Showing 30 results for: Incident Response ×

PoSeidon Adventures in Memory

Background As an Incident Responder I get the unique opportunity to see a lot of malware and in most cases that I investigate, the malware is of the card number stealing type. To be more specific, I deal with a...

Digging in the Spam Folder

Introduction Unlike spam that appears in my real-world mailbox, the numerous unwanted parcels that arrive continuously in my Gmail spam folder are a gold mine. Not because I'm being offered $1.5 million USD to help with a foreign currency deposit,...

Mom Spies a Hack

Have you ever wondered if all that informal training you do with your friends & family is paying off? When you say things like "use trusted sites" or "don't give your password to anyone" you wonder if they'll remember those...

Indicators of Compromise: A Discussion with Karl Sigler

Head over to the Trustwave blog for a video discussion about indicators of compromise with Karl Sigler, host of SpiderLabs Radio and Trustwave SpiderLabs Threat Intelligence Manager. Topics include why initial detection of a breach is so hard for businesses,...

ColdFusion Admin Compromise Analysis (CVE-2010-2861)

In a previous blog post, I provided "Method of Entry" analysis for a ColdFusion compromise baed on sanitized data from a SpiderLabs IR/Forensics team investigation which resulted in the attacker's installing a malicious IIS module that captured customer credit card...

Wait a minute... that’s not a real JPG!

When attackers compromise a website and want to harvest credit cards, they need to either find where the data is stored or capture the data in transit. This blog post shows how identifying files with false file signatures can uncover...

10,000 Litecoins Worth $230,000 USD Were Stolen!

Newspapers, commentators and bloggers have lately been asking whether digital currencies, such as Bitcoin, are "the new gold". Digital currencies are valuable and so attackers take interest in them just like they do payment card numbers. Just today, we witnessed...

Malicious shells; Established != Active

During a recent investigation, SpiderLabs was presented with evidence that appeared to be contradictory. Evidence from firewall logs and remediation actions taken by the client did not tally with the evidence collected from the compromised system. This blog post discusses...

Card Data Siphon with Google Analytics

The introduction of EMV (Chip & Pin) payment devices in 2003 resulted in a rapid decline in physical credit card cloning in Europe. EMV technology has also led to an increase in attacks on e-commerce systems targeting cardholder data. Each...

Hiding Webshell Backdoor Code in Image Files

Looks Can Be Deceiving Do any of these pictures look suspicious? First appearances may be deceiving... Web attackers have have been using a method of stashing pieces of their PHP backdoor exploit code within the meta-data headers of these image...

5 ways to protect your E-Commerce site

The Trustwave Spiderlabs team frequently responds to E-commerce data breaches. The number of website breaches that we are working continues to rise. There are a handful of reasons for this rise. We are approaching saturation in the "brick and mortar"...

Basic Packers: Easy As Pie

Throughout Trustwave SpiderLabs' many forensic investigations, we often stumble upon malicious samples that have been 'packed'. This technique/concept can be unfamiliar to the aspiring malware reverser or digital forensic investigator, so I thought it would be fun to use this...

Choppy Regulatory Waters ahead for EU SMEs?

There's been a reasonable amount of coverage of the (proposed) data protection legal framework changes for the European Union, which the European Commission summarizes [1] as: The legal framework consists of two legislative proposals: A proposal for a Regulation of...

Guidance for firms using the NetAccess N-1000

SpiderLabs' Incident Response team has recently seen credit card fraud involving the suspected compromise of a 'drop in' transaction processing devices in the Asia Pacific region. Specifically, we have seen issues with the NetAccess N-1000 Transaction Concentrator, payment processing middleware...

Analysing X-Cart Compromises

Recently I've found myself performing a lot of forensic examinations of X-Cart shopping carts. This isn't surprising: X-Cart is a very widely adopted and relatively low cost shopping cart platform. Its popularity makes it an attractive target for attackers because...

The Patsy Proxy: Getting others to do your dirty work

Patsy (slang) - A person easily taken advantage of, cheated, blamed, or ridiculed. My girlfriend (@savagejen) and I will be presenting at Derbycon this year about some research we've done into systems not configured as proxies, but which will pass...

How much data? Apache, Ubuntu and the Lies of the Logs.

Forensic investigators rely heavily on log file data in order to analyse attacks and draw conclusions regarding attacker actions. However, this blog post shows that we don't just have to worry about attackers trying to cover their tracks by destroying logs; Linux distributions themselves mess about with log file formats in a misleading manner and further thwart investigations.

Five E-Commerce Security Myths (Part 1)

Compromises of e-commerce websites are increasingly common. In our 2012 Global Security Report we reported that 20% of our incident response investigations related to e-commerce sites. This was up from 9% the year before. In my part of the world...