It is no surprise the Internet can be used to propagate misleading news, but secondary cybersecurity risks can outweigh malicious misinformation campaigns. Case in point, Intel was recently targeted in an attack using false information on an official-looking press release. The hoax leveraged a web address similar to the official corporate site and even had someone to answer the phone number and try to convince callers of the legitimacy. With a touch of irony, the contact name was “Nick Veritas” (“Veritas” translates to truth in Latin). The story of the deception gained widespread visibility.
Overall, the attack was not technically complex. However, it is a novel example in how secondary risks can exceed what might appear to be the primary goal. A bit of subterfuge is at play, as I believe this is a brilliant twist on a waterhole attack!
Consider the aspects. This is a directed attack against a specific company. The message was crafted to be plausible and meaningful enough to gain sufficient visibility to be carried by major media outlets. It is obvious the misinformation ruse would not last long, given the ease to validate, but ultimately it does not really matter. What is important is the draw it has on employees of the target, wanting to visit the fake site. Owning the site, the attacker can easily embed malware into the page and cross reference visitor’s internet protocol (IP) address ranges to see which are the targeted employees. Using curiosity to have intended victims visit a known malicious site to infect their systems, is new.
I have to give credit, it is an innovative derivative of ‘waterhole’ attacks. That said, this method of compromise is easily countered if companies educate their employees in such matters and have them make good decisions when choosing what to click on the Internet, especially from work systems and networks. Rapid analysis of the site can determine the type of payloads being propagated, which will help with detection and cleaning of malware. Blocking the site at the network perimeter is also a good practice to reduce the potential number of victims. The best defense, as is true with most web based threats, is a well informed and security savvy workforce.
IT Peer Network: My Previous Posts
My Blog: Information Security Strategy