back to article Phishing email used in serious RSA attack surfaces

The theft of secret data related to RSA's SecurID tokens used by 40 million employees to access sensitive networks likely started with a 13-word email, evidence uncovered through a researcher's dogged sleuthing suggests. “I forward this file to you for review,” the unsigned email, sent to four employees of RSA's parent company …


This topic is closed for new posts.
  1. Destroy All Monsters Silver badge

    Oh well.

    I think even I have received that one.

    As the company is too small to have a recruitment plan at all, I wasn't fooled.

  2. Pink Duck

    Makes you wonder

    Whether Adobe are in it with the crooks.

  3. Diziet Sma

    you mean...

    nothing suspicious apart from excel crashing on launch? I'd report that immediately.

    1. MadonnaC

      constantly reporting

      I flip a coin to decide if excel is going to crash this time...

    2. Tom 13

      Well then you must live the blessed life of

      never having to open Excel files which have been emailed by clients.

  4. Anonymous Coward
    Big Brother

    "a small group of lower-level employees"

    Of course, it wouldn't have been a senior level executive who opened it. Who else reviews annual recruitment plans, obviously the lower level workers.

  5. garbo

    Job Description?

    You're employed at a computer security organisation, and you're not trained NOT TO OPEN ANY UNKNOWN emails? Fire the HR manager or whoever hired these folks.

    And they're using Windows?

  6. Anonymous Coward

    Phishing would not work without being helped by incompetence

    And RSA showed they really master it!

    If I get it correctly, remote control software being installed by the doctored Excel file means lower-level employees were having admin rights on their PCs, No really, why do they pay those security architects for ?

    SPF and public key crypto have been around for some time now and still an impressive string of very important companies were being penetrated like melting butter because they didn't bother to use them ?

  7. Christian Berger

    Flash and Excel on one system?

    I mean Flash is purely for entertainment, while Excel is for demotivation. There is no usecase which requires both to be on one system. So why didn't they just use virtual systems. It would have made the exploit way more complicated.

    1. Jonathan Richards 1

      Use Case

      Training delivery. Computer-based training applications may use Flash objects. Excel is on the low-level workers' PCs to enable them to build clunky hard-to-audit pseudo-databases, as every fule kno.

  8. Elmer Phud

    please click here for title

    " “I forward this file to you for review,” the unsigned email,"

    It was in the junk folder? unsigned? and they opened it?

    They still work for the company?

    1. Jean-Luc

      @Elmur Phud & Garbo

      Nice and cuddly guys you 2 are, wanting to fire the guilty. Makes me feel the warm fuzzies.

      Not to mention, incompetent yourself. If your cunning security scheme for the company is to hope that somehow, no employee will ever open bogus emails, you're idiots. Three times over.

      More to the point is the poster who questions why the PCs were unprotected enough that the malware had admin rights when running. Then how the malware remained undetected locally and the network subsequently detected no intrusions.

      Perhaps, as another poster stated, if these computers were sensitive, why where they running Windows? And, packing Flash, a known attack vector?

      Also to the point is why Excel is dumb enough to run Flash and why that kind of crap can't be easily filtered out of Excel's exec privileges. Look, I can't even open Excel without it warning me about my own macros. How much does one care about Excel macro warnings when it is dumb enough to repeatedly warn me about my own code?

      What is the use case for Excel spreadsheets having embedded Flash? I suspect it is the same use case as Outlook emails running scripts up until a few years ago - M$ finds it extends the user experience and damn the security.

      Solely blaming a silly end user for this epic fail should be the last thing a serious security person should do.

    2. Version 1.0 Silver badge

      Yes - they're still there

      Management always floats to the top, casualties always come from the lower ranks. You really think a manager is going to fall on his sword for this?

  9. Fat Freddie's Cat

    An APT?

    Is this really an Advanced Persistent Threat <>?

    If so, what's a Dumb Ongoing Relentless Knocking-at-the-door?

    1. Destroy All Monsters Silver badge


      A passage from "Herbert West, Reanimator"?

