Trusteer discovered that the internal network of an unidentified US airport has been compromised.

The airport uses a common remote access method, a VPN, to allow remote access to its network. In the current case, the attackers used screen capture software to steal user login data. Computerworld reported the details of how the login credentials were stolen:

[T]he attack involved an innovative mixture of standard VPN login grabbing using the Citadel Trojan followed by screen scraping to discover the one-time password (OTP) presented by the gateway authentication system.

The OTP presented was in the form of an on-screen CAPTCHA using 10 digits embedded in an image, hence the need to grab it as a bitmap rather than by intercepting keyboard presses.

Using the stolen login credentials, the attackers have the same network privileges as the person whose credentials were stolen. With the employee's credentials in hand, the hackers would have whatever access to the airport computer system's software the worker's account allowed. George Tubin, a senior security strategist for Trusteer, quoted in Bloomberg Businessweek, said,

This was potentially very dangerous, but we don’t know whether the attacker group was targeting the financial system of the airport for economic gain or if the attack was terrorism-related. They could have been trying to access critical infrastructure—possibly air-traffic control systems and even the air-conditioning ducts on planes. Or they might have been looking at the hiring process, to see if they could get someone in there to work as an employee.
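The page does not say how the gateway issued or validated the 10-digit image OTP, so the following is an added example, not code from Trusteer, Computerworld or the airport. It models the check a gateway can apply so that an OTP scraped from the victim's screen is of little use to an attacker logging in from their own machine: the code is bound to the session and client address that received the image, is single-use, and expires after a short window. The class and function names, the addresses and the 60-second window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 60  # assumed validity window; the page gives no figure


@dataclass
class IssuedOtp:
    digest: bytes      # keyed hash of the code, so a leaked table does not leak live codes
    session_id: str    # the login session the image was rendered into
    client_addr: str   # the address that session came from
    issued_at: float
    used: bool = False


class OtpGateway:
    """Hypothetical gateway that binds each image OTP to one session, one client, one use."""

    def __init__(self, server_key: bytes, ttl: float = OTP_TTL_SECONDS, clock=time.time):
        self._key = server_key
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._issued: dict[str, IssuedOtp] = {}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, session_id: str, client_addr: str) -> str:
        """Generate a 10-digit code for this session; the caller renders it into the image."""
        code = "".join(secrets.choice("0123456789") for _ in range(10))
        self._issued[session_id] = IssuedOtp(
            self._digest(code), session_id, client_addr, self._clock())
        return code

    def redeem(self, session_id: str, client_addr: str, code: str) -> tuple[bool, str]:
        """Accept the code only from the session and client it was issued to, once, in time."""
        rec = self._issued.get(session_id)
        if rec is None:
            return False, "no OTP issued for this session"
        if rec.used:
            return False, "OTP already used"
        if self._clock() - rec.issued_at > self._ttl:
            return False, "OTP expired"
        if rec.client_addr != client_addr:
            return False, "OTP presented from a different client"
        if not hmac.compare_digest(rec.digest, self._digest(code)):
            return False, "wrong code"
        rec.used = True
        return True, "ok"


class FakeClock:
    """Constructed clock so the expiry path runs without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def simulate_scrape_and_replay(ttl: float = OTP_TTL_SECONDS) -> dict[str, tuple[bool, str]]:
    """Walk through the scraped-OTP scenario against the bound gateway; all inputs are constructed."""
    clock = FakeClock()
    gw = OtpGateway(secrets.token_bytes(32), ttl=ttl, clock=clock)
    results = {}

    # Victim logs in; the gateway shows the code as an image inside the victim's session.
    code = gw.issue("victim-sess", "10.1.2.3")

    # Attacker scrapes the bitmap and tries the code from their own session and host.
    results["replay_from_attacker_session"] = gw.redeem("attacker-sess", "203.0.113.9", code)
    # Attacker also has the victim's session identifier but connects from elsewhere.
    results["replay_with_victim_session_id_other_addr"] = gw.redeem("victim-sess", "203.0.113.9", code)
    # The victim's own client redeems it normally.
    results["legit"] = gw.redeem("victim-sess", "10.1.2.3", code)
    # A second use from the victim's own client is refused too.
    results["second_use"] = gw.redeem("victim-sess", "10.1.2.3", code)

    # A fresh code that is presented after the window has closed.
    code2 = gw.issue("victim-sess", "10.1.2.3")
    clock.t += ttl + 1
    results["expired"] = gw.redeem("victim-sess", "10.1.2.3", code2)

    # A code that is wrong in one digit, still within the window.
    code3 = gw.issue("other-sess", "10.1.2.4")
    wrong = str((int(code3[0]) + 1) % 10) + code3[1:]
    results["wrong_code"] = gw.redeem("other-sess", "10.1.2.4", wrong)
    return results


if __name__ == "__main__":
    for name, outcome in simulate_scrape_and_replay().items():
        print(f"{name:45s} -> {outcome}")
```

Binding to the client address is the weakest of the three checks, since a trojan on the victim's machine can proxy the attacker's traffic through it; session binding plus single use and a short window is what stops the scraped image from being replayed elsewhere, and none of it helps if the attacker drives the victim's own session.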

In order to steal the login data, the attacker first needed to install the malware on the victim's computer. How was this done? Although it is unclear how the victims were initially infected, Oren Kedem of Trusteer speculated in eWeek that it could have been through spear-phishing attacks or drive-by downloads.

Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext 3 or use our online form.