Corporate users hit with fake Microsoft email delivering sneaky malware

Discussion in 'malware problems & news' started by ronjor, Feb 10, 2015.

  1. ronjor (Global Moderator; joined Jul 21, 2003; Texas)
    http://www.net-security.org/malware_news.php?id=2960
     
  2. Rmus (Exploit Analyst; joined Mar 16, 2005; California)
    Very interesting report, Ron, including the link in it to the Cisco Blog:

    Fake Volume License Trojan Targets Corporate Users and Evades Sandboxes
    http://blogs.cisco.com/security/fak...-targets-corporate-users-and-evades-sandboxes

    A few quotes:
    And a comment in the Cisco Blog:
    Actually, not. The infamous postcards.com exploit from 2006, nine years ago, used a similar trick. A description of the scam:
    As with the current exploit, in the postcards.com attack, the real site appeared on the user's monitor, while the malware was downloading in the background.

    So, nothing new here, except that while the former was a drive-by download that installed the malware executable, the current exploit requires another operation by the user -- extract the executable from a ZIP file:
    All of this highlights basic failings in corporate security:
    • The user is still the weakest and most vulnerable link
    • Employees are permitted to install executable files
    For the first, evidently there was no attempt to question the source of the email; the opening line is:
    Wouldn't the employee question that she/he had not applied for such license, or had not been told that such license was coming? Evidently there is no company-wide security policy in place, where offers by email to install anything are reported to Administrative Security. Evidently the user did not question why the license registration required running a screen saver file from a ZIP folder.

    For the second failing, as long as employees can install anything they want, these tricks will continue to succeed. If, however, the company's computers are locked down after being configured by Administrative Support for the programs that employees need for the job, then nothing else can be installed except by Support. In such situations, updates to employee workstations are handled from an administrative console. An employee request for an additional program necessary for the job is checked out by Support, who then does the installation.

    This type of lock down is not popular, as was explained to me years ago in a discussion with Handlers at isc.edu: you would have a very unhappy workforce. Translation: employees like to use their work computer as their home computer and install anything they want.

    However, locking down computers works, as I have observed in a college where I worked years ago.

    ----
    rich
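The thread turns on a ZIP attachment whose member is a screen saver (.scr), which is a plain Windows PE executable under another extension. The following is an added example, not code from the thread or from Cisco, of the check a mail gateway or attachment filter would run before such a file ever reaches the user: it opens the ZIP in memory, flags any member whose name ends in an executable extension (including double extensions and names padded with spaces to hide the real extension), and, independently of the name, flags any member whose first two bytes are the PE "MZ" header. Encrypted members cannot be inspected, so they are flagged rather than passed. The member names and the fake PE bytes are constructed sample data; the file name "License_Registration.scr" is a hypothetical stand-in, not the name from the real campaign.

```python
import io
import zipfile

# Extensions that Windows executes directly when opened from Explorer.
# A .scr screen saver is an ordinary PE executable under another name.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".dll", ".msi",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
}
PE_MAGIC = b"MZ"       # DOS stub header that begins every Windows PE file
ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in the ZIP local file header


def inspect_member(zf, info):
    """Return the reasons a ZIP member looks like an executable payload."""
    reasons = []
    base = info.filename.rsplit("/", 1)[-1]
    # Normalise case and whitespace so "Invoice.pdf          .scr" is caught too.
    parts = base.strip().lower().split(".")
    exts = ["." + p.strip() for p in parts[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) > 1:
            reasons.append("double extension " + "".join(exts))
    if info.flag_bits & ENCRYPTED_FLAG:
        # Content cannot be read without the password; treat as suspicious.
        reasons.append("encrypted member, content not inspectable")
        return reasons
    with zf.open(info) as f:
        head = f.read(2)
    if head == PE_MAGIC:
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def inspect_zip(data):
    """Map each flagged member name to its reasons; an empty dict means clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(zf, info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data):
    """Gateway decision: block the attachment if any member is flagged."""
    return bool(inspect_zip(data))


def build_sample_zip():
    """Constructed test attachment (hypothetical, not from the campaign):
    a fake PE named as a screen saver, a PE hiding behind .pdf, a double
    extension, a space-padded name, and one harmless text file."""
    fake_pe = PE_MAGIC + b"\x90" * 62   # only the magic matters for this check
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("License_Registration.scr", fake_pe)
        zf.writestr("report.pdf", fake_pe)
        zf.writestr("invoice.pdf.exe", fake_pe)
        zf.writestr("Invoice.pdf                .scr", fake_pe)
        zf.writestr("readme.txt", b"thanks for registering\n")
    return buf.getvalue()


def build_clean_zip():
    """Constructed attachment with only document members; should pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("terms.txt", b"license terms\n")
        zf.writestr("docs/notes.md", b"# notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(reasons)}")
    print("clean sample blocked:", should_block(build_clean_zip()))
```

The two checks are deliberately independent: the extension test catches a script or installer that has no MZ header, and the magic test catches a PE renamed to .pdf or .txt that the extension test would pass. Neither replaces the lockdown Rmus describes; a workstation that will not run an executable from a user-writable folder stops the same payload even when it arrives by a path the gateway never sees.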
     