Samsung Galaxy S4
After unboxing a Samsung Galaxy S4, they left all security settings in the default state, plugged in a SIM card from a Russian cellular service provider, visited a Russian coffee shop, connected to open Wi-Fi and surfed to a Sochi-Olympic-themed site. The NBC video report claimed malicious software hijacked Engel's phone before the coffee arrived, making it appear as if malicious magical fairies installed malware on the phone. But Wilhoit gave tech details edited out of the video.
First there was a redirect from the Sochi-themed site, which "prompted a download that seemed to have relevant travel information." The user interaction came when Engel clicked "accept" to install the downloaded malware. The white paper explained that the "malicious app appears to be part of the SMSSEND malware family, which has infected more than 200,000 Android phones to date." The malware allows "an attacker to read the emails on it, gain access to external media connected to it, collect contact data stored in it, record calls made on it, and perform several other tasks."
Windows 7 was installed on the brand new Lenovo ThinkPad "because it is the most used Microsoft OS worldwide. This is what a standard user would likely do. We kept all of the default security settings as well." Additionally, Microsoft Office 2007 was installed "because of its perceived user base." About 30 hours later, Engel received a spear-phishing email. Wilhoit believes Engel's "email address appears to have been obtained from the compromised Samsung Galaxy S4 smartphone." Again, the device was compromised only after user interaction: clicking the embedded link in the email and downloading "a Microsoft Word document named Olympics.doc."
Within a minute of opening the document, a "piece of malware opened a back door" and "allowed the attacker to gain access to the infected machine. He can even perform several malicious tasks such as stealing banking information or exfiltrating important documents." Wilhoit wrote, "It appears to exploit the common CVE-2012-0158 vulnerability, which works against unpatched versions of Microsoft Office 2003, 2007, and 2010. Had the document been opened in Microsoft Office 2010, depending on its patch level, the attack would have likely succeeded as well."
The attackers didn't have evil pixie dust to magically infect the ThinkPad. Exploiting the remote code execution vulnerability, CVE-2012-0158, requires users to take action and click a link such as in email, instant messenger or social media. Microsoft issued a critical patch back in April 2012 to fix the flaw. It's January 2014, so surely "regular" users would have patched that hole in Windows by now... unless Windows 7 was pirated and couldn't be patched, but that surely doesn't describe NBC News' version of a "regular" and pretty technically stupid user.
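The Olympics.doc stage above hinged on a user opening a mailed Office document that carried an exploit for CVE-2012-0158. That bug lives in Microsoft's MSCOMCTL ActiveX controls, so documents of that era reached it by embedding an ActiveX or OLE object. The script below is an added example (not Trend Micro's or NBC's code) showing the coarse triage check a mail-gateway or incident responder would run on an attachment: it does not detect the vulnerability itself, it only flags the container features (OOXML ActiveX parts, a legacy .doc ObjectPool storage, RTF object control words) that make a document worth a closer look. The sample documents it builds are constructed in memory and are not real malware; the function name and sample contents are my own assumptions.

```python
"""Coarse triage of an Office attachment for embedded ActiveX / OLE objects.

Added example, not from the original article. It does not detect
CVE-2012-0158 itself; it flags the document features (ActiveX parts,
ObjectPool storages, RTF \\objdata) that exploit documents of that era
commonly carried, so an analyst knows which attachments to inspect first.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File header (legacy .doc)
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx) is a zip container


def triage_office_attachment(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []

    if data.startswith(ZIP_MAGIC):
        # OOXML keeps ActiveX controls and embedded OLE objects in dedicated
        # parts rather than in the main word/document.xml.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                content_types = (zf.read("[Content_Types].xml")
                                 if "[Content_Types].xml" in names else b"")
        except zipfile.BadZipFile:
            return ["zip container is malformed; treat as suspicious and inspect manually"]
        for n in names:
            if "/activeX/" in n:
                findings.append(f"ActiveX control part: {n}")
            elif "/embeddings/" in n:
                findings.append(f"embedded object part: {n}")
        if b"activeX" in content_types and not any("ActiveX" in f for f in findings):
            findings.append("[Content_Types].xml declares ActiveX content")

    elif data.startswith(OLE_MAGIC):
        # Legacy binary .doc: directory entry names are stored as UTF-16LE, so a
        # byte search for the 'ObjectPool' storage name is a cheap heuristic
        # (a real parser such as the olefile library would walk the directory).
        if "ObjectPool".encode("utf-16-le") in data:
            findings.append("legacy .doc contains an ObjectPool storage (embedded OLE/ActiveX objects)")

    elif data.startswith(RTF_MAGIC):
        # RTF embeds OLE objects via \object ... \objdata; \objclass names the class.
        for word in (b"\\objdata", b"\\objclass", b"\\objemb"):
            if word in data:
                findings.append(f"RTF object control word present: {word.decode()}")
    else:
        findings.append("not a recognised Office container; verify the real file type")

    return findings


def build_docx(parts: dict) -> bytes:
    """Constructed sample: a minimal OOXML zip with the given extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples for demonstration (not real malware):
CLEAN_DOCX = build_docx({})
ACTIVEX_DOCX = build_docx({"word/activeX/activeX1.bin": b"\x00" * 16,
                           "word/activeX/activeX1.xml": "<ax:ocx/>"})
OBJECT_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objclass Word.Document}{\\*\\objdata 0105}}}"
OLE_WITH_POOL = OLE_MAGIC + b"\x00" * 64 + "ObjectPool".encode("utf-16-le") + b"\x00" * 16

if __name__ == "__main__":
    for label, sample in (("clean docx", CLEAN_DOCX), ("activeX docx", ACTIVEX_DOCX),
                          ("object rtf", OBJECT_RTF), ("ole with ObjectPool", OLE_WITH_POOL)):
        print(label, "->", triage_office_attachment(sample) or "no findings")
```

A hit from this check is a reason to detonate the file in a sandbox or hand it to a proper OLE/RTF parser, not a verdict: plenty of legitimate forms carry ActiveX controls. The check that would actually have protected the ThinkPad in the story is the one the article points at, namely applying the April 2012 Office update before opening anything from a stranger.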