Phony Performance Warning Foiled

The Network:  Our customer is a well-known law firm with more than 350 lawyers practicing across the globe who counsel multinational corporations, privately held and family-owned businesses, individual and institutional investors, educational and research institutions, and other clients in a broad range of legal disciplines.

The Expectation: The primary user is not an IT professional and therefore must be kept safe against malware that is prevalent today. Endpoints are carefully maintained with patching and a brand name anti-virus program. However, end users may make poor decisions, and cyber attackers will exploit every possible vector, so monitoring is needed.  EventTracker SIEM enables the global law firm to protect sensitive client data from insider threats as well as external hackers.

The Catch: The EventTracker SOC (Security Operations Center) team observed an undesirable process executing on the customer’s workstation. It was permitted to do so by the brand name anti-virus software. The executable was digitally signed with a certificate from Symantec.

The Find: The undesirable program masquerades as Advanced PC Care and displays misleading information about the computer's performance. It then asks the end user to pay to fix the issues.

The Fix: The EventTracker SOC promptly alerted the administrator to uninstall this program and properly scan the target. The program was bundled with a malicious YouTube installer that the end user had not noticed.

The Lesson: User training is critical, but the best of us can succumb given the sheer volume of malware that we face every day. Administrations must trust but verify user actions. Your security analysts will be proactively notified by the EventTracker SOC only when high-risk incidents occur, so that appropriate action occurs as quickly to minimize dwell time.