Over the past year and a half, Mandiant has found several instances where determined attackers managed to break into computers or networks that required both smart cards and passwords for authentication. Mandiant calls this technique a “smart card proxy” and will be releasing a report on its findings today.
The attacks take place in several steps, over time. First, the criminals send a specially crafted e-mail message to someone at the network they're trying to break into. The message carries a provocative subject line and includes a malicious attachment or a link to a malicious site or file. When opened, this installs an application that gives the attacker a foothold on the network.
Once installed, the malicious file gathers information about the authentication mechanisms in use on the computer and its neighbours. After it identifies the computers that have card readers, keystroke logging software steals the password typically used in conjunction with the smart card.
Then, they wait…
When the victim next inserts the smart card into the hacked PC, the criminals try to establish a connection with the server or network that requires the smart card for authentication, since this is likely to be where the prized data is stored. When the server asks for a digital token from the smart card, they simply pass the request to the hacked system, and return the token and the previously stolen password.
This is not an entirely new concept, but it is a new twist. It is very similar to the Man-In-The-Browser attacks being used by Zeus and other banking Trojans.
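A defender can look for the mismatch this technique creates: the card sits in one PC while the card-backed session reaches the server from somewhere else. The sketch below is an added example, not taken from Mandiant's report; the event fields, host names and sample records are constructed, and it assumes you collect card insert/remove telemetry from workstations and that the attacker's session arrives from a host other than the one holding the card.

```python
from datetime import datetime

# Constructed sample events (not real logs); field layout is an assumption.
CARD_EVENTS = [  # (time, workstation, card owner, action) from reader telemetry
    ("2011-01-10T09:00:05", "WS-014", "alice", "insert"),
    ("2011-01-10T12:30:00", "WS-014", "alice", "remove"),
    ("2011-01-10T09:10:00", "WS-022", "bob", "insert"),
]
AUTH_EVENTS = [  # (time, user, source host) smart-card logons seen by the server
    ("2011-01-10T09:00:20", "alice", "WS-014"),
    ("2011-01-10T10:15:42", "alice", "WS-091"),
    ("2011-01-10T13:00:00", "alice", "WS-014"),
    ("2011-01-10T09:30:00", "bob", "WS-022"),
]

def card_location(user, when, card_events):
    """Return the host holding the user's card at time `when`, or None."""
    host = None
    for ts, reader_host, owner, action in sorted(card_events):
        if owner != user or datetime.fromisoformat(ts) > when:
            continue
        # Replay insert/remove history up to `when` to get the current state.
        host = reader_host if action == "insert" else None
    return host

def find_suspect_logons(auth_events, card_events):
    """Flag card-backed logons whose source host does not hold the card."""
    suspects = []
    for ts, user, source in auth_events:
        where = card_location(user, datetime.fromisoformat(ts), card_events)
        if where is None:
            suspects.append((ts, user, source, "no card inserted anywhere"))
        elif where != source:
            suspects.append((ts, user, source, f"card is in {where}"))
    return suspects

if __name__ == "__main__":
    for ts, user, source, reason in find_suspect_logons(AUTH_EVENTS, CARD_EVENTS):
        print(f"{ts} {user} from {source}: {reason}")
```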
See the CIO article for more information.