Saturday, August 27, 2011

Researchers Uncover RSA Phishing Attack, Hiding In Plain Sight

Ever since security giant RSA was hacked last March, anti-virus researchers have been trying to get a copy of the malware used for the attack to study its method of infection. But RSA wasn’t cooperating, nor were the third-party forensic experts the company hired to investigate the breach.

This week Finnish security company F-Secure discovered that the file had been under their noses all along. Someone — the company assumes it was an employee of RSA or its parent firm, EMC — had uploaded the malware to an online virus scanning site back on March 19, a little over two weeks after RSA is believed to have been breached on March 3. The online scanner, VirusTotal, shares malware samples it receives with security vendors and malware researchers.

RSA had already revealed that it had been breached after attackers sent two different targeted phishing e-mails to four workers at its parent company EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls”.