Technologist - The FindLaw Legal Technology Blog

Certified Ethical Hacker Program Accidentally Spreads Malware

It's like rain on your wedding day. It's a free ride when you've already paid. It's the "certified ethical hacker" program that spread dangerous encryption malware to users, despite warnings from outside sources.

Who would've thought. It figures.

Isn't It Ironic

Alright, that's enough Alanis Morissette, for now. (And yes, we know. Rain on your wedding day is just a bummer, not an example of irony.)

Let's get into the cruel irony of the EC-Council's recent malware disaster. EC-Council is, according to Arstechnica, a "major security certification group" that offers training, a Masters of Security Science Degree, and certifications in ethical hacking.

Their slogan: "Hackers Are Here. Where Are You?"

And indeed, hackers were there, though perhaps not in the way EC-Council intended. According to Arstechnica, EC-Council's website was recently attacked by hackers, who used it to spread TeslaCrypt malware. TeslaCrypt locks users out of their video games (really) but also encrypts all of a computer's Word, PDF, and JPEG files. Victims are told to pay $622 in Bitcoins in order to have their files unlocked.

Not Just a Flaw, a Failure to Respond

A cybersecurity company that is itself vulnerable to cyber attacks is bad enough, but the malware might not be the worst part of EC-Council's story. The actually ethical hackers at Fox IT (certification status unknown) spotted the malware infection on Monday and immediately contacted EC-Council. Days passed, nothing changed, and Fox IT never heard back, so they publicized the security risk themselves.

On Thursday, Fox IT posted a blog warning about EC-Council and explaining the (particularly complicated) way the TeslaCrypt hack worked. According to Fox IT, EC-Council users would be redirected to the TeslaCrypt download only in very specific circumstances:

  • "The visitor has to have Microsoft Internet Explorer as a browser (or at least the user-agent has to represent Internet Explorer)
  • "The visitor comes from a search engine like Google or Bing
  • "The visitor's IP address is not blacklisted or belonging to a blocked geolocation. The inject avoids certain countries (possibly tied to a bad 'ROI' for the criminals running the ransomware that is being dropped)"

That makes it likely that not too many future certified ethical hackers were infected, but those conditions also make the exploit very difficult to detect.
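Because the inject only fires for visitors who look like Internet Explorer arriving from a search engine, a site owner checking their own pages with an ordinary browser would see nothing wrong. One way to spot this kind of conditional redirect from the server side is to compare how the same path was served to different visitor profiles in the web server's access log. The script below is an added example written for this post; it is not code from the article, from Fox IT, or from EC-Council. It assumes Apache "combined" log format, and the log lines, IP addresses and hostnames in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample access-log lines in Apache "combined" format.
# IPs are from documentation ranges and the site paths are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2016:10:01:02 +0000] "GET /training/ HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
198.51.100.7 - - [21/Mar/2016:10:01:05 +0000] "GET /training/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/49.0"
203.0.113.11 - - [21/Mar/2016:10:02:30 +0000] "GET /training/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
203.0.113.12 - - [21/Mar/2016:10:03:00 +0000] "GET /certification/ HTTP/1.1" 302 0 "https://www.bing.com/search?q=ceh" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.0.113.13 - - [21/Mar/2016:10:03:10 +0000] "GET /certification/ HTTP/1.1" 200 7200 "https://www.bing.com/search?q=ceh" "Mozilla/5.0 (Macintosh) Safari/601"
203.0.113.14 - - [21/Mar/2016:10:04:00 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
"""

# Apache combined log: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referrer hosts treated as "came from a search engine" (assumed list, extend as needed).
SEARCH_ENGINES = ("google.com", "bing.com", "yahoo.com")


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_ie(user_agent):
    """True if the user-agent claims to be Internet Explorer (MSIE token or Trident engine)."""
    return "MSIE" in user_agent or "Trident/" in user_agent


def from_search_engine(referer):
    """True if the Referer header points at one of the search engines above."""
    host = urlparse(referer).hostname
    if not host:
        return False  # "-" or an empty referer: direct visit
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINES)


def find_conditional_redirects(lines):
    """Flag paths that redirected an IE + search-engine visitor while serving
    a normal 200 to visitors outside that profile. A genuine redirect (a login
    page, a moved URL) redirects everyone, so it is not flagged."""
    records = [r for r in (parse_line(l) for l in lines) if r]

    # Baseline: paths that returned 200 to at least one visitor who does NOT match the profile.
    served_normally = set()
    for r in records:
        targeted = is_ie(r["ua"]) and from_search_engine(r["referer"])
        if r["status"] == 200 and not targeted:
            served_normally.add(r["path"])

    hits = []
    for r in records:
        targeted = is_ie(r["ua"]) and from_search_engine(r["referer"])
        if 300 <= r["status"] < 400 and targeted and r["path"] in served_normally:
            hits.append({"path": r["path"], "ip": r["ip"], "referer": r["referer"], "ua": r["ua"]})
    return hits


if __name__ == "__main__":
    for hit in find_conditional_redirects(SAMPLE_LOG.splitlines()):
        print(f"suspicious redirect on {hit['path']} for {hit['ip']} (from {hit['referer']})")
```

On the sample log this flags `/training/` and `/certification/`, but not `/login`, which redirected a direct visitor and so looks like ordinary site behaviour. The check only works when the redirect is issued by the server and therefore shows up as a 3xx status; if the inject is client-side script added to a page that still returns 200, the equivalent check is to fetch the page with an IE user-agent and a search-engine Referer and diff the body against a fetch made with a plain browser profile.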

As of Friday, there's no news on whether EC-Council had fixed the problem or not. In the meantime, the controversy is a worthwhile reminder that not even the cybersecurity experts are 100 percent secure against malware. Isn't it ironic. Don't you think?
