Symantec Seeks Help Cracking Mystery of Password Used In Attacks

What Does 8861 Mean? Security Researchers Search for Significance

In an attempt to crowd-source the answer, researchers are asking for help figuring out the significance of a password frequently used in targeted attacks.

Symantec has "continuously observed" recent targeted attacks using the same four-digit password to protect malicious Excel spreadsheets, Joji Hamada, a threat analyst with Symantec Security Response, wrote on the Symantec Connect blog July 31. The password wasn't difficult for researchers to guess, as it was provided within the body of the email that came with the Excel file.

"Coincidentally, all of the samples that we have analyzed so far use the 4-digit password '8861,'" Hamada wrote.

Hamada wondered what the significance of the password was, and asked commenters to post their guesses on Twitter. The name of the file, the contents of the spreadsheet, and the actual malicious payload all varied across samples, Hamada said. The attacks themselves are also not different from typical targeted attacks, he said.

Using the same password may just be a matter of convenience for the gang (or person) behind the attacks, Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, told SecurityWeek. The attacks may be using a template, which would explain the same password being used.

"My guess is that someone found a password they liked and stuck with it," Schouwenberg said.

But inquiring minds want to know: what does 8861 mean? A quick Google Search tells us there are 8,861 miles between Denmark and Australia, and that Form 8861 from the Internal Revenue Service is the "Welfare to Work Credit" worksheet. A quick glance at the telephone keypad spells out TUM1 or TVO1. The former implies heartburn, and the latter can be a TV station in Venezuela, Chile, Japan or Germany. TVO can also be a Finnish nuclear power company, or a public educational media organization in Ontario, Canada.

According to Hamada, this certainly isn't the first time that passwords have been used for targeted attacks, but it does seem to be the first instance he has seen of the same password being used extensively. "I cannot recall any attacks that have continuously used the same password over and over to target a variety of organizations around the globe," he said.

"I wouldn't be surprised if it's the person's PIN," Schouwenberg joked.

What's your guess? Chime in below on what you think 8861 could mean.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.