Hackers Turn to Corporate Data

Security experts expect advanced malware to increase attacks against businesses.

Among the list of bills introduced with the opening of the U.S. Congress Jan. 5 were two filed by Sen. Dianne Feinstein, D-Calif., aimed at forcing companies to better protect consumer information and publicly report any potential mishandlings.

However, according to a range of IT security researchers, businesses should be just as fearful of having their own valuable data stolen by hackers as they are of losing customer records, as malware writers apparently are ramping efforts to create attacks targeting corporate information.

While researchers have identified myriad viruses aimed at stealing consumer information, there are fewer examples that illustrate this growing focus on stealing business data. Still, experts say there is plenty of evidence that the trend is gaining momentum.

"Theres no doubt that this type of activity is becoming more popular," said Dan Hubbard, vice president of security research at malware filtering specialists Websense, in San Diego. "Weve seen a lot more samples and kits, and real code, that is clearly designed to do things like grab files from local systems, to look for specific types of files used in business operations, and the valuable information in those files."

In addition to viruses designed to find business documents such as spreadsheets and manufacturing templates, Websense has also seen attacks aimed at companies in specific vertical markets, most notably the aerospace industry, Hubbard said. Unlike many of the attacks designed to dupe consumers into handing over their personal details, many of the enterprise data-theft programs display a level of complexity that shows a deep professionalism on the part of those writing the threats.

"A lot of the code were seeing is very sophisticated," Hubbard said. "Some use encryption to hide the stolen data as it is being sent out of the corporate network, others clearly target specific types of workers who have access to valuable data, such as product designers, and others are using unknown zero-day flaws in popular software programs to find a way in the door."

Researchers at anti-virus specialist McAfee, in Santa Clara, Calif., said they recently observed a zero-day attack aimed at three specific users within one company. The level of granularity displayed in such an attack may become the norm in the near future, said Dave Marcus, security research and communications manager for McAfee Avert Labs.

"There have been attacks aimed at businesses as long as there has been malware, but this was a precision surgical strike that was very professional and well-orchestrated," said Marcus. "Its hard to say if these types of attacks are growing in volume, but they are certainly growing in terms of sophistication."

Other security researchers said they have seen similar patterns. While hackers arent shifting their focus away from programs that target consumers—the volume of those threats continues to grow—attacks that try to steal corporate passwords, such as the Infostealer.Ldpinch virus, discovered in late 2003, are becoming a regular occurrence, said Ron OBrien, senior security analyst with anti-virus vendor Sophos, in Burlington, Mass.

In addition to password theft attempts, researchers are finding that hackers are aiming their sites at enterprises VOIP (voice over IP) systems to eavesdrop on private conversations, and creating attacks that look for sensitive information passing through instant messaging applications and even corporate data stored on more powerful mobile devices such as smart phones.

"Were still seeing these in fairly low volumes, but the value of hacking your way into a corporate PC will ultimately be much higher to malware writers, as they can almost assuredly remove sensitive information that is worth something to the business or an outsider," said OBrien. "I believe well see a lot more of these attacks that try to get onto corporate networks and phone home valuable business data."

Along with stealing information, there are several different types of emerging ransomware attacks against businesses that seek to access and obscure valuable information. The programs, which most often operate as virtual extortion schemes, sometimes encrypt sensitive information and threaten to keep it locked down until the hacker involved is paid off.

Ransomware artists have also begun playing on fears of noncompliance with consumer information handling laws, threatening to expose companies to the types of laws proposed by Feinstein and other U.S. lawmakers by forcing them to report breaches to customers and the press.

"Extortion is age-old stuff, but its becoming more dangerous in the sense that the ransomware is becoming far more complex," said Shane Coursen, senior tech consultant with Kaspersky Lab, in Woburn, Mass.