The weapon of choice for most cyber hackers is a malicious email disguised as a friendly email.
Known as “spear phishing” emails, these targeted emails are designed to appear as legitimate emails that persuade the recipient to divulge personal information, such as a password, or to click on a file or a website, which then uploads nefarious bits of code onto the recipient’s computer.
Phishing attacks constitute by far the largest share of attacks on federal and private sector networks, according to federal data.
The State Department alone received 27,000 malicious spear phishing emails last year, up 42 percent from the 19,000 detected in 2011. In October, the White House confirmed a spear phishing attack against one of its unclassified networks, and several federal contractors, including the security firm RSA, have fallen victim to these targeted attacks.
Experts predict these kinds of attacks will increase in frequency as employees access more agency data on smartphones and tablet computers, including their personal devices.
“This steady increase in malicious software is significant because spear phishing emails containing malware … may compromise the integrity of US government networks and possibly enable the exfiltration of sensitive data,” according to a November report by the State Department.
Attackers don’t have to search far for data on their potential victims. They’re using social media websites like Facebook and LinkedIn where people freely post personal and work-related information.
Social media users don’t consider how much data they divulge by posting photos taken with their smartphones, handheld tablets or GPS-enabled cameras, said Brian Hein with HP.
Embedded in those photos are data on where photos were taken, and attackers can easily extract that information using common photo editing programs. Attackers then can use this information in emails to gain credibility with their targeted victims because they know the events, conferences and locations those people have visited.
Attackers aren’t just using social media, says Cameron Matthews, chief technology officer at the cybersecurity firm Sentek Global. They’re relying on search engines like Google and Bing to collect data about potential targets.
Attackers go beyond the basic searches and are adept at data mining and correlating data that search engines don’t provide. Defending against these types of attacks becomes more challenging as the size of an organization increases.
Matthews said some of the spear phishing emails he sees are well-written and relevant. Even as a seasoned professional, it can be difficult to know whether an email is real or not, he said. That’s why people have to verify things first, such as the legitimacy of a company or the request before opening a link or responding to an email.
Eric Basu, president and CEO of Sentek Global, said he receives spear phishing emails about once a month, in addition to suspicious emails detected and quarantined by the company’s security tools. In one case, Basu received an email that appeared to be from a government employee sending contract documents.
“It just didn’t feel right,” said Basu, who decided not to open the email. If it was a legitimate email, the person would reach out again, he said.
Sentek Global, whose clients include the Navy, deactivates links and malicious code in spear phishing emails and shares the emails with employees to increase awareness. It also categorizes attacks to develop profiles on attackers and provides quarterly information security training. Employees also receive security briefings before they go overseas.
“It’s not easy because you’re changing a mindset,” said Rohyt Belani, CEO and co-founder of PhishMe, which provides spear phishing awareness training for companies and agencies such as the Energy Department.
“There are definitely ways to spot these attacks, it’s just a matter of having a trained eye,” Belani said. “Employees and human beings are not stupid. If we can fly planes, we can learn not to click on links and emails.”
Early on, the PhishMe program focuses on email as an attack vector and the reality that senior employees aren’t the only targets. The program teaches employees how to analyze the authenticity of hyperlinks in emails by hovering over the link with the cursor to see the actual website address. Whatever domain name is directly before the dot-gov or dot-com portion of a URL is where people will be directed, Belani said. Ideally employees shouldn’t click on emailed links at all. Instead, they can type the website address in their Internet browser to ensure they are using a trusted site. Employees are also taught that email addresses can be easily faked or spoofed, meaning an attacker can use an email address that appears to be from someone else.
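The hover check described above can be automated for an inbox filter: read the real destination of each link, work out the domain directly before the TLD, and compare it with what the link text claims. This is an added example, not PhishMe's or any vendor's tool; the anchors, the trusted-domain list and the suffix list are constructed for illustration.

```python
"""Classify emailed hyperlinks the way the hover check does: compare the
destination a link really resolves to with the domain its visible text claims.
Added example, not PhishMe's or any vendor's tool; sample anchors are constructed."""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample anchors, shaped like links in an HTML email body.
SAMPLE_ANCHORS = [
    '<a href="https://www.treasury.gov/services/debt">https://www.treasury.gov/services/debt</a>',
    '<a href="http://treasury.gov.account-review.example/login">www.treasury.gov</a>',
    '<a href="https://secure-login.example/treasury.gov/">Review your account</a>',
    '<a href="https://example.com/docs">Contract documents</a>',
]
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Two labels normally identify the owner; a real tool would consult the public
# suffix list, this short hand-list is illustrative only.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.au"}
# Names the recipient trusts; any of them appearing in a URL without being the
# actual destination domain is a lure.
TRUSTED_DOMAINS = {"treasury.gov"}


def registrable_domain(host: str) -> str:
    """Return the domain directly before the TLD, the part that decides where the
    browser goes: 'treasury.gov.account-review.example' -> 'account-review.example'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def domain_in_text(text: str) -> Optional[str]:
    """Pull a host-like token out of the visible link text, if it shows one."""
    m = re.search(r"((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return registrable_domain(m.group(1)) if m else None


def classify_anchor(anchor: str) -> dict:
    href, text = ANCHOR_RE.search(anchor).groups()
    actual = registrable_domain(urlparse(href).hostname or "")
    claimed = domain_in_text(text)
    if claimed and claimed != actual:
        verdict = "mismatch"      # text names one domain, href lands on another
    elif any(t in href.lower() and t != actual for t in TRUSTED_DOMAINS):
        verdict = "lookalike"     # trusted name only as subdomain or path
    else:
        verdict = "consistent"
    return {"href": href, "text": text, "destination": actual, "verdict": verdict}
```

Running `classify_anchor` over `SAMPLE_ANCHORS` flags the second link as a mismatch and the third as a lookalike; the other two are consistent with what they display.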
Gary Winkler, president and founder of Cyber Solutions and Services Inc., said he received a spear phishing email this month that appeared to be from the Treasury Department concerning outstanding debts that could affect the company’s future contract or grant activity. It directed Winkler to review an attached document and even included the correct number for the Treasury Department if he had any questions.
Winkler said his company isn’t currently doing business with Treasury and has no outstanding debts, which were both red flags that the email was a fake.
Belani said employees are also told to consider — before posting information on social media sites — that their data can be viewed and misused by others.
To teach employees about spear phishing attacks, companies and agencies use phony spear phishing emails and short training videos and games. Such techniques are often more effective than an hour of security training, Belani said.
In fiscal 2011, 60 percent of agencies reinforced security awareness training with agency-sponsored spear phishing attack exercises, according to data released by the Office of Management and Budget.
Employees can learn to catch malicious emails that slip past an agency’s cyber defenses, Belani said. Agencies should assume that malware will circumvent traditional antivirus software and consider how they would mitigate a successful attack.
Belani said a common issue is that security awareness training includes an overwhelming list of things for employees to consider, such as having a complex password, securing their mobile devices, and not falling for phishing scams. The challenge of relying on employees to take security steps can be mitigated by using technology that, for example, forces employees to create complex passwords with symbols and numbers, he said. The challenge for federal security managers is enforcing standards that enhance cybersecurity but don’t hinder the agency’s mission, Winkler said.