Monday, September 03, 2007

Internet security, latest news

For years I have had an account on Monster, which I once used to open conversations with a company in Texas, and which has always been useful for following the state of the IT job market in the United States, Canada and, to a lesser extent, Spain. As a user, in recent days I received a notice from the company acknowledging that they had been the target of an attack that obtained employers' data, with uncertainty about the attack's real scope. I already knew about it, since Symantec had also raised the alarm. The most notable point of the notice is its admission that it cannot determine how far the intrusion into its data reached. This is what Monster said:
Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database.
As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notifying those job seekers that their contact records had been downloaded illegally, and shutting down a rogue server that was hosting these records.
The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue. Monster believes illegally downloaded contact information may be used to lure job seekers into opening a "phishing" email that attempts to acquire financial information or lure job seekers into fraudulent financial transactions. This has been the case in similar attacks on other websites.
As part of its effort to salvage what it can from the disaster of this intrusion, Monster offers in the same notice some guidance on the typical fraud scenarios that could be run using the information the attackers obtained (that is, what is coming next):
What Symantec says about the attack:
Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.
Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.
Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.
The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.
This remote server held over 1.6 million entries with personal information belonging to several hundred thousand candidates, mainly based in the US, who had posted their resumes to the Monster.com Web site.
Such a large database of highly personal information is a spammer’s dream. In fact, we found the Trojan can be instructed to send spam email using a mail template downloadable from the command & control server.
The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by Trojan.Gpcoder.E, and both also have a similar icon for the executable file that reproduces the Monster.com company logo—hardly a coincidence.
Furthermore, Trojan.Gpcoder.E has reportedly been spammed in Monster.com phishing emails. These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E. This Trojan encrypts files on the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files. The code for Gpcoder is rather similar to that of Monstres, which may indicate the same hacker group is behind both Trojans.
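Symantec's description points at the two signals a defender of a portal like this could have watched for: a recruiter account pulling candidate profiles far faster than a person reads them, and the same account in use from more than one source address at the same time (the legitimate owner plus whoever holds the stolen credentials). The following detection is an added example written for this post; it is not Symantec's or Monster's code. The access-log format, the URL paths (`/recruiter/candidate/<id>`, `/recruiter/managed_folders`), the account names, the IP addresses and the thresholds are all constructed for illustration and are not Monster's real systems.

```python
"""Rate-based detection of credential-abuse scraping on a recruiter portal.

Added example modelled on Symantec's description of Infostealer.Monstres:
the Trojan logs in with stolen recruiter credentials, walks the recruiter's
saved searches and pulls candidate profiles one after another. Log format,
URL paths, account names, IPs and thresholds are constructed for
illustration; they are assumptions, not Monster's real systems.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROFILE_PREFIX = "/recruiter/candidate/"   # assumed profile-view path
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log():
    """Constructed access log: rec_alice browses like a human; rec_bob's
    credentials are reused from a second IP to pull 40 profiles in under
    two minutes while the owner is also logged in."""
    t0 = datetime(2007, 8, 17, 9, 0, 0)
    lines = []
    # rec_alice: four candidates reviewed over ten minutes from one address
    for i, minute in enumerate((0, 3, 6, 10)):
        ts = (t0 + timedelta(minutes=minute)).strftime(TS_FMT)
        lines.append(f"{ts} rec_alice 198.51.100.7 GET {PROFILE_PREFIX}{1000 + i} 200")
    # rec_bob: the account owner opens the Managed Folders page normally...
    lines.append(f"{t0.strftime(TS_FMT)} rec_bob 203.0.113.5 GET /recruiter/managed_folders 200")
    # ...while the same account scrapes profiles from another address, 3 s apart
    for i in range(40):
        ts = (t0 + timedelta(minutes=2, seconds=3 * i)).strftime(TS_FMT)
        lines.append(f"{ts} rec_bob 192.0.2.10 GET {PROFILE_PREFIX}{2000 + i} 200")
    return lines


def parse_line(line):
    """Split one constructed log line: timestamp user ip method path status."""
    ts, user, ip, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "user": user, "ip": ip,
            "method": method, "path": path, "status": int(status)}


def detect_scrapers(lines, window=timedelta(minutes=5), max_profiles=20):
    """Return {user: finding} for accounts that, within any sliding `window`,
    (a) fetch more than `max_profiles` candidate profiles, or
    (b) are used from more than one source IP.
    Either signal alone is enough to flag the account."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)          # user -> events inside the window
    findings = {}
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()                  # drop events older than the window
        profiles = sum(1 for e in q if e["path"].startswith(PROFILE_PREFIX))
        ips = {e["ip"] for e in q}
        if profiles > max_profiles or len(ips) > 1:
            f = findings.setdefault(ev["user"], {
                "first_flagged": ev["ts"], "max_profiles_in_window": 0, "ips": set()})
            f["max_profiles_in_window"] = max(f["max_profiles_in_window"], profiles)
            f["ips"].update(ips)
    return findings


if __name__ == "__main__":
    for user, f in detect_scrapers(make_sample_log()).items():
        print(f"{user}: first flagged {f['first_flagged'].isoformat()}, "
              f"up to {f['max_profiles_in_window']} profile fetches per window, "
              f"IPs {sorted(f['ips'])}")
```

On the constructed data, rec_alice is never flagged, while rec_bob is flagged at the first scraping request (two source addresses inside one window) and the profile-fetch count keeps climbing to 40 against a threshold of 20. Thresholds like these belong in a config, tuned against the real rate at which recruiters actually open profiles, and the multi-IP signal needs an allowance for recruiters who switch networks during the day; the point is that a scraper driven by saved searches produces a cadence no human shows.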
As long as this information is not kept in a closed environment, and everything suggests that this is unlikely to change, the exposure to fraud risk for any company, organization or individual is high. The usual rules of IT auditing have changed forever. I think it can be said that, before asserting that our environment is secure, we should first assume that we have simply not yet been of interest to an attacker, or that we have not yet found out how far an attack has already reached. Anyone who does not take this problem seriously is profoundly mistaken.
