Malware Scanners as a Repository for Valuable Business Info

Threat intelligence manager Markus Neis told a group of panelists at the Kaspersky Lab Security Analyst Summit that cyber criminals can use services such as VirusTotal to capture and retrieve sensitive documents that others have uploaded.

According to Neis, he arrived at these findings by uploading a Word document embedded with a Canarytoken: a rigged embedded identifier that, upon access, sends an email to its owner alerting them that someone has accessed the item in question. Neis found that within two days his document had been distributed and downloaded in the US, Germany, Russia and Poland. Neis suggests this is a further problem for businesses that work with outsourcers and other third-party contractors: once the data is in their hands, total control of it is lost, because these parties can decrypt and scan it and thus leave an imprint of items such as PGP keys, VPN credentials and SSH private keys.

The implications of this point of access are huge, especially when considering corporate or nation-state espionage. Neis has already found data belonging to luxury car makers and internet service providers, and has met with little response from the proper authorities when disclosing that this information is out there. There is therefore both an incentive and a need to establish strong internal security procedures between employees, managers, and their IT security team for a secure “turning in” of confidential data, and for how better to handle, delete, and submit what could soon be commonly targeted information.
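One way to enforce such a "turning in" step is a gate that inspects a file before it is allowed to leave the organisation for a public scanning service. The sketch below is an added example, not code from Neis or from this post; the marker patterns, function names and sample data are assumptions chosen to cover the secret types named above, and Word documents are unpacked because they are ZIP containers.

```python
import io
import re
import zipfile

# Assumed markers for the secret types the article names (not exhaustive).
SECRET_MARKERS = {
    "pgp_private_key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "ssh_private_key": re.compile(rb"-----BEGIN (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----"),
    "openvpn_inline_key": re.compile(rb"<key>\s*-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # bound decompression per archive member


def scan_bytes(data, where):
    return [(where, name) for name, rx in SECRET_MARKERS.items() if rx.search(data)]


def find_secrets(data, name="sample"):
    """Return (location, marker) pairs for a file and, if it is a ZIP, its members."""
    hits = scan_bytes(data, name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # .docx/.xlsx are ZIP containers
        for info in zf.infolist():
            where = f"{name}!{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append((where, "unscanned_member"))  # fail closed
                continue
            try:
                hits += scan_bytes(zf.read(info), where)
            except (RuntimeError, zipfile.BadZipFile):  # encrypted or corrupt member
                hits.append((where, "unscanned_member"))
    return hits


def may_upload(data, name="sample"):
    """Gate decision: (allowed, findings). Any finding blocks the upload."""
    hits = find_secrets(data, name)
    return (not hits, hits)


def constructed_docx():
    # Constructed sample: a ZIP shaped like a .docx with a fake key pasted in.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    "<w:t>-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n</w:t>")
    return buf.getvalue()


if __name__ == "__main__":
    print(may_upload(constructed_docx(), "report.docx"))
    print(may_upload(b"MZ\x90\x00 constructed binary, no secrets", "tool.exe"))
```

Members that cannot be read (encrypted, corrupt or oversized) are reported as findings so that the gate blocks rather than passes content it could not inspect.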

Recommended Links:

Further information on how Neis conducted his work.

Recent changes on VirusTotal regarding secure procedure

