A variant of the Sykipot malware is circulating that can purportedly hijack U.S. Defense Department Common Access Cards and Windows smart cards, according to AlienVault Labs. This variant, which appears to have been put together in March 2011, has been seen in dozens of attack samples from the past year.
The attackers use a spear-phishing campaign to get their targets to open a PDF attachment, which then deposits the Sykipot malware onto the target's machine. Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards.
When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information as long as the card remains in the card reader.
While trojans that have targeted smart cards are not new, there is obvious significance to the targeting of a particular smart card system in wide deployment by the Defense Department and other government agencies, particularly given the nature of the information the attackers seem to be targeting.
ActivIdentity provides smart card middleware and readers to the Defense Department. The company is looking at the threat and evaluating it, according to a spokesperson.
“Our initial assessment is that this potential vulnerability is completely unrelated to ActivIdentity ActivClient software. Nevertheless, it is possible that unauthorized persons may eventually be able to access company IT networks should personal computers become compromised with malware. We therefore urge our customers to deploy ActivIdentity solutions and adhere to best practice security policies and procedures,” the spokesperson says.