
Just about every week, a large company finds itself in the embarrassing position of admitting that it has been hit by a targeted attack, and that databases – perhaps containing customers’ personally identifiable information – have been breached.
It’s a crisis – not just for the innocent users who have had their details exposed, but also for the corporation’s PR department which goes into overdrive in an attempt to manage the fall-out.
Often you’ll see a statement from the chief executive, wringing their hands, and desperately explaining in a serious tone that the company has been the victim of a “highly sophisticated” targeted attack.
It’s always a highly sophisticated attack. No corporation likes to admit that it has been stung by a bog-standard technique used by online criminals hundreds of times in the past. After all, that would suggest that they were caught napping.
Sometimes the targeted company will go further, offering the explanation that the attack was an APT, or Advanced Persistent Threat.
What does APT really mean though? Here’s the cynical answer:
- Advanced: “smarter than us”
- Persistent: “successful”
- Threat: “risk we accepted”
This meme of highly sophisticated hacking attacks came to my mind again today, when I read about the latest cybercriminal operation dubbed “Operation Arid Viper”.
According to security researchers, high-profile targets in Israel were allegedly attacked by hackers seeking possible revenge for airstrikes on Gaza last year.
Israeli government offices, infrastructure providers, military organizations and the like were allegedly targeted by the Operation Arid Viper hackers who managed to plant malware on computers and steal information and spy on activity.
And how did the malware manage to infect what should have been well-defended computers?
Well, according to the research, the hackers used the simplest trick in the book. They sent simple emails with a compressed .RAR file attachment.
The emails contained a Windows .SCR screensaver file, which in turn dropped a short pornographic video onto the hard drive in the form of a .FLV or .MPG file. This, of course, was all a smokescreen for the real purpose of the email – to drop malware onto the PC and communicate with remote hackers.
The computer was now under the control of a third party.
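
A mail-gateway check for the delivery method described above, as an added example that is not from the original article or the research it cites: it reads member names out of a RAR 4.x attachment without extracting anything, and fails closed on archives it cannot inspect. The extension blocklist, the verdict names and the constructed sample message are assumptions; RAR5 and encrypted-header archives are quarantined rather than parsed.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

RAR4, RAR5 = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"
RISKY = (".scr", ".exe", ".pif", ".com")  # assumed blocklist, extend per policy
def risky(name):
    return name.lower().rstrip(". ").endswith(RISKY)

def rar4_members(data):
    """Member names from unencrypted RAR 4.x headers; nothing is extracted."""
    names, pos = [], len(RAR4)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or (htype == 0x73 and flags & 0x80):
            raise ValueError("corrupt or encrypted headers")
        extra = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        if htype == 0x74:  # file header: name length at +26, name at +32
            nlen = struct.unpack_from("<H", data, pos + 26)[0]
            start = pos + 32 + (8 if flags & 0x100 else 0)  # skip 64-bit sizes
            names.append(data[start:start + nlen].split(b"\0")[0].decode("utf-8", "replace"))
        pos += hsize + extra  # header plus packed data that follows it
    return names

def triage(raw_email):
    """Map each attachment filename to 'allow', 'block' or 'quarantine'."""
    verdicts = {}
    for part in message_from_bytes(raw_email, policy=policy.default).iter_attachments():
        name, body = part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b""
        if risky(name) or body.startswith(b"MZ"):  # executable sent directly
            verdicts[name] = "block"
        elif body.startswith(RAR4):
            try:
                verdicts[name] = "block" if any(map(risky, rar4_members(body))) else "allow"
            except (struct.error, ValueError):
                verdicts[name] = "quarantine"  # cannot inspect: fail closed
        else:
            verdicts[name] = "quarantine" if body.startswith(RAR5) else "allow"
    return verdicts

def sample_email(member=b"clip.scr", payload=b"constructed"):
    """Constructed test message; RAR4 layout with zeroed CRCs, not a usable archive."""
    main = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, 0x8000, 32 + len(member), len(payload),
                       len(payload), 2, 0, 0, 20, 0x30, len(member), 0x20)
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(RAR4 + main + fhdr + member + payload, maintype="application",
                       subtype="octet-stream", filename="video.rar")
    return msg.as_bytes()
```
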
This wasn’t really a technological failing, it was a human one.
If an unsolicited email offers the promise of a pornographic movie, there are people who are going to click on it. Yes, even at Israeli government research facilities.
This isn’t a new technique. It’s as old as the hills. Welcome to 1998.
Targeted attacks target the dummies in your organisation. Make sure that you and your colleagues aren’t some of them.


