Researchers have recently discovered the plausibility of hacking a computer chip for unauthorized users to have backdoor access to a system. Microprocessors now join the list of devices that can be hacked, following printers, digital photo frames, pacemakers, and even cars.

In a report by PC World, a microprocessor was hacked by altering a number of circuits on the chip. The modification results to an injection into the microchip’s memory of a malicious firmware. This enables a hacker to log into the system as a legitimate user. This attack, when successfully done, is virtually untraceable to the affected user.

Researchers who discovered this approach described possible scenarios of attack such as the code being added into the chips during development, or the modified chips being installed during computer assembly. This is highly probable as what the trends have shown: the security of new hardware is no longer a certainty with off-the-shelf malware from newly acquired devices such as USB keys, MP3 players, and even the celebrated iPod.

With the required resources to complete such an attack, this microprocessor hacking method might not end up to be every hacker’s weapon of choice. But I reckon that given the resources and under the right circumstances, it will be someone’s choice — then it would be like a robber getting his own set of keys to a house even before the real owner moves in.

A digital certificate is an electronic “credit card” that establishes your credentials when doing business or other transactions on the Web. This certificate is being used by many banks for secure online banking.

Unfortunately, hackers and phishers have easily adapted to this security technique.

A recent phishing attack using digital certificates was seen in the Bank of America case. In order to access the Bank of America Direct login page, the client must have a valid digital certificate installed on their personal computer. The URLs, in rockphish form, lead the user to a page asking them to create a certificate or to download the digital certificate. In Internet Explorer, it asks the user to run a Microsoft ActiveX control called “Microsoft Certificate Enrollment Code.”

After running the add-on and upon filling up the required information, it asks the user to download an .EXE file, sophialite.exe.

This is quite clever. From the explicit display of login or confirmation page that is easily verified as phishing, they have turned to the creation of digital certificates, a ploy that can actually convince users to take the bait. Another thing, these URLs are in rockphish form; as of now we already have 93 different domains using this technique. All are blocked by WCS (Trend’s Web Classification System for blocking malicious domains and URLs).

In this recently reported targeted attack on CEOs of various companies (also known as “whale phishing,” due to the size and stature of the affluent targets), a bogus subpoena request attempts to trick recipients into clicking a link in the spammed email messages. The link purports to give users access to the related court documents in a bogus subpoena action.

If victims do click on the malicious link in the email, they will arrive at the Web site pretending to house the information (shown above), then prompted to download and install a browser plug-in to proceed in viewing the files.

The malicious “browser plug-in” (named Acrobat.exe in this instance) is actually TROJ_AGENT.AMAL.

The attack seems to work due to various social engineering techniques, each of which is not necessarily new.

The United States District Court has posted an advisory regarding these bogus subpoena requests, and so has the Internet Crime Complaint Center (IC3).

Anyone receiving such a request is thus advised to treat this solicitation with extreme caution. If there is reason to believe that the email is valid, consult the matter with your lawyer. Do not click on links in unsolicited email. Period.

Additional input from Paul Ferguson, Advanced Threats Research