RSA Token Users Under Attack

Wednesday, July 27, 2011 @ 01:07 PM gHale


RSA’s SecurID token users are under attack once again with fake emails coming from the U.S. National Security Agency urging them to update their token code.

The address from which the emails comes from is a spoof reads: “protection@nsa.security.gov,” but the malicious links take the victim to the national-security-agency.com domain, which according to Cyveillance, registered the day before the spam run started.

RELATED STORIES
Lockheed Under Attack
RSA will Replace SecureIDs
More Details on RSA Hack
RSA Hit by Cyber Attack

“A critical vulnerability has been discovered in a certain types of our token devices,” warns the email, counting on the fact the user is already aware of the RSA hack executed earlier this year and its implications for the security of the company’s SecurID tokens.

The authors of the email also appropriated NSA and CSS logo in order to give an appearance of legitimacy to the warning. Fortunately, they didn’t pay a lot of attention to the construction of the text itself and there are spelling mistakes that an aware user can spot.

This spoofed NSA page can link readers to a malicious site.

This spoofed NSA page can link readers to a malicious site.


In March RSA was the victim of a hacking attack on its SecureID tokens. The widely used electronic keys work using a two-pronged approach to confirming the identity of the person trying to access a computer system.

They should stop hackers who might use key-logging viruses to capture passwords by constantly generating new passwords to enter the system.

The SecurID generates new strings of digits on a minute-by-minute basis the user must enter along with a secret PIN before they can access the network.

If the user fails to enter the string before it expires, then it will deny access.

The hack occurred when an unpatched vulnerability in Adobe Flash Player helped lead to the RSA Security exploit.

Attackers gained access to the RSA network by sending two small groups of RSA employees emails with attached Excel spreadsheets, according to RSA officials. One of those employees opened the attachment, entitled “2011 Recruitment plan.xls.”

The spreadsheet contained an embedded Flash file that exploited a zero-day vulnerability that Adobe did not know about at the time and allowed hackers to take over an employee’s computer.

From there, the attackers installed a customized variant of the Poison Ivy remote administration tool (RAT) on the compromised computer. Using the RAT, hackers harvested users’ credentials to access other machines within the RSA network, searched for and copied sensitive information, and then transferred the data to external servers they controlled.



Leave a Reply

You must be logged in to post a comment.