
Snooping on Employees?

Two years ago I wrote about Curse of the Were-Laptop, which highlighted the fact that PCs are used for both personal use and work; your employees can get themselves infected outside the corporate firewall, and then just bring the problem into the office.

The good news, I said, is that it would take a while for the fraudsters to realize they’re sitting on a pot of corporate data gold. Here’s a part of that post:

So why hasn't this hidden curse materialized yet? Why was there no full moon shining on the infected werelaptops, turning them into a corporate menace? That's because at the moment, all the Trojan operator is interested in is the employee as a consumer. But sooner or later, fraudsters will realize they are inside the firewall. They'll wake up and say: hey, how cool is that? And although today monetizing access to corporate resources is a generally unknown practice in the consumer-focused eCrime world, fraudsters at large will figure it out. They always do.

Two years have passed, and the threat has become much worse. Nowadays it’s not just laptops that have werewolf attributes; consumerization and employee demand to use their own PCs or smartphones have increased the consumer/employee attack surface.

And the other thing that happened was the massive proliferation of Zeus, the most popular Trojan kit. Zeus infected millions of PCs, many of them belonging to employees. Huge amounts of corporate data started flowing to Zeus drop sites: corporate access credentials, sensitive emails and memos, customer data, pricing information, financial records… The list is endless.

Earlier this year RSA published research showing that 88% of Fortune 500 companies have employees infected with the Zeus Trojan – and don’t know about it.

And yet when you look at what Trojan operators are still interested in, it’s purely online banking passwords and credit cards.

Or is it?

Well, according to a Computerworld report, Gary Warner – a researcher at the University of Alabama – found that certain Zeus Trojan operators have configured Zeus to ask the victim for the name of their employer. “Your computer may be worth exploring more deeply because it may provide a gateway to the organization”, Warner is quoted as saying.

A word of caution: there might be another explanation. Perhaps the Trojan operators collect the data for other nefarious reasons. For instance, bank fraud departments sometimes ask a caller who they work for: this information is known to the genuine user and also to the bank (as they process the salary payments), but is unknown to fraudsters.

But chances are this is the genuine article: a real effort by cybercriminals to classify compromised computers. And if that’s the case, this could be a game changer: the missing link between people who want access to a certain corporation, and people who can provide this access because they’re already inside.

Previously there was scarcely a way for Trojan operators to offer compromised employee resources on a silver platter to whoever is interested. Trojans such as Zeus, SpyEye, Sinowal and Qakbot have huge ‘garbage piles’ of data no one is interested in, and no one bothers searching through.

But now, armed with the employer name, cybercriminals can start trading in hijacked computers belonging to a specific corporation, or offer information stolen from specific companies.

And as the recent high-profile Advanced Persistent Threats demonstrated, many entities wish to penetrate corporations; so this endless supply of corporate breaches is bound to meet high demand.

A new marketplace can now evolve.


Uri Rivner

Chief Cyber Officer






This post is from a series of posts in the group:

Innovation in Financial Services
