Was this the e-mail that took down RSA?
A spear phishing e-mail that has surfaced in a security database looks like it may have been the one to hit RSA
IDG News Service - "I forward this file to you for review. Please open and view it."
As a ploy to get a hapless EMC recruiter to open up a booby trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman.
The e-mail was sent on March 3 and uploaded to VirusTotal a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever.
Researchers at F-Secure, the company that discovered the message Monday, believe that it was very likely the message that led to the RSA compromise. If true, the finding sheds light on the kind of trickery, called social engineering by security pros, it takes to break into a major security company.
F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files. VirusTotal lets computer users upload a suspicious file, say an Excel spreadsheet that might be infected, and have it scanned by over 40 of the world's top antivirus companies. In return for the free scan, the AV vendors get to examine the files, making the service a great way of learning about malicious software after the fact.
Hirvonen had been searching VirusTotal's database for the RSA attack file ever since RSA acknowledged that it had been compromised. The hackers had sent two different phishing e-mails to small groups of company employees over a two day period, but nobody outside of RSA and its parent company EMC knew the full contents of those messages. It wasn't even clear if they were included in VirusTotal's data.
RSA has released some details about the attack, but Hirvonen's find is a first look at just what it took to get an EMC employee to open that dangerous attachment.
"The e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file," wrote RSA Head of New Technologies Uri Rivner in the April 1 blog posting that laid out most of what RSA has said publicly about the e-mail. "It was a spreadsheet titled "2011 Recruitment plan.xls."
Hirvonen didn't know for sure he'd find the e-mail in VirusTotal, but he thought that there was a chance that someone at RSA had uploaded to see what it was. Searching for the 2011 Recruitment Plan spreadsheet yielded nothing, however.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts