Question

An advisory practice was the target of an attack, whereby the malware allowed the fraudster to gain access to an adviser’s login details for all systems he had used recently. The fraudster now had access to every website or account that required a login. This included personal banking, platform desktop software, Xplan software and Facebook. The next time the adviser tried to log in to his platform desktop software, he was locked out. He rang our account executive team to report his access was locked. He couldn’t log in, even though he was using his correct user name and password. The platform reset his password. The next day when the adviser tried again to log in, he was locked out of the system again. It became obvious that the adviser’s user ID had been compromised. At this point, the user ID was deleted.

1. Identify the malware attack experienced in the above scenario

2. What recommendations would you provide for preventing this type of attack? The recommendations should be discussed individually for the scenario and should not be a general list of recommendations.

Solutions

Expert Solution

Answer to Question (a):

The type of attack that happened here is actually a password attack, which steals user names and passwords to gain unauthorized entry into systems. This might have been caused in several ways, such as:

a. Dictionary attack (applicable if the user used a weak, common password) that takes advantage of the fact that people tend to use common words and short passwords. Attackers use a list of common words, the dictionary, and try them against the username and password.

b. Brute Force Attack (applicable if the user used a weak, short password) where the attackers use a computer program to log in to a user’s account with all possible password combinations, starting with the easiest-to-guess passwords.

c. Traffic interception (applicable in the absence of strong and secure malware removal tools) where the attackers use software such as packet sniffers to monitor network traffic and capture passwords as they’re passed.

d. Man in the Middle (applicable in the absence of strong network security and encryption mechanisms) where the attacker’s program does not just monitor information being passed but actively inserts itself in the middle of the interaction, usually by impersonating a website or app. This allows the program to capture the user’s credentials and other sensitive information.

e. Key logger attack (applicable in the absence of strong and secure malware removal tools) allows attackers to install spyware or trojans that track the user’s keystrokes and other activities, enabling the criminal to gather not only the username and password for an account but exactly which website or app the user was logging into with the credentials.

f. Social engineering attacks (applicable in the absence of strong and secure malware removal tools and lack of awareness or ignorance of employee) use a broad range of tactics like phishing, spear phishing, baiting, quid pro quo, etc., to obtain information from users.

g. Hash injection attack (applicable in the absence of strong and secure malware removal tools and lack of awareness or ignorance of employee) where the attacker injects a compromised hash into a local session and uses it to retrieve the domain admin account hash. The extracted hash is then used to log on to the domain controller.

h. Replay attacks (applicable in the absence of strong and secure malware removal tools and lack of awareness or ignorance of employee) where packets and authentication captured using a sniffer are used to extract relevant information, and then they are placed on the network to gain access.

i. Rule-based attack (applicable in the absence of strong and secure malware removal tools and lack of awareness or ignorance of employee) is usually performed after receiving information about the password.

Answer to Question (b):

Specific recommendations to protect against password attacks in the given case include:

a. Use of strong passwords for all applications including Xplan, Social Media and email accounts, bank accounts, desktop applications, etc., with a mix of upper and lowercase characters, numbers, and special characters by avoiding common words and common phrases and site-specific words.

b. Educate the employees against the possible social engineering tactics and how to recognize them. The employees must be made aware of the possible threats and their likely catastrophic impacts on the company.

c. Implement multi-factor user authentication, including biometric authentications like fingerprint, voice, retinal identification, face recognition, etc.

d. Use antivirus software and firewalls with future-proof and scalable security features.

e. System personnel must stick to the regular practice of updating systems, applications and devices.

f. Implement back-up and recovery provisions.

g. Procure network monitoring tools to identify and raise alarms on possible security breaches.
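
The monitoring recommendation can be made specific to this scenario, where the adviser was locked out, had his password reset, and was locked out again the next day. The sketch below is an added example, not part of the original answer: it flags any user ID that follows that lockout, reset, lockout sequence. The event names, the log format and the 48-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user ID, event type); not real platform logs.
SAMPLE_EVENTS = [
    ("2024-03-04 09:02", "adviser01", "LOCKOUT"),
    ("2024-03-04 09:40", "adviser01", "PASSWORD_RESET"),
    ("2024-03-05 08:55", "adviser01", "LOCKOUT"),   # locked again next day
    ("2024-03-04 10:15", "adviser02", "LOCKOUT"),
    ("2024-03-04 10:30", "adviser02", "PASSWORD_RESET"),
    ("2024-03-04 10:31", "adviser02", "LOGIN_OK"),
    ("2024-03-20 14:00", "adviser02", "LOCKOUT"),   # weeks later, outside window
]

def find_relock_after_reset(events, window=timedelta(hours=48)):
    """Return alerts for user IDs locked out again within `window` of a
    password reset that itself answered a lockout (lockout -> reset -> lockout)."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, kind)
        for ts, user, kind in events
    )
    state = {}   # user -> {"locked": bool, "reset_at": datetime or None}
    alerts = []
    for when, user, kind in parsed:
        s = state.setdefault(user, {"locked": False, "reset_at": None})
        if kind == "LOCKOUT":
            if s["reset_at"] is not None and when - s["reset_at"] <= window:
                hours = (when - s["reset_at"]).total_seconds() / 3600
                alerts.append({"user": user,
                               "relocked_at": when,
                               "hours_since_reset": round(hours, 1)})
            s["locked"] = True
            s["reset_at"] = None
        elif kind == "PASSWORD_RESET":
            # Only a reset that answers a lockout starts the watch window.
            s["reset_at"] = when if s["locked"] else None
            s["locked"] = False
    return alerts

if __name__ == "__main__":
    for alert in find_relock_after_reset(SAMPLE_EVENTS):
        print("Possible compromised user ID:", alert)
```

A repeat lockout soon after a reset suggests the new password is also being captured or the old credentials are still being tried elsewhere, so a further password reset alone will not resolve it.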

