
Alert – Financial Processes Targeted

  • At August 28, 2009
  • By Josh More
  • In Business Security
  • 0

I normally avoid spreading word about specific attacks, as it is better for overall security to continuously strengthen your defenses and keep an eye out for strangeness.  Focusing on attack types and general security practice tends to have a better overall result than trying to play whack-a-mole and knock down individual people or pieces of malware.

That said, there is a current threat that people should know about, so I want to do my part to boost the signal.

At issue is a specific piece of malware that targets people with access rights to financial systems.  It generally arrives in a targeted email (spear phishing) that installs the malware when the recipient acts on it.  Once installed, the malware watches the computer for financial transactions and then initiates additional transfers of its own.

What is different here is that small businesses are being singled out.  This is largely because they tend to have weaker security and audit controls than the larger firms.  So, though the larger firms have more money to steal, stealing a smaller amount from a great many businesses can net just as much.  And after all, a dollar is worth a dollar, no matter who it is stolen from.

To protect against this attack, you have to keep one thing in mind — there is no guaranteed way to prevent it.  All you can do is do your best to protect yourself and check transfers regularly to make sure that you have not been hit.  In short, if your accounting staff are not doing all of the below, your business is facing some serious risk:

  • Use a two-factor authentication system (RSA tokens are the most popular) to log in to the banking system.
  • Use a dedicated workstation for financial transfers.  This system should have no email client installed and should be firewalled so that it can reach only the web systems it needs.
  • Enter into an agreement with your bank so that all transfers must be confirmed.  A verbal confirmation originating from the bank is best, since then the attackers cannot initiate a transfer and call the bank themselves to confirm it.  If your bank cannot do that and you have to stay with them, look into email- or SMS-based confirmation systems.
  • Use a bank-enforced 24-48 hour hold on transfers.
  • Check your accounts regularly and reconcile all transactions.
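The last two items, the hold and the regular reconciliation, only help if someone actually compares what the bank posted against what the business authorized.  The following is an added example (Python, not code from the original post or from any bank) of that comparison: it reads a constructed bank activity export, matches each posted item against a constructed internal ledger, and reports the outgoing transfers the ledger cannot account for.  The CSV layout, the entries, the counterparty names and the two-day matching tolerance are all assumptions for illustration.

```python
"""Reconcile a bank activity export against the internal ledger and report
every transfer the books do not explain.  Added example, not code from the
original post; the CSV layout, the ledger entries and the counterparty
names are constructed for illustration."""
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed sample of a bank's activity export (negative = money leaving).
BANK_EXPORT = """\
date,description,amount,counterparty
2009-08-24,ACH PAYROLL,-18250.00,Payroll Processor Inc
2009-08-25,WIRE OUT,-9800.00,J Smith
2009-08-25,ACH VENDOR,-1200.00,Office Supply Co
2009-08-26,WIRE OUT,-9700.00,M Jones
2009-08-27,DEPOSIT,42000.00,Customer A
"""

# Constructed sample of what accounting actually authorized this week.
LEDGER = [
    {"date": date(2009, 8, 24), "amount": Decimal("-18250.00"),
     "counterparty": "Payroll Processor Inc"},
    {"date": date(2009, 8, 25), "amount": Decimal("-1200.00"),
     "counterparty": "Office Supply Co"},
    {"date": date(2009, 8, 27), "amount": Decimal("42000.00"),
     "counterparty": "Customer A"},
]


def parse_bank_export(text):
    """Turn the CSV export into rows with real dates and exact decimal amounts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(r["date"]),
            "description": r["description"],
            "amount": Decimal(r["amount"]),
            "counterparty": r["counterparty"],
        })
    return rows


def reconcile(bank_rows, ledger, date_slack_days=2):
    """Match each bank row to one unused ledger entry with the same amount and
    counterparty, tolerating a few days of posting delay.  Returns the bank
    rows nothing explains and the ledger entries the bank never posted."""
    unused = list(ledger)
    unexplained = []
    for row in bank_rows:
        match = None
        for entry in unused:
            if (entry["amount"] == row["amount"]
                    and entry["counterparty"].lower() == row["counterparty"].lower()
                    and abs((entry["date"] - row["date"]).days) <= date_slack_days):
                match = entry
                break
        if match is None:
            unexplained.append(row)
        else:
            unused.remove(match)
    return unexplained, unused


def outgoing(rows):
    """The subset that moved money out: these are the ones to call the bank about."""
    return [r for r in rows if r["amount"] < 0]


if __name__ == "__main__":
    unexplained, never_posted = reconcile(parse_bank_export(BANK_EXPORT), LEDGER)
    for r in outgoing(unexplained):
        print("UNEXPLAINED %s %-12s %10s to %s" % (r["date"], r["description"],
                                                  r["amount"], r["counterparty"]))
    for e in never_posted:
        print("NOT POSTED  %s %10s to %s" % (e["date"], e["amount"], e["counterparty"]))
```

Matching on amount plus counterparty, with a short date window, is deliberately strict: a transfer the malware initiated has no ledger entry and no known counterparty, so it surfaces as UNEXPLAINED, and with a 24-48 hour hold in place that report is what you take to the bank before the money actually leaves.  A ledger entry the bank never posted is worth a look too, since a transfer that went somewhere other than where the books say is the same problem from the other side.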

Check out the following links for more information:

  • Washington Post Article
  • TrustCC Post

I would like to thank Rob Lee for alerting many of us to this situation.

Small Business Defense – AntiPhishing

  • At March 19, 2009
  • By Josh More
  • In Business Security
  • 1

The core problem with phishing is that it is a very human attack.  It relies on people to, well, be people.  The emails are crafted to be interesting or scary, and right when the reader is at the peak of wanting to know more, they are presented with a link.  Once the link is clicked on, it’s game over… so the point of the game is to keep the link from being clicked.

It’s harder than it sounds.

One technique that would work well would be to completely block all HTML email.  Thus, no pictures, no links.  All email looks the same and all the HTML email coming in will look like utter gibberish.  Now, as much fun as we all had in 1995, I think that we can all agree that that approach would not work well these days.  So, what does?

Antispam

Many phishing attempts will trigger on good spam filters.  The important thing to note, though, is that a phishing message a user pulls out of the spam folder is just as effective as one that lands in the INBOX.  If you use this as a primary defense, it is important to make sure that the anti-spam quarantine presents trapped messages in a way that leaves their links inactive.  Google’s Gmail and their add-on message security products work well for this.

Anticlick

If the emails get through, and let’s face it, no antispam solution is perfect, it can work well to prevent the click from occurring.  There are technologies that whitelist allowed links and render all others unclickable.  You can also run local HIPS software that can prevent such clicks from downloading and running software.  If the HIPS software is good enough, it might even protect against overflows in the email client itself.  Again, however, these solutions aren’t perfect.

Employee Education

The absolute best way to keep employees from clicking on the link is to continuously tell them not to click on links. It’s not perfect, but making employees responsible for their actions is the best way to get results. Much as someone would not leave the front door open and unlocked, they should be aware of the ramifications to the business should they engage in unsafe practices on the Internet.

Of course, we all know that people will make mistakes, which is why it would be wise to use both antispam and anticlick technologies as well. The combination of all three works far better than any one alone.

Small Business Attack – Phishing

  • At March 18, 2009
  • By Josh More
  • In Business Security
  • 0

Odds are that your business has a relationship with key vendors.  Commonly, these include at least one bank and payroll processor.  Of course, were one of these accounts breached, things could get really bad. Really really bad. In fact, things could get bad enough that people might not be thinking clearly when they click on links.

That’s all an attacker needs. One brief moment of panic or excitement, one click of a link, and they’re in.

Attacks can come in many forms. All an attacker needs to know is a little bit of information about your company and be able to bypass a spam filter. Then, suddenly, your employees will start seeing emails with subject lines like:

  • “Problem processing your paycheck”
  • “Health insurance lapsed”
  • “[Payroll Company]: Bonus check available”
  • “[Your Company] being sued by [Big Company]”

Once the employee opens the email, it may be all over, but odds are that your systems are somewhat secure.  This means that they’ll actually also have to click on a link.  Generally, this is done by naming the link one of the following:

  • “click here”
  • “more info”

At this point, the user generally clicks their mouse, the attack runs, and the attacker has access to all the files on the workstation.

But you should be OK.  After all, it’s not like your employees have access to proprietary or customer data… right?
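The Anticlick section in the previous post and the “click here” / “more info” passage above describe the same control from two sides: decide which links a user is allowed to follow, and neutralize the rest before the message reaches them.  The following Python is an added example, not code from the original posts or from any product mentioned in them.  It parses a constructed HTML message with the standard library, scores each link (target host not on an allow-list of the business’s real vendors, generic anchor text such as “click here”, a displayed URL that differs from the real target) and re-emits the message with every failing link reduced to defanged, unclickable text.  The allow-list, the sample message and the scoring rules are assumptions.

```python
"""Score the links in an HTML email and neutralize the ones that fail.
Added example, not code from the original posts; ALLOWED_HOSTS, the
sample message and the scoring rules are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the domains of the vendors this business really deals with.
ALLOWED_HOSTS = {"bank.example", "payroll.example"}

# Anchor texts that say nothing about where the link actually goes.
GENERIC_ANCHOR_TEXT = {"click here", "more info"}

# Constructed sample message modeled on the subject lines in the post.
SAMPLE_EMAIL = """<html><body>
<p>Problem processing your paycheck. To review the details
<a href="http://payroll-notice.example/login">click here</a>.</p>
<p>Your statement is ready at
<a href="https://online.bank.example/statements">online.bank.example</a>.</p>
<p>Bonus check: <a href="http://198.51.100.7/doc">https://www.payroll.example/bonus</a></p>
</body></html>"""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_allowed(host):
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def assess_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it may stay live."""
    reasons = []
    host = host_of(href)
    if not is_allowed(host):
        reasons.append("host not on vendor allow-list: " + (host or href))
    if text.lower() in GENERIC_ANCHOR_TEXT:
        reasons.append("generic anchor text")
    if text.lower().startswith(("http://", "https://")) and host_of(text) != host:
        reasons.append("displayed URL differs from real target")
    return reasons


def defang(url):
    """Keep the URL readable but not clickable: hxxp scheme, bracketed dots."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


class LinkNeutralizer(HTMLParser):
    """Re-emit the HTML unchanged except that each <a> failing assess_link is
    replaced by its visible text plus the defanged target."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # pass entities through untouched
        self.out = []
        self.findings = []      # (href, text, reasons) for every neutralized link
        self._pending = None    # (href, index in out, text parts) while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._pending = (dict(attrs).get("href") or "", len(self.out), [])
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._pending is not None:
            href, start, parts = self._pending
            text = " ".join("".join(parts).split())
            reasons = assess_link(href, text)
            if reasons:
                self.findings.append((href, text, reasons))
                del self.out[start:]            # drop <a ...> and everything inside it
                self.out.append("%s [link disabled: %s]" % (text, defang(href)))
            else:
                self.out.append("</a>")
            self._pending = None
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self._pending is not None:
            self._pending[2].append(data)
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)


def neutralize(html):
    """Return (rewritten html, findings) for one message."""
    p = LinkNeutralizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings


if __name__ == "__main__":
    rewritten, findings = neutralize(SAMPLE_EMAIL)
    for href, text, reasons in findings:
        print("DISABLED %s (%r): %s" % (href, text, "; ".join(reasons)))
    print(rewritten)
```

The allow-list is the part that does the real work: the bank’s own link survives untouched, while the lookalike payroll domain and the bare-IP link are both reduced to text the user can read but not click, which is exactly the “whitelist allowed links and render all others unclickable” behavior described under Anticlick.  The generic-anchor and mismatched-URL checks are there for the report, so whoever reviews the quarantine can see why a message was altered.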

Copyright © 2013 by Josh More