Welcome to the SecAware blog

I spy with my beady eye ...

14 Jan 2020

NBlog Jan 14 - a live case study

As we slave away on next month's security awareness module on malware, the Travelex ransomware incident rumbles on - a gift of a case study for us, our customers and for other security awareness pro's out there.

A quick glance at Travelex dotcom tells us that (as of this blogging) the incident is ongoing, unresolved, still a public embarrassment to Travelex that is presumably harming their business and their brand ... although having said that I've already mentioned their name three times in this piece. If you believe 'there's no such thing as bad publicity', then headline stories about the incident are all good, right?

Hmmm, leave that thought with me. Meanwhile, for the remainder of this piece, I'll call them "Tx" for short.

Technically speaking, the Tx dotcom website is up and running, serving a simple information page 'apologising for any inconvenience' [such as retail customers being unable to use the site to access Tx financial services in the normal fashion] and blaming 'a software virus': 

It refers to another Tx website which appears to be a legitimate Tx customer authentication page ... but, if it were me, given the incident I would be very dubious about submitting my credentials without first ascertaining that the site is legitimate, not simply part of the scam.

Anyway, the point is that they are at least on the Web, albeit a basic holding page, including their logo I notice. Without further information, we can only guess as to whether this page plus the associated webserver was hurriedly knocked together from scratch during the course of the incident, or was prepared in advance as part of a pre-planned incident response, perhaps customised a little and published when the evil ransomware struck. Likewise the separate login page.

Tx doctom is currently being served from an Amazon cloud, on an IP address shared by an eclectic collection of ~200 domains including:

Fair enough, there's no particular information security issue with cloud services and shared IPs, but it suggests that Tx's dedicated webservers and IP addresses are currently offline. In other words, the informational We've got a problem, Houston page is presumably being served from an alternative webserver ...

.... so what I'm doing now is building the case study, systematically piecing together whatever information I can glean or surmise about the incident, more importantly trying to figure out or plain guess what Tx may have done already and might now be doing in response to the incident. There are things to be pointed out, lessons to be learned here, lessons that hopefully don't involve the rest of us suffering an actual malware incident. For that, we should all be very grateful to Tx for "taking one for the team".

That's still only a small part of preparing February's awareness content, an illustration based on one specific incident. Generalising from the Tx incident is the bulk of our work this month. We'll be elaborating on the things that typically occur during and follow after a major malware incident, highlighting the things that can and may have been done ahead of time.

No comments:

Post a Comment