Has The Sun Set On LizaMoon?

Friday, April 08, 2011

Alexander Rothacker


Article by Josh Shaul, CTO, Application Security, Inc.

Today, Application Security, Inc. hosted a webinar to answer and clarify what the LizaMoon and Epsilon data breaches really mean to organizations and how to safeguard critical data from future threats. (*Note: To view the archived webinar, click here.)

These breaches have garnered widespread media attention – with the most recent Epsilon data breach taking the lion's share of the attention.

Initially, LizaMoon appeared to be quite significant, with a reported 1.5 million websites affected, according to Websense.

This was later significantly downplayed in the media, the hysteria fizzled out, and everyone continued to focus attention on Epsilon.

After all, that breach hit well-known household brands – and most people received at least one notification – if not several.

While we agree Epsilon was a significant breach – we are finding more data and having conversations with folks that have actually been hit by LizaMoon – which is proving to potentially be more significant than realized.

Immediately after the webinar, my phone rang and it was a CISO telling me that his organization had been hit by LizaMoon.

This CISO continued to tell me that his organization determined it was hit by LizaMoon on Friday.

This CISO took snapshots and conducted analysis to confirm this attack. By Sunday, the attackers had come back and cleaned up all traces of the original attack.

On Monday morning, when the CISO’s Webmaster came in and looked at his logs, he assumed this attack must have been a false positive, as there was no evidence of foul play.

So, this got me to thinking:

  • If an organization didn’t catch the attack by Friday – and the hackers came back and covered their tracks – they might not know of the breach.
  • What if the attackers set up backdoors to come back another time? Now that they have been inside the network and know exactly where to look for the organization’s critical data – who is to say they won’t be back?
  • Could this be the beginning of a much larger scale attack to be carried out in the future?

The information that this CISO confided in me begs the question as to whether LizaMoon is actually the more significant and dangerous of the two reported breaches.

What are your thoughts?

J. Oquendo: Sadly... 1) if people were paying attention to the logs 2) the logs were being written elsewhere (syslog to another machine or Snare for the Windows user) this instance would have been caught.

Now, as to the following question: "whether LizaMoon is actually the more significant and dangerous of the two reported breaches" I believe it is more dangerous however, "it's not all that now" they should have programmed it to mop up after itself. ;)