "We think the ransomware is to point anyone investigating this down the wrong alley," he said.

Morris said he is troubled that such a high percentage of the infected PCs are related to the transportation sector, which has been the target of terrorist attacks."

The key lesson: do not open attachments or links to unknown websites from unsolicited email purporting job opportunities.

Read the complete article: Government, contractors hit in targeted attack.

Digg this Post to del.icio.us Post to Slashdot

Add to Technorati Faves

Technorati Profile

Leave Comment | Permanent Link | Cosmos

Home

Syndicate

follow me on Twitter

Twitter Updates