
Twenty-Four Seven Security

Peter Schooff

Podcast with Cyberoam: The Monster.com Attack Marks a Frightening New Approach to Stealing Data


Listen to or download the 8:43 min. podcast below:

What follows is a transcript of my discussion with Joshua Block, Vice President of North American Operations for Cyberoam, where we discuss the attack on Monster.com -- what happened, how it happened, and how best to prevent it.

Tell me a little bit about Cyberoam and what you guys do?

Cyberoam is a manufacturer of an identity-based unified threat management appliance. It's the next generation of UTM appliances in the market that offers a comprehensive range of security applications like the traditional UTM but adds identity-based management to all of the feature sets, such that we're able to assist corporations in identifying threats that traditional technology cannot find.

That leads right to the next question. Tell me a little bit about this attack that was generated from Monster.com.

So, the attack on Monster.com is really something of a landmark in the market today. This is the use of multiple types of attacks to, not only compromise data from an organization but then to also use that data to exercise a phishing operation to garner additional information and potentially money from individuals from the compromised data.

Do you have an idea or does anyone have any idea where this attack originated from or who started it?

From everything that I've read so far, I haven't seen any results as to who started the attack but it certainly lends itself to kind of normal suspects: that being either a disgruntled employee that had left the organization with knowledge of how to get a Trojan on the website. It's potentially an outside individual working with an individual on the inside to post that information on the website or it's just a hacker that's out there who compromised the website as we have come to realize it's not the most challenging task in today's world to compromise any company's website.

To me this seems like a fairly sophisticated multi-staged attack. Is this what we're going to see pretty much in the future now?

Yeah, I do think we are going to see these types of attacks, and these are extremely sophisticated attacks. What makes these types of attacks so dangerous is that, not only was the information on Monster's website compromised, whereby the user now has extremely personal data about a number of individuals (obviously we're looking at a very large number of individuals' personal data being taken), but considering the source of where the data came from, you can imagine if you had gone to Monster.com and posted your personal resume, not only do you have information about yourself: name, address, phone number, you also have the university that you attended, you have all the former employers that you worked for. And so what makes this very dangerous to someone who is then going to turn around and use the information for phishing is that it's not just your typical phishing attack that today's type of heuristic technology can capture and alert the user to, because now this organization, this individual, has very, very personal data.

I can now execute a spear phishing campaign and an example of that would be: think of how very credible an email would be that's personalized to all of those individuals that was being sent by their alma mater requesting a $100 donation from them and utilizing a lot of that very personal information: dates attended, graduated, names, all of that can make this a very plausible email such that even the most educated user could be fooled into clicking on that link and making a donation.

Exactly what should a company do to protect against this? What should Monster have done, and what should a typical enterprise do?

Sure, so I can't necessarily say that there's anything that Monster could have done because I don't think enough companies are, you know, or were thinking about this kind of attack actually happening but now it's happened. So, I think the first step that companies need to take to prevent these types of attacks is to know, know that it's happened, acknowledge that these types of attacks will happen and education is the first step. They need to incorporate into their corporate culture the education to their employees that these types of attacks are now going to happen, to make people aware of them and question the type of email, very, very carefully before responding to any type of very targeted emails that are asking for personal information, whether coming from the corporation or coming from an outside party.

I think that that is absolutely a first step and, you know, in the comment that I just made, it alludes to where these attacks may even be going. You know, today, this is an attack on a public website that's very global in scope, the users that were compromised were from all over the world for that matter, people that came to Monster to register there for a job. Now, take an example to a very private organization where someone, and let's say it is now a disgruntled employee who works for a major corporation leaves and does the same thing. They put something on the website that requests information, for instance, they put something on the website that captures information and then utilizing the database of employees, they now send an email out, maybe on behalf of the Human Resource department that asks people to provide their Social Security number to confirm their benefits. Or some other type of activity and maybe it's not money at that point but it's something that leads ultimately, usually in the end to money.

I've got your Social Security number, now I know where you live, I know your name and address, I can now take that information and potentially now do a credit check, I can now look at all of your credit card information, now I know what credit cards you own, now I can do even further spear phishing exercises to get even more information, ultimately, which typically end with soliciting that particular user for money, I mean, at the end of the day, that's really where all this leads to. It really is discerning at this point to see that these types of attacks are now happening and what can companies do about it as you asked, Peter.

The technology that we have here at Cyberoam is being used in conjunction with technology that is available, as I mentioned, to heuristically look at emails that are identifying potential phishing. So, although our solution today cannot provide a solution for companies to prevent these types of attacks, we have been, for quite some time now, taking the heuristic technology that detects a phishing attack and using our expertise in identifying who the individuals are on our network and marrying those technologies together to provide ways to better discern when these types of attacks are taking place. So, to further explain, one of the ways in which a good hacker will make the attack go unknown is certainly to change the email from email to email, and the tools are available to change the subject and to also change the content, and for every message that goes out, it changes. But some of the things that we can do with identity married with heuristics can look for a trend: maybe they're using an IP address in the body of the message, which is a red flag to most of the heuristic detections that are looking for phishing attacks because they haven't used the fully qualified domain name in the email, and also understanding within the corporation, "Am I seeing an email like this being sent to multiple users within my domain?"

And, again, that's something that's not being done today that we believe can be accomplished with the culmination of technologies that exist and we feel that our platform, because we are a platform that is based on identity, we have the ability to roll out these types of new preventative measures to combat these types of attacks down the road.
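As an added example (not Cyberoam's product and not code from this interview), here is a defender-side sketch in Python of the two checks Joshua describes above: flagging URLs whose host is a bare IP address instead of a fully qualified domain name, and correlating such messages across multiple recipients in one domain even when subject and body differ per message. The sample messages, the corp.example domain and the fan-out threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample messages, not real traffic: (sender, recipient, subject, body).
# Subject and body vary per message, as the interview says an attacker would do;
# the IP-literal link target is what stays constant across the campaign.
SAMPLE_MESSAGES = [
    ("alumni@example-university.test", "alice@corp.example", "Class of 2001 reunion gift",
     "Dear Alice, please confirm your $100 donation at http://203.0.113.7/donate?id=1"),
    ("alumni@example-university.test", "bob@corp.example", "Support your alma mater",
     "Bob, as a 1998 graduate, give at http://203.0.113.7/give"),
    ("alumni@example-university.test", "carol@corp.example", "Annual fund drive",
     "Carol, donate here: http://203.0.113.7/fund"),
    ("newsletter@vendor.example", "alice@corp.example", "March newsletter",
     "Read more at https://www.vendor.example/news/march"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def ip_literal_urls(body):
    """Return the URLs in a message body whose host is a bare IP address, not a FQDN."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        try:
            ip_address(host)          # raises if host is a name rather than an address
        except (ValueError, TypeError):
            continue
        hits.append(url)
    return hits


def analyze(messages, domain, fanout_threshold=3):
    """Per-message red flags plus cross-recipient correlation inside one mail domain.

    Returns (per_message, campaigns): per_message lists the IP-literal URLs found in
    each message; campaigns maps each IP-literal host seen by at least
    fanout_threshold distinct recipients in `domain` to the sorted recipient list.
    """
    per_message = []
    recipients_by_host = defaultdict(set)
    for sender, rcpt, subject, body in messages:
        urls = ip_literal_urls(body)
        per_message.append({"recipient": rcpt, "subject": subject, "ip_urls": urls})
        if rcpt.endswith("@" + domain):
            for url in urls:
                recipients_by_host[urlparse(url).hostname].add(rcpt)
    campaigns = {host: sorted(r) for host, r in recipients_by_host.items()
                 if len(r) >= fanout_threshold}
    return per_message, campaigns
```

Run against SAMPLE_MESSAGES, the single vendor newsletter produces no flag, while the three alumni messages, despite differing subjects and bodies, are tied together by the shared 203.0.113.7 link host reaching three corp.example recipients.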


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