  10. pompurin

    Email as root

    Again it has to be asked, why does an e-mail client need root access to a machine? Or why does excel need root access? Why does flash need root access? There is your problem right there.

  11. Anonymous Coward

    It's always the ape, isn't it?

    Damn hominids, they are the weakest link.

  12. Adrian Coward

    "...Flash is executed by Excel..."

    Why, why, why does Excel need to execute Flash?

    1. Version 1.0 Silver badge


      You idiot, of course Excel needs Flash ... otherwise who would both to watch the presentations, or even both to open .xls files from the accountants. Management demand Flash be installed so that they can produce attractive Company Reports.

      Some people! They just have no idea how companies are really run! You probably think I went to the Harvard Business School for the degree ... Dude, really!

    2. Michael H


      ...thanks to the "helpful feature" that is Microsoft's COM, any ActiveX plugin can be inserted into office documents. Of course, Microsoft doesn't care about how flawed and insecure COM is, especially as a feature in Office documents. But why have security when you can have buzzwords and lock-in?

  13. Jared Vanderbilt

    Shame on EMC

    The bigger question is why is a computer with access to secure information being used to access the internet. We develop software. We have a desktop and laptop on every desk. Separate networks, MAC filtering. Desktops are secure, laptops are not. Signs all over the place. Little red stickers on every case, display, keyboard, and USB hub to mitigate any confusion. Anyone who transgresses gets fined or fired. It's in everyone's employment contract including mine. And yes, I have fired employees for exposing IP.

    When security is given the correct priority within an organization IP mysteriously becomes secure.

    1. cosymart


      More to the point, why does anyone who is not customer facing require internet access in the first place?

      1. Destroy All Monsters Silver badge


        Do you want an empty El Reg comment section?

    2. Anonymous Coward

      @Jared Vanderbilt

      So your network is totally secured?

      "When security is given the correct priority within an organization IP mysteriously becomes secure."

      You are 100% sure your network is totally secure? Then explain this:

      "And yes, I have fired employees for exposing IP."

      So it appears you live in a glass house and it has fallen more than once.

    3. SImon Hobson Bronze badge

      Eh ?

      >> MAC filtering

      Because MACs can't be faked, right ?

  14. Captain Scarlet

    Retrieve from Spam

    Hmm yes of course its not suspect!

  15. Anonymous Coward
    Anonymous Coward

    No matter how much you tell them

    Users are going to open email content they find intreaguing, that simple.

    No amount of training/nagging is going to change that, after all there isnt anything really at stake for the user who opens this file is there, it IT who have to clean up the shitstorm

  16. Kurgan


    RSA uses Windows (fail), does not have enough in-depth security (fail), has never trained staff about basic security (fail). Or worse, a top manager opened that email. A manager of the kind that WANT to have admin access to everything, and is so dull and gullible that he is the perfect target for every phishing scam in the world. Either way, this is an EXTRA SUPER DUPER FAIL.

  17. Frank Bitterlich

    Crafted well enough?


    "...crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file" ???

    I wonder how much money these guys have lost to 409 scams and by ordering fake pills. After all, it seems that just about *any* spam is "crafted well enough" for these types.

    "Hi, I'm a signature virus. Please copy and paste me to your sig file."

    1. Anonymous Coward


      "Hi, I'm a signature virus. Please copy and paste me to your sig file."

  18. Mark 65


    ahh-ahh, saviour of the universe.

  19. Anonymous Coward

    Because it was an .MSG outlook file, VirusTotal failed to extract the exploit?

    What a shambles. They went to the trouble of finding the virus code and exploit, shared it with the anti-virus community, but since it was actually inside the email (which they could have opened and found the exploit code inside the Excel attachement), it went completly un-noticed?

    This is one of the biggest failings of the AV industry - still entirely reliant on signature based recognision of dodgy files, dependant on the assumption people are prepared to send them the malware in the first place.

    You can see why simple 0day exploit code and custom malware is both trivial to write, and trivial to avoid detection, with all the patching and AV in the world failing to protect you.

This topic is closed for new posts.

Other stories you might like