In our line of work it’s quite common to be called in to investigate one piece of malware and end up finding another. In this scenario, our forensic investigator was called in to investigate a piece of malware framed for stealing customer credit card data. While sifting through data, he found the real culprit: a memory-scraper chameleon, capable of morphing into different versions to avoid anti-virus detection.
Speaker notes (About SecurityMetrics slide)
• HQ in Orem, Utah
• Assisted over 1 million businesses
• We are 1 of 2 companies certified to provide all PCI DSS services
• Data security and compliance solutions

Slide 1
Forensic Files Series
The Case of the Mistaken Malware

Slide 2
“I’ve found the best way to inspire better security practices is to show examples of true security blunders. Hopefully the security failures I’ve seen while investigating compromised businesses will help you realize some actions you should take to ensure your own business’ security.”
David Ellis, Director of Forensic Investigations (GCIH, QSA, PFI, CISSP)

Slide 3
Business Background
• Small retailer operates one main store, multiple satellite stores, and two corporate offices
• All sites connected to the same card processing environment
• During a routine anti-virus log review, an in-house IT staff member finds the Sirefef rootkit* at a satellite store
*A rootkit is a type of malicious software activated each time a system boots up. Rootkits are difficult to detect because they reside at the system’s kernel level and are activated before the operating system has completely booted.

Slide 4
How Hackers Got In
• Compromised the credentials for the remote access application, LogMeIn
• Installed Sirefef, a sophisticated rootkit that can spread spam or capture sensitive information such as passwords or credit card data
• After customers confront the retailer about credit card fraud, the retailer hires a forensic investigator

Slide 5
Forensic Investigator Findings
• Investigator finds the Sirefef rootkit did not actually steal customer credit cards
• Further investigation revealed a memory scraper* called Alina in RAM (installed by the same hacker), designed specifically to capture payment information from POS terminals
*A memory scraper is designed to capture, or ‘scrape’, sensitive information from system memory (RAM) and return it to the attacker. The Alina memory scraper can morph into newer versions to avoid detection, or automatically reinstall in different locations if deleted.

Slide 6
What the Business Did Wrong
• Retailer didn’t employ two-factor authentication* to secure remote access into their main store, satellites, and corporate offices
• Although they regularly reviewed anti-virus logs, IT staff did not regularly update the anti-virus program and system security patches
• The credit card processing environment was not segmented away from routine Internet traffic
*Two-factor authentication is an extra layer of security that requires not only a username and password but also something that only that user has on hand, such as a physical token, or a piece of information only they should know.

Slide 7
About SecurityMetrics
We Protect Business
Services: PCI, HIPAA, and data security solutions for businesses of all sizes
Qualifications: Global provider of ASV, QSA, PFI, PA-QSA, and P2PE services
Experience: Assisted over 1 million organizations with compliance needs
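The memory-scraper finding on slide 5, as an added forensic check that is not part of this deck or of any SecurityMetrics tool: scan a captured RAM image for Luhn-valid track-2 records (the structure a scraper such as Alina harvests from POS memory) and report masked PANs with their offsets, so an investigator can confirm whether card data was resident in memory without copying full PANs into the report. The image bytes below are constructed for the example.

```python
import re
from typing import List, NamedTuple

# Track-2-style record: PAN (13-19 digits), '=', expiry YYMM, 3-digit service
# code, optional discretionary data. The lookbehind stops matches starting
# mid-way through a longer digit run.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})\d{3}\d{0,20}")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Hit(NamedTuple):
    offset: int        # byte offset in the image, for pivoting to the owning process
    masked_pan: str    # first 6 and last 4 digits only (PCI-style masking)
    expiry: str        # MM/YY


def scan_memory_image(data: bytes) -> List[Hit]:
    """Return masked hits for every Luhn-valid track-2 record in a RAM image."""
    hits = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        expiry = f"{m.group(3).decode()}/{m.group(2).decode()}"
        hits.append(Hit(m.start(), masked, expiry))
    return hits


# Constructed sample image: two valid test PANs, one digit run that fails Luhn.
SAMPLE_IMAGE = (
    b"\x00\x10pos.exe\x00" + b"4111111111111111=25121010000000000000?" + b"\x00" * 8
    + b"4111111111111112=2512101000000000" + b"\xff" * 4
    + b";378282246310005=26041011234567890?" + b"\x00" * 4
)

if __name__ == "__main__":
    for hit in scan_memory_image(SAMPLE_IMAGE):
        print(f"offset 0x{hit.offset:x}: PAN {hit.masked_pan} exp {hit.expiry}")
```

A hit count greater than zero on a POS image is the point at which the investigation above would move from "rootkit found" to "card data exposed in RAM" and trigger the PCI breach-notification path.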