Criminals using Web apps to hide attacks

In a presentation at Black Hat, Chuck Willis and Rohyt Belani recounted recent case studies where criminal hackers had used Web applications to break into companies. The researchers' talk focused on incident response and forensic techniques that helped reveal the backstory of the attacks. They cited two case studies.

One study involved an online stock trade company where roughly 1,000 customers had mysteriously purchased shares of a penny stock none of them had never heard of before. In most cases, the stock purchase went unreported (the stock had gained in value, so the customers affected had all benefited). But a handful did complain, so digital forensic examiners were brought in. By analyzing the servers and finding all the logs that corresponded to the date, time, and stock purchases, the investigators found that all the purchases had been made with the same session ID. The stock trade company made the mistake of issuing a session ID before authenticating the user, so the attacker was able to send, via phishing attack, one session ID so that when the victim logged into his account, it triggered an automated script that bought the shares for other customers as well.

In a second case study, the CEO of a retail giant received an extortion note via U.S. mail. In the note was a snippet of database including customer credit card information; the extortionist was demanding money or he'd go public with the 125,000 credit card numbers he had. Here the investigators had only 72 hours, but ultimately they found that a software developer had put in a backdoor on the credit card database. The software had been outsourced from Asia, and by searching the Web logs for that particular database call, they found one request that resolved to an address also in Asia. According to Willis and Belani, law enforcement in that country was able to arrest the individual, and do so with a few hours to spare.