The Case of the Mistaken Malware



  1. © 2016 SecurityMetrics. The Case of the Mistaken Malware. Forensic Files Series.
  2. BUSINESS BACKGROUND: A small retailer operates one main store, multiple satellite stores, and two corporate offices. All sites are connected to the same card processing environment.
  3. BUSINESS BACKGROUND: During a routine anti-virus log review, an in-house IT staff member finds the Sirefef rootkit at a satellite store.
  4. WHAT IS A ROOTKIT? A rootkit is malicious software that hides its own presence, and often that of other malware, by subverting the operating system. It persists across reboots; a kernel-mode rootkit loads during startup, before the operating system and its security tools are fully running, which is why it is hard to detect from within the infected system.
  5. HOW HACKERS GOT IN: The attacker compromised the credentials for the remote access application, LogMeIn, then installed Sirefef, a sophisticated rootkit that can send spam or capture sensitive information such as passwords or credit card data.
  6. FORENSIC INVESTIGATOR FINDINGS: The investigator found that the Sirefef rootkit did not actually steal customer credit cards. Further investigation revealed a memory scraper called Alina (installed by the same attacker), designed specifically to capture payment information from POS terminals.
  7. WHAT IS A MEMORY SCRAPER? A memory scraper is designed to capture, or "scrape", sensitive information from system memory (RAM) and return it to the attacker. Card data that is encrypted on disk and on the wire is still processed in clear text in the POS application's memory, which is what the scraper reads. The Alina memory scraper can update itself to newer versions to avoid detection, or automatically reinstall in a different location if deleted.
  8. WHAT THE BUSINESS DID WRONG: The retailer did not employ two-factor authentication to secure remote access into its main store, satellite stores, and corporate offices.
  9. WHAT IS TWO-FACTOR AUTHENTICATION? Two-factor authentication is an extra layer of security that requires not only a username and password (something the user knows) but also a second factor of a different kind: something the user has (e.g., a hardware token or an authenticator app on a phone) or something the user is (e.g., a fingerprint). A stolen password alone is then not enough to log in.
  10. WHAT THE BUSINESS DID WRONG: Although IT staff regularly reviewed anti-virus logs, they did not regularly update the anti-virus program or apply system security patches.
  11. WHAT THE BUSINESS DID WRONG: In addition, the credit card processing environment was not segmented away from routine Internet traffic, so a foothold gained through remote access on an office or satellite system could reach the POS terminals. (Slide diagram, labels only: Internet, Firewall, Wireless Device, Network Switch, Terminal, Office Computer, Printer, Mobile Hotspot.)
  12. Wenlock Free, VP Business Development
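The technique behind slide 7 is simple pattern matching: a POS memory scraper walks process memory looking for magnetic-stripe track data and keeps only hits that pass the Luhn card-number checksum. The following added example (written for this page; it is not SecurityMetrics' code and not Alina's) runs that same scan over a constructed memory snapshot. A defender can point the same logic at a memory dump of the POS process to confirm whether clear-text card data is exposed. The buffer, card numbers and process name below are constructed test values (the PANs are standard test numbers, not real cards).

```python
import re

# Track 2 layout as read from a magnetic stripe: optional ';' start sentinel,
# 13-19 digit PAN, '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb';?(\d{13,19})=(\d{4})(\d{3})(\d*)\??')


def luhn_ok(pan: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes):
    """Return (offset, PAN, expiry YYMM) for each Luhn-valid Track 2 record in buf.

    This is the scraper's core loop; run over a process memory dump it is also
    a quick exposure check for defenders.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(), pan, m.group(2).decode()))
    return hits


def mask(pan: str) -> str:
    """PCI-style masking: first six and last four digits only."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def report(buf: bytes):
    """Masked summary of exposed card data, safe to put in an incident note."""
    return [f"offset {off}: {mask(pan)} exp {exp}" for off, pan, exp in scan_memory(buf)]


# Constructed memory snapshot of a POS process. The first and third records use
# standard test PANs; the second is one digit off and fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE\x00transaction ok\x00"
    b";4111111111111111=25121010000000000?\x00"   # Luhn-valid test PAN
    b";4111111111111112=25121010000000000?\x00"   # looks like a PAN, Luhn fails
    b"log 2016-03-01 terminal 4\x00"
    b";5500000000000004=24061010000?\x00"         # second Luhn-valid test PAN
    b"\xff\xff"
)

if __name__ == "__main__":
    for line in report(SAMPLE_MEMORY):
        print(line)
```

Real scrapers add a filter on which processes to read (the POS application only) and exfiltrate the raw, unmasked track data; the masking here exists so that a defender's own scan does not recreate the exposure in a log file.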
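Slides 8 and 9 say the remote-access login should have required a second factor. The added example below (written for this page; it is not the page's, LogMeIn's or any vendor's code) shows the most common "something you have" factor, a time-based one-time password (TOTP, RFC 6238), wired into a login check: the six-digit code is derived from a secret that lives only on the user's device plus the current time, so the password the attacker stole is rejected on its own. The user record, salt, password and timestamps are constructed; the TOTP secret is the RFC 6238 test-vector secret, not a real enrolment.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`: HOTP over the time counter."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift.

    compare_digest keeps the comparison constant-time so a network attacker cannot
    learn matching digits from response timing.
    """
    return any(
        hmac.compare_digest(totp(secret, at + k * STEP), code)
        for k in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the stored password, the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record. The TOTP secret would be provisioned to the user's
# phone or token at enrolment and never leaves the server and that device.
SALT = b"example-salt"
USERS = {
    "storeadmin": {
        "pw_hash": hash_password("Winter2016!", SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test vector secret
    }
}


def login(username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass; a stolen password without the device is rejected."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    return pw_ok and verify_totp(user["totp_secret"], code, at)


if __name__ == "__main__":
    now = 1234567890
    device_code = totp(USERS["storeadmin"]["totp_secret"], now)
    print("user with phone   :", login("storeadmin", "Winter2016!", device_code, now))
    print("attacker, pw only :", login("storeadmin", "Winter2016!", "", now))
    print("attacker, old code:", login("storeadmin", "Winter2016!", "287082", now))
```

The window of one step means a code stays valid for at most 90 seconds, which bounds how long a phished or shoulder-surfed code is useful; a production service would additionally refuse to accept the same code twice.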