Curse of the Were-Laptop

Richmond, Virginia - Sunday 20:00 EST 

The storm outside sent wave after wave of heavy rain drops that banged on the large window, trickling down into the garden bushes below. Distant thunderclaps rolled, making the glass vibrate every other minute, not before the bright flashes of lightning lit Jack's study.

Jack was browsing the Internet, several web pages open on his laptop display. He was scanning the latest private messages in his favorite social network website; one of them was from Sarah, his good friend back from the college days, saying something about a cool video he must watch.

Clicking on the link in the private message made a new page open. Jack immediately recognized the website's logo - it was a popular video sharing site – and waited for the video clip titled 'something funny' to load.

After about ten seconds, a message came up saying the video clip cannot be loaded since the Flash movie program was out of date. The message helpfully suggested to run an update, and Jack didn't think twice before hitting the "Run" button.

The room filled with the blinding flare of lightning, immediately followed by roaring thunder that shook the window glass.

Thirty seconds later, the download process ended and now the video was running just fine. It wasn't that funny – actually, it was pretty bad slapstick. What did Sarah have in mind?

Almaty, Kazakhstan – Monday 07:05 KET

The Zeus Trojan server was crunching the incoming traffic. Information from more than 500 computers out of over 7,000 infected by this particular strand of Zeus operated by a gang of cyber criminals was flowing in simultaneously.

One specific request came from an IP address in Virginia, US. Being a new device, the server opened a new record in the 'users' table for further tracking. A lot of data started to flow in from this new device into the unstructured database; social network data, URLs browsed in a popular news website, access credentials into a well known virtual world - all of these were filed for possible future use… But now came something much more interesting, triggering the structured data indexing script.

Richmond, Virginia - Sunday 20:30 EST

Jack blinked at the page. Other than a user name and password, the bank was now asking for his ATM PIN code. This looked a little odd; why would the bank ask that?

Slightly suspicious, Jack looked carefully at the website address, but it was the real URL. Just to make sure, he double clicked on the small yellow lock, which presented the genuine certificate of the bank.

Sighing to himself, he typed the PIN code, filled the regular login information and clicked submit. He was immediately let inside. Perhaps this is a new requirement, he thought, and then went on to check his balance and last month's transactions.

"Honey, I see a 250 dollars cheque from last week in the statement. Who was this for?" Shouted Jack, hoping his voice will carry to the bedroom, beating both the raindrops and the sound of TV reality show that was playing in the background.

"Wasn't it for your sister? The new baby trolley?" Came the faint response.

"Oh, right", said Jack. He always went in to check his online banking on Sunday evenings. This way if there was anything he wanted done, he could call the bank first thing Monday morning. But now everything seemed in order.

"Are you coming dear? If you'll watch the show with me for ten minutes I promise to let you watch the game all night!"

Jack grinned. Sounds like a good deal… He folded the laptop, putting it in the nice black case his wife bought him recently for his new promotion.

Somewhere in Virginia - Monday 07:45 EST

Surveillance cameras watched the Honda SUV as it approached the main gate. Jack nodded to the guard, opened the window and waved his RFID access tag in front of the new security device implemented earlier this year. He smiled at the small face capture camera, heard the friendly beep and saw the guard nod back. Closing the window, he muttered to himself something about the ridiculous amount of security he had to go through these days.

Driving straight to his designated parking spot, Jack got out of the car. Carrying the laptop case with him, he disappearing into the vast steel and glass building.

* * *

We all know about Lycanthropy, the mythical disease in which victims are bit by werewolves and develop the nasty habit of turning into beasts every full moon. They can live years without realizing they have been infected by a curse.

Today, laptops all over the world have two faces. At day they are plugged into the corporate network, protected by the latest technology. But at night… At night their owners connect them to private broadband, where many predators await.

When a laptop gets infected at home by a Trojan, it poses a unique risk. It becomes a WereLaptop: an unsuspecting carrier of a hidden curse.

Its owner, unaware of the danger, can take the WereLaptop with him or her, walk through the office doors, and plug it into the network.

And then you have a Trojan behind corporate firewalls.

It's almost as if online criminals have completed a full circle. Ten years ago, they tried to hack into the enterprise, but the industry responded with firewalls, event log monitoring and intrusion detection systems.

Seeing that network security is too difficult to breach, fraudsters turned into a much less protected target: the consumer. Phishing, Trojans and other attack vectors became a money making machine.

Now that online banking and eCommerce security is getting stronger, the fraudsters will have to turn elsewhere. Byron Acohido's recent article in USA Today demonstrates some of the precision attacks cyber criminals and industrial spies stage against corporate resources; but this is just the tip of a very large iceberg.

Thousands of additional breaches have already occurred, but the Trojan that already resides behind the firewall sits idly and attempts no further action. Think of the lycanthropy victim under regular circumstances: everything seems normal, and the curse is well hidden.

So why hasn't this hidden curse materialize yet? Why was there no full moon shining on the infected werelaptops, turning them into a corporate menace? 

That's because at the moment, all the Trojan operator is interested in is the employee as a consumer. 

But sooner or later, fraudsters will realize they are inside the firewall. They'll wake up and say: hey, how cool is that?

And although today monetizing access to corporate resources is a generally unknown practice in the consumer-focused eCrime world, fraudsters at large will figure it out. 

They always do.

* * *

Where did Jack just enter? Is it a large corporate that handles many business or consumer accounts? A financial services company? A high-security laboratory involved in classified research? A critical infrastructure provider? A government complex? A military compound?

Whichever the case, Jack is going to walk up to his desk, put the laptop in the docking station, provide the Windows access credentials and sit back in his chair, getting ready for another week of hard work.

The very laptop that was infected by Zeus a few hours ago.

The WereLaptop.