Symantec Seeks Help Cracking Mystery of Password Used In Attacks

What Does 8861 Mean? Security Researchers Search for Significance

Researchers are asking for help figuring out the significance of a password frequently used in targeted attacks in an attempt at crowd-sourcing the answer.

Symantec has “continuously observed” recent targeted attacks using the same four-digit password to protect malicious Excel spreadsheets, Joji Hamada, a threat analyst with Symantec Security Response, wrote on the Symantec Connect blog July 31. The password wasn’t difficult for researchers to guess, as it was provided within the body of the email that came with the Excel file.

“Coincidentally, all of the samples that we have analyzed so far use the 4-digit password ‘8861,’” Hamada wrote.

Hamada wondered what the significance of the password was, and asked commenters to post their guesses on Twitter. The name of the file, the contents of the spreadsheet, and the actual malicious payload all varied across samples, Hamada said. The attacks themselves are also not different from typical targeted attacks, he said.

Using the same password may just be a matter of convenience for the gang (or person) behind the attacks, Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, told SecurityWeek. The attacks may be using a template, which would explain the same password being used.

“My guess is that someone found a password they liked and stuck with it,” Schouwenberg said.

But inquiring minds want to know: what does 8861 mean? A quick Google Search tells us there are 8,861 miles between Denmark and Australia, and that Form 8861 from the Internal Revenue Service is the “Welfare to Work Credit” worksheet. A quick glance at the telephone keypad spells out TUM1 or TVO1. The former implies heartburn, and the latter can be a TV station in Venezuela, Chile, Japan or Germany. TVO can also be a Finnish nuclear power company, or a public educational media organization in Ontario, Canada.

According to Hamada, this certainly isn’t the first time that passwords have been used for targeted attacks, but it does seem to be the first instance he has seen of the same password being used extensively. “I cannot recall any attacks that have continuously used the same password over and over to target a variety of organizations around the globe,” he said.

“I wouldn’t be surprised if it’s the person’s PIN,” Schouwenberg joked.

What’s your guess? Chime in below on what you think 8861 could mean.
