Stealing someone’s identity is one of the best-known techniques hackers use to access confidential information in a corporate environment. But how does it work? Why are such intrusion attempts difficult to detect? What can be done to safeguard a corporate network from unwelcome visitors?

It is well known that the internet is not the safest of media, as intrusions into foreign networks have become very easy and all too convenient for hackers. Nowadays a large number of bots (developed and deployed by hackers) scan networks and, fully automatically, insert malicious code into remote machines and infect them.

Putting additional security measures in place is therefore an important requirement to minimize the risk of identity theft in a corporate environment. Identity theft often leads to data theft under the victim’s name, which can have serious repercussions should the case end up in court, where a judge has to decide whether the offence was committed by the victim himself or by a professional hacker who merely misused the victim’s identity.

Recent statistics on economic crime in online media show a strong increase in registered intrusion activity in corporate environments, which is now taken very seriously by governments and major corporate organizations as well as by individuals.

So how does a common intrusion happen in corporate environments?

The scenario is very simple. A hacker tries to insert a malformed common file into a trusted, well-visited website. Let’s say he has created an image file that has been malformed with the purpose of exploiting a severe vulnerability in a specific web browser.

In this example the malformed image file displays the logo of the trusted website. The hacker now tries to replace the original logo image on the target website with his own malformed image. As both image files look the same, the replacement will not be noticed immediately.
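The replacement goes unnoticed only if nobody compares the served file against a known-good copy. The following added example (not part of the original post) shows the defensive check a site operator can run: record a SHA-256 baseline of every static asset under the web root, then re-verify and report files that were modified, removed or added. The web root, the asset names and the file contents are constructed here in a temporary directory purely for illustration.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample site: two static assets as in-memory bytes (not a real site).
ORIGINAL_ASSETS = {
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"original-logo-bytes",
    "css/site.css": b"body { color: #222; }",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Record the SHA-256 of every file under webroot, keyed by relative POSIX path."""
    baseline = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(webroot).as_posix()] = sha256_hex(p.read_bytes())
    return baseline


def verify(webroot: Path, baseline: dict) -> dict:
    """Compare the files currently under webroot against a stored baseline.

    A same-looking logo with different bytes shows up under 'modified',
    which is exactly the silent swap described in the post.
    """
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def write_assets(webroot: Path, assets: dict) -> None:
    """Write the constructed assets to disk, creating directories as needed."""
    for rel, data in assets.items():
        path = webroot / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict:
    """Baseline the sample site, swap the logo for a different file, re-verify."""
    with TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        write_assets(webroot, ORIGINAL_ASSETS)
        baseline = build_baseline(webroot)
        # Simulated tampering: a logo that keeps the PNG header but carries other bytes.
        write_assets(webroot, {"img/logo.png": b"\x89PNG\r\n\x1a\n" + b"tampered-logo-bytes"})
        return verify(webroot, baseline)


if __name__ == "__main__":
    print(demo())  # the swapped logo is listed under "modified"
```

In practice the baseline would be stored outside the web root (or signed) and the check scheduled to run regularly, so that a replaced asset is flagged before many visitors load it; a visual comparison of the two logos would never catch it.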

Whenever a visitor opens the trusted website with that specific web browser, the browser (on the visitor’s client machine) will automatically download the webpage, including the infected image, to the local hard disk.

The web browser will process the website, including the malformed image logo. Opening this malformed image logo triggers the exploitation of a severe vulnerability in the client’s web browser.

What has happened?

In many cases the web browser will crash immediately and the visitor will be notified with an error message that an unexpected error has occurred. This is a common sign that a malformed file has been processed and caused an exception at the web browser level.

However, the visitor may not understand why the web browser has crashed and what effects the crash could have for him and for his system. Usually a web browser crash means that the malicious code can now run outside the web browser. Any security measure of the web browser will therefore fail, because the crash has terminated the web browser together with its own security measures.

Any malicious code can then run freely outside the sandbox, meaning that it runs with the full access rights of the visitor’s user account. To a system administrator it will look as though the malicious code was run by the victim himself, although in reality the actions were the result of an infected file placed by a hacker (who is sitting somewhere outside the corporate network). As the hacker can implement any type of malicious code, he has free rein to open any doors for data theft on the target machine.

In the next instalment of this blog series we’ll look further into intruder detection and the ways it can happen.