ZeusiLeaks Archives File 003: The Chairman's Assistant

In this ZeusiLeaks file I’ll talk about how fraudsters tap the communications of a company’s executive board - the holy grail of inside info.

Quick reminder:

WikiLeaks, the largest leak of data the world has seen? Nonsense! Trojans like Zeus and SpyEye lurk on millions of personal, corporate and government PCs, stealing data 24 by 7. Everything you do online – either private or work related – is sent to a mothership half across the globe. Welcome to the ZeusiLeaks Archives, and look here for previous files.

***

The Executive Board. Where the biggest, most secretive decisions are made: What bid shall we make on another company? Who shall replace the CEO after the latest management shake-down? How shall we respond to the merger offer from the largest competitor? And what are the company’s financial results soon to be publicly filed?

Imagine having full access to all of this. I hope you’ll agree this is the holy grail of inside information.

So what happens when fraudsters are already inside the PC that has full access to executive board communications? Oh, the horror! To quote from the movie Top Secret, some things are better left unsaid. I won't even try to describe the potential damage.

Meet the very real case of Mrs. S, who is executive assistant to Chairman and Chief Executive Officer of XYZ Corporation (name withheld). XYZ Corporation is a giant real estate company traded in the S&P 500 index.

XYZ uses a public cloud data sharing platform for managing board communications. Lets understand what this is: it’s basically a website that you log into, and allows you to securely share data with all of the board members. You can send memos, you can share documents like an excel file with the coming quarterly financial results, or a PDF file with the bid the company is making on a competitor. It’s something that is supposed to be as bulletproof as the company’s internal network, because you don’t want anything to leak.

Who do you think logs into the executive board platform? Is it the Chairman himself?

Naaaa… It’s Mrs. S, the executive assistant, who dutifully logs into the executive board platform to upload files.

Like financial records. According to the XYZ Corporation website, the chairman is going to address the shareholders next week to talk about the 2010 results. That’s the kind of document that Mrs. S is going to upload to the data sharing platform.

She uses the chairman’s login credentials, which are the chairman’s corporate email and the chairman’s password. By the way, have a look at the captured information below and look at the password: it’s an 8 digit password that starts with ‘Go’, is followed by the name of a football team, and ends with ‘1’.

Not exactly state of the art security.

Trouble is, and if you’ve been following ZeusiLeaks it’s obvious by now, that someone is recording everything Mrs. S is doing online… The operator of a Zeus Trojan.

The access credentials and anything posted into the secure online board platform are recorded. Then anything from Mahi Mahi recipes to the corporate intelligence report on the key competitor (requested by the VP of Business Development). All corporate data captured by the Trojan now resides in the Dark Cloud; or in this particular case, in a Chicago server controlled by the fraudster.

As usual the point isn’t the security of the website, which is why I’m not going to mention it by name. The point is the compromise of Mrs. S’s computer, and the potential damage that could happen if the data that is already in the wrong hands - that of Cyber crooks - will pass into even more sinister hands.

***

Mrs. S isn’t alone. Meet also Mrs. J, who is executive assistant of the board of an even larger company – one of the big 5 global consulting firms. She logs into internal portals, writes emails on behalf of board members, and has full visibility into the inside works of the organization. Just imagine what kind of treasure trove this is to the resourceful fraudster. Or… if you plan an Advanced Persistent Threat, what a great starting point to have. You can strike from within the heart of the corporation.

***

RSA Conference 2011 is coming next week in San Francisco, and I plan on showing some of the fresh files from the ZeusiLeaks Archives in a special event called Pecha Kucha Happy Hour that features presentations with 20 slides and 20 seconds per slide. I guess that’s enough time to show how our data – as consumers and as corporate employees – leaks freely to the wrong hands. I’m also going to talk in the Hackers & Threats track on Advanced Persistent Threats, and why the industry is developing a new defence doctrine to fight them; you can listen to a pre-conference podcast recording here.