RSA Reveals Details of Phishing Attack


One of the biggest security news stories of the past few weeks was the security breach at RSA, where a still unidentified attacker managed to gain access to email accounts, corporate data, and other information at security firm RSA, which is a division of EMC Corporation. This was especially troubling news, since the RSA SecurID token (pictured below) is used by thousands of companies across the globe to provide secure two-factor authentication services.


Just how the attacker managed to get inside RSA's security system was revealed in a blog post by RSA's Uri Rivner. The method the attacker used to gain access was a comparatively simple one: a series of targeted emails were send to select RSA employees, and the file attachment -- in this case a Microsoft Excel spreadsheet -- was used to deliver malicious code that exploited a security flaw in Adobe Flash to install some software allowing the attacker remote access to systems within RSA.

Here are some additional details from Rivner's post:

The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”

The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).

As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.

It's currently unclear if the attacker was able to gain access to the code generation algorithm used in SecurID tokens, and both RSA and EMC have been silent on the issue. Given that lack of information IT administrators may want to assume that the logic behind the generation of SecureID codes has been compromised.

I’m currently working on an article that provides some tips, advice, and best practices to help protect you (and your organization) against phishing attacks. Once that article is finished I’ll link to it from here.

Do you currently use RSA SecurID tokens to provide security in your organization? Let me know what you think about the RSA breach news by commenting on this blog post or following me on Twitter.

Follow Jeff James on Twitter at @jeffjames3

Follow Windows IT Pro on Twitter at @windowsitpro

Related Content:

Discuss this Blog Entry 1

on Jun 2, 2011
If you're using RSA's SecurID technology, take (Lock)heed.

I have just read a blog entry titled "InsecureID: No more secrets?" at

So, now we know: The RSA attackers stole the algorithms, the keys and the seeds, but not the association of that data with individuals.

So, things are not as bad as they could have been, but they are almost as bad. The stolen data alone cannot be used to compromise security, but they can be used effectively in a staged operation. Case in point: the recent Lockheed-Martin breach.

The day the RSA systems got hacked, infrastructures that based their security on RSA's two factor authentication suffered a cruel blow. Not an irrecoverable one, but a cruel one nonetheless. Lockheed-Martin should know. So should the rest of us.

Please or Register to post comments.

What's Security Blog?

Security news, views, product reviews, and solutions for Microsoft Windows IT professionals.

Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×