Security experts have warned that cyber-criminals are now using online video sharing services to sneak sensitive data out of targeted organizations.
These sites are a perfect medium for attackers because they're widely used by employees and companies, and video files tend to be large so uploading significant volumes of data wouldn’t attract attention, Skyhigh Networks CTO Kaushik Narayan said.
The vendor spotted a recent incident where attackers stole sensitive corporate information which they then split into compressed files of identical sizes, “similar to how the RAR archive format transforms a single large archive into several smaller segments.”
“They encrypt this data and wrap each compressed file with a video file. In doing so, they make the original data unreadable and further obscure it by hiding it inside a file format that typically has large file sizes,” he added.
“This technique is sophisticated; the video files containing stolen data will play normally.”
Once uploaded, the cyber-criminals can then download the videos and reverse the process, unpacking and reassembling the pieces of data.
While traditional intrusion prevention tools would not spot this kind of data smuggling, a big data analysis of network activity can, Narayan said.
Skyhigh was able to detect anomalous behavior because the file uploads came from the same user in a short time frame with all video files of an identical size.
“Importantly, the detection relied on analysis of normal usage activity rather than detecting malware signatures that don’t exist before the attack has been catalogued,” Narayan explained. “Skyhigh’s approach requires no knowledge of the attack before it’s detected.”
Skyhigh told Infosecurity it had spotted this kind of attack a dozen or so times thus far, but declined to name the online video service providers involved.
This isn’t the first time the vendor has spotted an original approach to sneaking stolen data out of a company.
In March it revealed how a single IP address at a company was exfiltrating data via Twitter 140 characters at a time – amounting to over 100,000 tweets per day.
In another case, an infected corporate machine was trying to connect to GoToMyPC 11 million times in the space of a week. It turned out the attackers were intending to use GoToMyPC as command and control infrastructure.