When InfoSec Companies are Targeted
One of the perils of being an Information Security company is becoming a target of the individuals and groups that produce malware and engage in illegal online activity. Antivirus and antimalware vendors have been targets of this sort of activity for a long time: a high proportion of current malware actively prevents infected systems from connecting to antivirus, antimalware, operating system and major software vendor sites, in the hope of blocking the updates that would detect and remove it. Some malware variants go further and carry a payload that amounts to a distributed denial of service (DDoS) attack against specific targets, with each infected machine attempting to connect to particular company websites at set times.
Other attacks are more obvious. In the space of 24 hours recently, WhiteDust, InfoSec Sellout and Sûnnet Beskerming were all victims of attacks from unrelated parties. WhiteDust and InfoSec Sellout had their online presence compromised, with attackers replacing arbitrary content on the main Internet sites associated with each, while Sûnnet Beskerming was targeted with a 'Joe Job' spam run.
The attack against WhiteDust initially resulted in the replacement of news articles and other site content, suggesting that the attacker had either gained administrator access to the site or was using SQL injection to modify the backend database contents. In the time since the attack was first identified, the WhiteDust site has gone completely offline, leaving only the following message:
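As an added example (not code from the original article), here is a small detection check for the behaviour described above, assuming the common mechanism by which malware cuts a machine off from vendor sites: entries planted in the hosts file. The script parses a hosts file and flags any watched vendor domain that is mapped to a loopback or unroutable address (sinkholed) or to any other address (redirected). The vendor domains, the sinkhole list and the sample hosts file are all constructed for the example.

```python
"""Flag hosts-file entries that sinkhole or redirect security-vendor domains.

Added example: the vendor domains, sample hosts file and sinkhole address
list are constructed for illustration, not taken from any real product.
"""
import ipaddress

# Constructed watchlist: domains an infected machine should still be able to
# reach. A real deployment would load the actual vendor/update domains here.
PROTECTED_SUFFIXES = (
    "av-vendor.example",
    "malware-scanner.example",
    "os-updates.example",
)

# Addresses malware commonly maps vendor names to so that connections go nowhere.
SINKHOLE_NETS = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")
]

# Constructed sample hosts file with two sinkholed entries and one redirect.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
127.0.0.1    update.av-vendor.example      # planted by malware
0.0.0.0      www.malware-scanner.example
10.99.0.5    downloads.os-updates.example  # redirected to an attacker host
192.168.1.20 intranet.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a hosts entry we understand
        for name in fields[1:]:                 # one IP may carry several names
            yield ip, name.lower().rstrip("."), line_no


def is_protected(name):
    """True if name is, or is under, one of the watched vendor domains."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_hijacks(text):
    """Return a list of dicts describing every watched domain that is remapped."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if not is_protected(name):
            continue
        sinkholed = any(ip in net for net in SINKHOLE_NETS)
        hits.append({
            "line": line_no,
            "host": name,
            "ip": str(ip),
            # 'sinkholed' = blackholed locally; 'redirected' = sent to some other host
            "kind": "sinkholed" if sinkholed else "redirected",
        })
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

A redirect to a routable address is arguably worse than a sinkhole, since the machine may be fetching "updates" from an attacker-controlled host, so both kinds are reported rather than only the loopback mappings.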
14 August 2007 - 23:58 GMT
With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise. Why bother. This site is
now closed permanently. Its staff have abandoned the scene and the industry
for real world projects - for good, you won't be seeing us again. You "Won".
Good luck out there. You'll need it.
At this time it is not known whether this message comes from the attacker or from WhiteDust staff; there has been no response from WhiteDust.
The InfoSec Sellout site was in the process of being reinstated after an accidental deletion when unknown parties appeared to take control of the site and deleted the content that had just been restored. As with WhiteDust, the disruption did not stop there: the attacker took the opportunity to fill the site with spam content, which is still in place at the time of writing.
Sûnnet Beskerming, meanwhile, was the victim of a major 'Joe Job' spam run. A 'Joe Job' is a spam run in which the spammer forges the Return-Path (envelope sender) or From address of the spam to point at an innocent third party. Not only does this hide the true origin of the spam, it also means that the innocent victim receives the flood of bounces and rejection notices (backscatter) generated by every mail server that accepted a forged message and later failed to deliver it. At its peak, Sûnnet Beskerming was receiving 50-100 messages per minute from bounced replies alone.
It is worrying that, although the industry understands the concepts and limitations of a 'Joe Job', many systems still trust the falsified sender data and bounce to it, years after it was known how 'Joe Job' attacks work. Accepting a message and then generating a bounce to an unverified sender address is something email protection systems should refuse to do by default: reject undeliverable mail during the SMTP session, or verify that a bounce really corresponds to mail you sent before accepting it.
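The following is an added example, not the article's own code or any product's implementation, of the second option above: refusing backscatter at the inbound MTA by signing the envelope sender of outgoing mail. It is modelled on the BATV 'prvs' tagging scheme in simplified form. Outgoing mail leaves with a return path of the form prvs=DDDSSSSSS=user@domain (a day counter plus a truncated HMAC); a null-sender message arriving for an untagged, mis-signed or stale address cannot be a bounce of anything we sent, so it is rejected at RCPT TO time. The domain, the secret key, the dates and the sample SMTP envelopes are constructed for the example.

```python
"""Reject Joe Job backscatter at SMTP time with a signed, dated return path.

Added example modelled on the BATV 'prvs' scheme. Outgoing mail is sent with
an envelope sender such as prvs=DDDSSSSSS=user@example.com. A bounce (null
MAIL FROM) that comes back to an untagged, mis-signed or stale address was
never sent by us, so it is the echo of a spammer's forgery and can be
refused before it reaches a mailbox. Domain, key and dates are constructed.
"""
import hashlib
import hmac
import re
from datetime import date

OUR_DOMAIN = "example.com"                              # hypothetical protected domain
SECRET_KEY = b"shared-by-inbound-and-outbound-mtas"     # hypothetical key
MAX_BOUNCE_AGE_DAYS = 7                                 # bounces older than this are stale

# prvs=<3-digit day code><6 hex chars of HMAC>=<original local part>@<domain>
TAG_RE = re.compile(
    r"^prvs=(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>[^=@]+)@(?P<domain>[^@]+)$",
    re.IGNORECASE,
)

# Constructed timeline used by the demo and checks below.
SENT_ON = date(2007, 8, 14)
TODAY = date(2007, 8, 16)
MUCH_LATER = date(2007, 9, 16)


def day_code(d):
    """Three-digit day counter that wraps every 1000 days, like BATV's DDD field."""
    return d.toordinal() % 1000


def signature(local, domain, day):
    """Truncated HMAC binding the address to the day it was used."""
    msg = f"{day:03d}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address, today):
    """Rewrite the envelope sender (MAIL FROM) of an outgoing message."""
    local, domain = address.rsplit("@", 1)
    day = day_code(today)
    return f"prvs={day:03d}{signature(local, domain, day)}={local}@{domain}"


def check_bounce_recipient(rcpt, today):
    """Decide whether a null-sender message addressed to rcpt is a genuine bounce.

    Returns (accept, reason)."""
    m = TAG_RE.match(rcpt)
    if m is None:
        if rcpt.lower().endswith("@" + OUR_DOMAIN):
            return False, "untagged return path: we never send mail with one"
        return True, "recipient outside the protected domain; not our decision"
    local, domain = m["local"], m["domain"]
    day, sig = int(m["day"]), m["sig"].lower()
    if not hmac.compare_digest(sig, signature(local, domain, day)):
        return False, "tag signature mismatch: forged or foreign tag"
    age = (day_code(today) - day) % 1000
    if age > MAX_BOUNCE_AGE_DAYS:
        return False, f"tag is {age} days old: stale or replayed"
    return True, f"genuine bounce for {local}@{domain}"


def smtp_rcpt_decision(mail_from, rcpt_to, today):
    """Policy hook for the RCPT TO stage: only null-sender (bounce) mail is checked."""
    if mail_from != "":
        return True, "not a bounce; ordinary anti-spam checks apply"
    return check_bounce_recipient(rcpt_to, today)


def run_demo(verbose=True):
    """Feed constructed SMTP envelopes through the policy; returns the accept flags."""
    tagged = tag_sender("info@example.com", SENT_ON)
    # Same tag with its signature field overwritten, as a forger would have to guess it.
    bad_sig = "000000" if tagged[8:14] != "000000" else "111111"
    forged = tagged[:8] + bad_sig + tagged[14:]
    envelopes = [
        ("", tagged, "real bounce of mail we sent two days ago"),
        ("", "info@example.com", "Joe Job backscatter to the bare address"),
        ("", forged, "bounce to a tag with a bad signature"),
        ("someone@elsewhere.net", "info@example.com", "ordinary inbound mail"),
    ]
    flags = []
    for mail_from, rcpt, label in envelopes:
        ok, why = smtp_rcpt_decision(mail_from, rcpt, TODAY)
        flags.append(ok)
        if verbose:
            print(f"{'ACCEPT' if ok else 'REJECT'}  <{mail_from}> -> <{rcpt}>  [{label}]: {why}")
    return flags


if __name__ == "__main__":
    run_demo()
```

The check is deliberately confined to null-sender mail, so ordinary correspondence is untouched; the cost is that every bounce for mail sent before tagging was switched on, or older than the age window, is refused as well, which is why the window and key rotation need to be chosen together.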
16 August 2007