Info Thieves Take Aim at the EnterpriseBy Matt Hines | Posted 2007-01-11 Email Print
Researchers are finding an increasing number of malware programs that appear to be designed specifically to steal valuable data from business users.
Among the long list of bills reintroduced with the opening of the U.S. Congress on Jan. 5 were two filed by Sen. Dianne Feinstein, D-Calif., aimed at forcing companies to better protect consumer information and publicly report any potential mishandlings.
However, according to a range of IT security researchers, businesses should be just as afraid of having their own valuable data stolen by hackers as they should be scared of losing customer records, because it appears malware writers are aggressively ramping up their efforts to create attacks meant to target corporate information.
While few virus examples have been publicly identified that exhibit this growing focus on stealing valuable business data, versus the many that have been unearthed that target consumers' personally identifiable information, analysts say there is plenty of evidence that the trend is picking up momentum.
"There's no doubt that this type of activity is becoming more popular; we've seen a lot more samples and kits, and real code, that is clearly designed to do things like grab files from local systems, to look for specific types of files used in business operations, and the valuable information in those files," said Dan Hubbard, vice president of security research at malware filtering specialists Websense, San Diego.
Hubbard said that in addition to viruses designed to find business documents such as spreadsheets and manufacturing templates, Websense has also seen attacks aimed at companies in specific vertical markets, most notably the aerospace industry. Unlike many of the attacks designed to dupe consumers into handing over their personal details, a high proportion of the enterprise info theft programs display a level of complexity that belies deep professionalism on the part of those writing the threats.
"A lot of the code we're seeing is very sophisticated; some use encryption to hide the stolen data as it is being sent out of the corporate network, others clearly target specific types of workers who have access to valuable data, such as product designers, and others are using unknown zero-day flaws in popular software programs to find a way in the door," said Hubbard.
Researchers at anti-virus specialist McAfee, in Santa Clara, Calif., said they recently observed a zero-day attack aimed at three specific users within one company. The level of granularity displayed in such an attack is something that may become the norm in the near future, said Dave Marcus, security research and communications manager for McAfee Avert Labs.
"There have been attacks aimed at businesses as long as there has been malware, but this was a precision surgical strike that was very professional and well-orchestrated," said Marcus. "It's hard to say if these types of attacks are growing in volume, but they are certainly growing in terms of sophistication.
Other security researchers said they have seen similar patterns emerging. While there is no indication that hackers are shifting their focus away from programs that target consumers, as the volume of those threats continues to grow, attacks that attempt to steal corporate passwords, such as the Infostealer.Ldpinch virus, first discovered in late 2003, are becoming a regular occurrence, versus being a flash in the pan, said Ron O'Brien, senior security analyst with anti-virus vendor Sophos, in Burlington, Mass.
In addition to password theft attempts, researchers are predicting that hackers are aiming their sites at enterprises' VOIP (voice over IP) systems to listen in on private conversations, and creating attacks that look for sensitive information passing through instant messaging applications, and even corporate data stored on more powerful mobile devices such as smart phones.
"We're still seeing these in fairly low volumes, but value of hacking your way into a corporate PC will ultimately be much higher to malware writers, as they can almost assuredly remove sensitive information that is worth something to the business, or an outsider," said O'Brien. "I believe we'll see a lot more of these attacks that try to get onto corporate networks and phone home valuable business data."
In addition to stealing information, there are several different types of ransomware attacks that are emerging against businesses that seek to access and obscure information that is of value. The programs, which most often operate as virtual extortion schemes, sometimes encrypt sensitive information and threaten to keep it locked down until the hacker involved gets a payoff.
Ransomware artists have also begun playing on fears of non-compliance with consumer information handling laws, threatening to expose companies to the types of laws proposed by Feinstein and other members of Congress by forcing them to report breaches to customers, and in the press.
"Extortion is age-old stuff, but it's becoming more dangerous in the sense that the ransomware is becoming far more complex," said Shane Coursen, senior tech consultant with Kaspersky, in Woburn, Mass. "In addition to being capable of finding more valuable data to corrupt, we're seeing more sophisticated encryption that hides the data, and attempts to collect the ransom payments that try to keep the attackers better protected from law enforcement."