Fake British Airways Ticket Receipt: a spear-phish malware analysis
by Invincea Threat Research Group. Analyst: Armon Bakhshi
Chris Carlson, Director, Product Marketing, Invincea
Mar 21 2014
First, some definitions…

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia)

Spear phishing: phishing attempts directed at specific individuals or companies with a malicious payload.
“95% of all attacks on enterprise networks are the result of successful spear-phishing.” (Alan Paller, director of research, SANS Institute)

WHY a 95% success rate?? BECAUSE USERS LOVE…TO…CLICK...!

Sending at least 18 emails in a spear-phishing campaign guarantees at least one click! (Verizon Data Breach Investigations Report – 2013)
Spear-phishing attacks are looking more official all the time….

2011: Fairly rudimentary – sending from Yahoo, no images, spelling/typos, etc.
2013: Very advanced – forged “from” address, embedded images, looks official.
What we found… an Invincea customer forwarded a suspicious email to our Threat Research Group…
Let’s analyze it visually first…

- Plain text email
- No personalization
- UK company, but not using European time/date formats
- Formatting looks amateurish
And the dead giveaway…!

The actual URL is not the real British Airways website:
hxxp://topdynamic[.]hu/cache/pdf_ba_ticket_4W2KUA.zip
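As an added example (not code from the deck or from Invincea), the following Python triage applies the indicators the slides walk through to a constructed plain-text email and a constructed ZIP; the brand-to-domain table, the sample email text and the placeholder archive contents are assumptions made for this example.

```python
"""Added example (not Invincea's code): triage the lure the deck describes.

Runs the slides' visual and URL checks over a constructed plain-text email and
a constructed ZIP: link domain vs. the brand named in the mail, a UK brand
using US-style dates, no personalisation, a "pdf_..." name that is really a
ZIP, and an executable (.pif) inside that ZIP. All sample data is made up.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# Brands we expect mail from and the registered domains they really use
# (assumption for this example, not taken from the deck).
BRAND_DOMAINS = {"british airways": {"britishairways.com", "ba.com"}}

# Extensions Windows executes directly; .pif is the one used in the deck.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}

URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.IGNORECASE)
# Month/day/year with a day above 12: unambiguously US order, not UK dd/mm/yyyy.
US_DATE_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:1[3-9]|2\d|3[01])/\d{4}\b")

# Constructed lure in the style the slides describe (not the original email).
SAMPLE_EMAIL = """\
Dear Customer,

Thank you for booking with British Airways.
Your e-ticket receipt for 03/21/2014 is ready.
Download your ticket: hxxp://topdynamic[.]hu/cache/pdf_ba_ticket_4W2KUA.zip
"""


def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .hu/.com cases here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_email(body, attachment_name=None, attachment_bytes=None):
    """Return a list of (indicator, detail) findings for one email."""
    findings = []
    lowered = body.lower()
    brand = next((b for b in BRAND_DOMAINS if b in lowered), None)

    # 1. Every link's registered domain must belong to the brand named in the mail.
    for raw in URL_RE.findall(body):
        parsed = urlparse(refang(raw.rstrip('".,)>')))
        reg = registered_domain(parsed.hostname or "")
        if brand and reg not in BRAND_DOMAINS[brand]:
            findings.append(("link_domain_mismatch", f"{brand} mail links to {reg}"))
        name = parsed.path.rsplit("/", 1)[-1]
        if "pdf" in name.lower() and name.lower().endswith(".zip"):
            findings.append(("pdf_named_zip", name))

    # 2. UK company, but US-style month/day/year dates.
    match = US_DATE_RE.search(body)
    if brand == "british airways" and match:
        findings.append(("non_uk_date_format", match.group(0)))

    # 3. No personalisation: generic or missing salutation.
    lines = body.strip().splitlines()
    first = lines[0].lower() if lines else ""
    if not first.startswith("dear ") or "customer" in first:
        findings.append(("no_personalization", first))

    # 4. The archive is opened here only to list member names; nothing is run.
    if attachment_bytes and attachment_name and attachment_name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            for member in zf.namelist():
                ext = member[member.rfind("."):].lower() if "." in member else ""
                if ext in EXECUTABLE_EXTS:
                    findings.append(("executable_in_archive", member))
    return findings


def build_sample_zip():
    """Constructed stand-in for the attachment: a harmless placeholder .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdf_ba_ticket_4W2KUA.pif", b"placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, detail in triage_email(
            SAMPLE_EMAIL, "pdf_ba_ticket_4W2KUA.zip", build_sample_zip()):
        print(f"{indicator:24} {detail}")
```

The registered-domain check is deliberately crude (last two labels); a production version would use a public-suffix list so that hosts under country-code second-level domains are handled correctly.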
We used our own product – Invincea FreeSpace – to analyze the malware. FreeSpace creates a secure virtual container to isolate the malware from the host operating system.

We unzipped the ZIP file and opened the PIF file in the FreeSpace secure virtual container to let the malware execute.
And this is what we found….

- Malware renamed and moved itself
- Created a batch file to delete itself on launch
- Created another file

It’s still going….

- Injected code into all running processes
Now we know that this is malware executing. Let’s look up more details on the malware through integration with our partner, ThreatGRID: 100% confidence of a Zeus banking Trojan family variant.
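As an added example (not Invincea's or ThreatGRID's code), this Python script turns the four behaviours observed in the container into a verdict with no signature lookup; the event format, process names, PIDs and file paths are all constructed for the example.

```python
"""Added example (not Invincea's or ThreatGRID's code): turn the four sandbox
behaviours listed above into a verdict with no signature lookup.

The trace, process names, PIDs and paths below are constructed for
illustration and do not come from the deck's analysis."""
from collections import defaultdict

ORIGINAL = r"C:\Users\u\Downloads\pdf_ba_ticket_4W2KUA.pif"   # constructed path
MOVED = r"C:\Users\u\AppData\Roaming\svc\svc.exe"              # constructed path
BAT = r"C:\Users\u\AppData\Local\Temp\cleanup.bat"              # constructed path
RUNNING_PIDS = [4, 100, 500, 640, 720, 2000]                     # constructed

# One event per observed action: who did it (pid/image), what (op), on what.
SAMPLE_EVENTS = [
    {"pid": 100, "image": ORIGINAL, "op": "file_rename", "src": ORIGINAL, "dst": MOVED},
    {"pid": 100, "image": ORIGINAL, "op": "file_write", "dst": BAT,
     "content": 'del "' + ORIGINAL + '"\r\ndel %0'},
    {"pid": 100, "image": ORIGINAL, "op": "process_create", "dst": "cmd.exe /c " + BAT},
    {"pid": 100, "image": ORIGINAL, "op": "file_write",
     "dst": r"C:\Users\u\AppData\Roaming\svc\config.dat"},
] + [
    {"pid": 100, "image": ORIGINAL, "op": "inject", "target_pid": p}
    for p in (4, 500, 640, 720, 2000)
] + [
    # Benign noise: a user process saving a document.
    {"pid": 2000, "image": r"C:\Windows\explorer.exe", "op": "file_write",
     "dst": r"C:\Users\u\Documents\notes.docx"},
]

# Weights: creating a file alone is normal; the other three rarely are.
WEIGHTS = {"self_relocation": 2, "self_delete_batch": 3, "drops_file": 1, "broad_injection": 4}


def find_behaviours(events, running_pids, injection_ratio=0.8):
    """Map each acting pid to the set of behaviour names it exhibited."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    results = {}
    for pid, evs in by_pid.items():
        image = evs[0]["image"].lower()
        hits = set()
        for e in evs:
            op, dst = e["op"], e.get("dst", "")
            if op == "file_rename" and e["src"].lower() == image:
                hits.add("self_relocation")          # moved/renamed its own binary
            elif op == "file_write" and dst.lower().endswith((".bat", ".cmd")):
                body = e.get("content", "").lower()
                if "del" in body and image in body:
                    hits.add("self_delete_batch")    # script that deletes the original
            elif op == "file_write":
                hits.add("drops_file")               # created another file
        targets = {e["target_pid"] for e in evs if e["op"] == "inject"} - {pid}
        others = set(running_pids) - {pid}
        if others and len(targets & others) / len(others) >= injection_ratio:
            hits.add("broad_injection")              # injected into (nearly) everything
        results[pid] = hits
    return results


def score(hits):
    """Sum the weights of the behaviours seen for one process."""
    return sum(WEIGHTS[h] for h in hits)


def verdict(hits):
    """Thresholds are assumptions: one strong behaviour is suspicious, two are malicious."""
    s = score(hits)
    return "malicious" if s >= 5 else "suspicious" if s >= 2 else "clean"


if __name__ == "__main__":
    for pid, hits in find_behaviours(SAMPLE_EVENTS, RUNNING_PIDS).items():
        print(pid, verdict(hits), sorted(hits))
```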
Summary of Analysis:

- This was not a zero-day attack, but it is still effective
  o If it had been a zero-day, Invincea could still contain and detect it, because we analyze behavior, not signatures
- It was a variant of an existing “Zeus Gameover” banking Trojan that one can buy cheaply on the black market; it can:
  o Log keystrokes
  o Steal bank credentials
  o Launch distributed denial-of-service (DDoS) attacks against financial institutions
- If the payload had been encrypted and opened on the client endpoint, it would have sneaked past perimeter control systems and executed successfully – endpoint protection is needed!
And now the clean-up…

Simply closing the infected, contained application removes all traces of the malware.

This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.

Delete infected container: < 1 second
See more malware analysis “Killed in Action” (KIA) at: http://www.invincea.com/category/kia/

And learn more about Invincea at: http://www.invincea.com/why-invincea/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Invincea fake british airways ticket spear-phish malware 03-21-2014

  • 13. Let’s analyze it visually first… Plain text email. No personalization. UK company, but not using European time/date formats. Formatting looks amateurish.
  • 15. And the dead giveaway…! The actual URL does not point to the real British Airways website: hxxp://topdynamic[.]hu/cache/pdf_ba_ticket_4W2KUA.zip
  • 16. We used our own product – Invincea FreeSpace – to analyze the malware. FreeSpace creates a secure virtual container to isolate the malware from the host operating system.
  • 17. We unzipped the ZIP file and opened the PIF file in the FreeSpace secure virtual container to let the malware execute.
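The link on slide 15 and the ZIP-with-a-PIF on slide 17 are the two things an analyst checks before ever detonating anything. The block below is an added example of that triage in Python; it is not code from the deck or from Invincea. It refangs the indicator exactly as printed on the slide, checks whether the link's host belongs to the brand the mail claims to be from, and flags an archive or executable delivered as a "ticket receipt". The brand allow-list, the two-label domain heuristic and the archive member name (the deck says the ZIP held a PIF but does not name it) are assumptions.

```python
"""Link triage for a suspected phishing mail (added example, not the deck's or Invincea's code).

Input: the defanged URL printed on the slide and the brand the message claims to come from.
The brand allow-list, the two-label domain heuristic and the archive listing are assumptions.
"""
import posixpath
from urllib.parse import urlsplit

# Indicator exactly as defanged on the slide.
SLIDE_URL = "hxxp://topdynamic[.]hu/cache/pdf_ba_ticket_4W2KUA.zip"

# Assumption: registrable domains a genuine British Airways link would use.
BRAND_DOMAINS = {"britishairways": {"britishairways.com", "ba.com"}}

ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}


def refang(url):
    """Undo the usual hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def registrable_domain(host):
    """Last two labels of the host. Fine for .hu or .com; ccSLDs such as .co.uk need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_link(defanged_url, claimed_brand):
    """Return the parsed pieces plus a list of findings; empty findings means the link itself is clean."""
    url = refang(defanged_url)
    parts = urlsplit(url)
    host = parts.hostname or ""
    rdom = registrable_domain(host)
    filename = posixpath.basename(parts.path)
    ext = posixpath.splitext(filename)[1].lower()

    findings = []
    if rdom not in BRAND_DOMAINS.get(claimed_brand, set()):
        findings.append(f"host {host!r} is not a {claimed_brand} domain ({rdom})")
    if parts.scheme != "https":
        findings.append("link is plain http")
    if ext in ARCHIVE_EXTS:
        findings.append(f"link delivers an archive ({ext}), not a receipt document")
    if ext in EXEC_EXTS:
        findings.append(f"link delivers an executable or script ({ext})")
    if "pdf" in filename.lower() and ext != ".pdf":
        findings.append(f"filename says 'pdf' but extension is {ext or 'none'}")

    return {"url": url, "host": host, "registrable_domain": rdom, "filename": filename,
            "findings": findings, "verdict": "SUSPICIOUS" if findings else "no link findings"}


def triage_archive_members(member_names):
    """Flag executable members and document-looking double extensions in a ZIP listing."""
    findings = []
    for name in member_names:
        base = posixpath.basename(name)
        ext = posixpath.splitext(base)[1].lower()
        if ext in EXEC_EXTS:
            findings.append(f"{base}: executable member ({ext})")
        if any(marker in base.lower() for marker in (".pdf.", ".doc.", ".xls.")):
            findings.append(f"{base}: double extension")
    return findings


if __name__ == "__main__":
    result = triage_link(SLIDE_URL, "britishairways")
    print(result["verdict"], result["host"], result["filename"])
    for finding in result["findings"]:
        print(" -", finding)
    # Constructed member name: the deck says the ZIP held a PIF but does not name it.
    for finding in triage_archive_members(["pdf_ba_ticket_4W2KUA.pif"]):
        print(" -", finding)
```

Run on the slide's indicator this reports a non-BA host, plain http, an archive where a receipt was promised, and a filename that says "pdf" but is not one; a genuine https://www.britishairways.com/ link produces no findings. The two-label domain heuristic is deliberately simple and is the first thing to replace in production.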
  • 20. And this is what we found…. Malware renamed and moved itself. Created a batch file to delete itself on launch. Created another file.
  • 21. It’s still going…. Injected code into all running processes.
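The behaviours observed in the container (the sample relocating itself, writing a batch file that deletes the original, and injecting into every running process) are exactly what a behavioural rule set keys on, which is the point the deck makes about behaviour versus signatures. Below is an added example of such rules in Python; it is not FreeSpace or ThreatGRID logic. It walks a constructed, Sysmon-like event stream in which every path, PID, hash and the batch-file content is invented, and raises one alert per behaviour.

```python
"""Behavioural rules for the actions observed in the container (added example; not FreeSpace
or ThreatGRID logic). The event stream is constructed inline, loosely modelled on Sysmon-style
fields: every path, PID, hash and the batch-file content is invented for illustration.
"""
import ntpath
from collections import defaultdict

SUSPICIOUS_EXTS = {".pif", ".scr", ".com"}       # executable formats masquerading as documents
UNTRUSTED_DIRS = ("\\temp\\", "\\downloads\\")    # where a mail attachment gets extracted
INJECT_TARGET_THRESHOLD = 3                       # distinct processes before we call it a spray

# Constructed sample telemetry, in the order the deck narrates it.
EVENTS = [
    {"type": "ProcessCreate", "pid": 4100, "sha256": "aa11",
     "image": r"C:\Users\bob\AppData\Local\Temp\pdf_ba_ticket_4W2KUA.pif",
     "parent_pid": 900},
    # renamed and moved itself: a new file with the same hash as the running image
    {"type": "FileCreate", "pid": 4100, "sha256": "aa11",
     "target": r"C:\Users\bob\AppData\Roaming\Ikyh\uqoh.exe"},
    # batch file that deletes the original dropper and then itself
    {"type": "FileCreate", "pid": 4100, "sha256": "bb22",
     "target": r"C:\Users\bob\AppData\Local\Temp\tmp1f3c.bat",
     "content": 'del "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf_ba_ticket_4W2KUA.pif"\r\ndel "%~f0"'},
    {"type": "ProcessCreate", "pid": 4120, "sha256": "cc33", "parent_pid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd /c "C:\Users\bob\AppData\Local\Temp\tmp1f3c.bat"'},
    # code injected into every running process
    {"type": "CreateRemoteThread", "pid": 4100, "target_pid": 800},
    {"type": "CreateRemoteThread", "pid": 4100, "target_pid": 1204},
    {"type": "CreateRemoteThread", "pid": 4100, "target_pid": 1388},
    {"type": "CreateRemoteThread", "pid": 4100, "target_pid": 2200},
]


def detect(events):
    """Walk an ordered event list once and return (rule, pid, detail) tuples."""
    alerts = []
    proc_image, proc_hash = {}, {}
    batch_by_path = {}                  # lower-cased .bat path -> pid that wrote it
    inject_targets = defaultdict(set)   # pid -> distinct target pids

    for e in events:
        kind, pid = e["type"], e["pid"]
        if kind == "ProcessCreate":
            img = e["image"]
            proc_image[pid], proc_hash[pid] = img, e.get("sha256")
            low = img.lower()
            # R1: a .pif/.scr/.com launched out of a temp or downloads directory
            if ntpath.splitext(low)[1] in SUSPICIOUS_EXTS and any(d in low for d in UNTRUSTED_DIRS):
                alerts.append(("R1 exec-from-untrusted-dir", pid, img))
            # R3: a previously recorded self-delete batch file is now run by its author
            cmd = e.get("command_line", "").lower()
            for bat_path, writer in batch_by_path.items():
                if bat_path in cmd and e.get("parent_pid") == writer:
                    alerts.append(("R3 self-delete-batch-run", writer, bat_path))
        elif kind == "FileCreate":
            target = e["target"]
            low = target.lower()
            own = proc_image.get(pid, "").lower()
            # R2: the process writes a copy of its own image somewhere else
            if e.get("sha256") and e["sha256"] == proc_hash.get(pid) and low != own:
                alerts.append(("R2 self-relocation", pid, target))
            # remember batch files whose content deletes the writer's own image
            if low.endswith((".bat", ".cmd")):
                content = e.get("content", "").lower()
                if own and "del" in content and own in content:
                    batch_by_path[low] = pid
        elif kind == "CreateRemoteThread":
            # R4: threads created in many distinct processes, fired once at the threshold
            inject_targets[pid].add(e["target_pid"])
            if len(inject_targets[pid]) == INJECT_TARGET_THRESHOLD:
                alerts.append(("R4 injection-spray", pid,
                               f"threads created in {INJECT_TARGET_THRESHOLD}+ distinct processes"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

None of the four rules needs a hash of the sample: R1 keys on file type and location, R2 on a process writing its own bytes elsewhere, R3 on the pairing of batch content with a later launch by the same parent, and R4 on the fan-out of remote threads. That is why a repacked Zeus variant that defeats a signature still trips them.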
  • 22. Now we know that this is malware executing. Let’s look up more details on the malware through integration with our partner, ThreatGRID: 100% confidence of a Zeus banking Trojan family variant
  • 25. Summary of Analysis: - This was not a zero-day attack, but it is still effective o Had it been a zero-day, Invincea could still have contained and detected it, because we analyze behavior, not signatures - It was a variant of an existing “Zeus Gameover” banking Trojan that can be bought cheaply on the black market o Logs keystrokes o Steals bank credentials o Launches distributed denial-of-service (DDoS) attacks against financial institutions - Had the payload been encrypted and opened on the client endpoint, it would have slipped past perimeter controls and executed successfully – endpoint protection is needed!
  • 29. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container: < 1 second
  • 30. See more malware analysis “Killed in Action” (KIA) at: http://www.invincea.com/category/kia/ And learn more about Invincea at: http://www.invincea.com/why-invincea/