Thursday, July 1, 2010

Symantec: Multi-Step Targeted Attack

Via MessageLabs Intelligence Blog -

This sophisticated attack was recently intercepted by MessageLabs Intelligence. One particularly interesting feature was the degree of preparation undertaken by the attacker, and the fact that it involved two separate defense contractors.

The first step in the attack was for the attacker to gain unauthorised access to the web site of Defense Contractor A and to create a fake 'press release' directory. Into this newly created directory, the attacker uploaded a landing page, a page of obfuscated JavaScript containing an exploit, and a malicious binary.

The second step was for the attacker to research Defense Contractor B and identify email addresses within that organisation. To these addresses the attacker sent a series of emails purporting to be from a webmail address reporting the arrest of Defense Contractor B's CEO for violating US export regulations. These emails contained a link to the malicious landing page within that fake press release directory hosted on Contractor A's genuine website.
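The defensive lesson in this chain is that domain reputation alone does not catch the lure: the link points at a genuine partner website, so only the combination of a consumer-webmail sender, a pretext aimed at the recipient's own company, and a never-before-seen path on that trusted host gives it away. The following mail-gateway triage sketch is an added example written for this post, not code from Symantec or MessageLabs; every address, domain, path and reference list in it is constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure, modelled on the e-mail described in the post.
# Every address, domain and path here is made up for this example.
LURE_EMAIL = """\
From: "Concerned Colleague" <concerned.colleague@webmail-example.com>
To: jane.doe@contractor-b.example
Subject: CEO arrested for export violations
Content-Type: text/plain

Did you see this? Our CEO was arrested today for violating US export rules.
Full press release here:
http://www.contractor-a.example/press-releases/2010/ceo-arrest.html
"""

# Constructed benign message from the partner's own domain, for contrast.
BENIGN_EMAIL = """\
From: press@contractor-a.example
To: jane.doe@contractor-b.example
Subject: Q2 results published
Content-Type: text/plain

Our Q2 results are now online:
http://www.contractor-a.example/news/2010/q2-results.html
"""

# Constructed reference data a mail gateway would maintain.
WEBMAIL_DOMAINS = {"webmail-example.com"}      # consumer webmail providers
PARTNER_HOSTS = {"www.contractor-a.example"}   # trusted partner web hosts
KNOWN_PARTNER_PATHS = {                        # path prefixes seen before on each host
    "www.contractor-a.example": ("/news/", "/about/"),
}
LURE_TERMS = ("arrest", "ceo", "export")       # pretext vocabulary of this lure

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Crude registrable-domain guess (last two labels); enough for the example."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw_email):
    """Return the indicators found in one message and a simple count-based score."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urls = URL_RE.findall(body)
    indicators = []

    # Indicator 1: a free webmail sender addressing a corporate recipient.
    if sender_domain in WEBMAIL_DOMAINS:
        indicators.append("webmail_sender")
    # Indicator 2: the pretext vocabulary (two or more terms) in subject or body.
    if sum(term in text for term in LURE_TERMS) >= 2:
        indicators.append("lure_vocabulary")

    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in PARTNER_HOSTS:
            continue
        # Indicator 3: a trusted host, but a path nobody has seen on it before.
        if not parsed.path.startswith(KNOWN_PARTNER_PATHS.get(host, ())):
            indicators.append("novel_path_on_trusted_host:" + host + parsed.path)
        # Indicator 4: a partner link that the partner itself did not send.
        if registered_domain(host) != registered_domain(sender_domain):
            indicators.append("partner_link_not_sent_by_partner:" + host)

    return {"sender_domain": sender_domain, "urls": urls,
            "indicators": indicators, "score": len(indicators)}


def verdict(result, threshold=3):
    """Hold a message for analyst review once enough indicators stack up."""
    return "hold_for_review" if result["score"] >= threshold else "deliver"


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage(sample)
        print(label, verdict(result), result["indicators"])
```

None of the four indicators is conclusive on its own (partners do publish new pages, and staff do forward news from personal accounts), which is why the verdict requires several to coincide; the path-novelty check is the one that specifically addresses the trick of hosting the lure on a compromised but reputable site.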

