Spear phishing attacks target special interests
By Staff Sgt. Vincent Mabary, 36th Communications Squadron
/ Published March 30, 2010
ANDERSEN AIR FORCE BASE, Guam -- Imagine receiving this e-mail:
"Pre-order tickets for Breaking Benjamin & Metallica USO show!" The message goes on to say: "The USO in company with Breaking Benjamin and Metallica will put on a private concert at the Top of the Rock for military members. Space will be limited, so sign up for your tickets now! Limit one per military member for $5. www.USO.org/BrBenj_Metallica_TotR.html. Tickets will be emailed out to the first 100 individuals who sign up."
Who wouldn't want to see a private concert with Breaking Benjamin and Metallica? There aren't many people who would say no. So you go to the webpage, and it asks you to fill out a form for your ticket. You provide your name, rank, unit, office symbol, phone number, email address, and credit card information to buy the ticket. When you hit the confirm button nothing happens, and so you start trying to find out who to call since the webpage must be broken. You find out that there is no such concert scheduled, and when you check your bank account that evening it is empty. Your office and unit also start receiving unsolicited phone calls from unknown persons asking for confidential data using your name and information as credentials. Congratulations! You are now a victim of a spear phishing attack.
What is a spear phishing attack?
"Spear phishing" is a type of social engineering attack that is targeted at a specific group of individuals or organizations. A common spear phishing attack would be a mass email to the base requesting confirmation of user names and passwords. The email would normally include a hyperlink to a website where you will be asked for personal information: unit/office symbol, phone number, full name and rank, username, email address, password, and the name of your supervisor or commander.
A current spear phishing attack facing military members targets USAA members (https://www.usaa.com/inet/ent_utils/McStaticPages?key=2009_03_phishing_scam). The perpetrators of these attacks may be hacker groups, like Ghostnet, terrorist and criminal organizations, or in some cases even state sponsored groups seeking sensitive information.
The purpose of these attacks is to gather information which can be used to access our networks and sensitive information. Rarely do these attacks end in destruction to the network itself as that would deprive the attacker of further information. The information garnered may be used for counter-intelligence, to build counterfeit credentials which will be more accurate and less likely to be caught, or to sell on the black market to hostile organizations.
Alternatively, the attacker may not request any information from you, but may instead include a file or hyperlink. The attachment will contain software which, once installed on your system, monitors all activity on the system and reports it back to the attacker. The lure may be built around a specific program or piece of software used by the targeted group, such as an update for IMDS, or around new benefits for members who have deployed or are married.
Not all spear phishing is done via email. It may come in the form of a flyer that you see either on base or in the general vicinity that offers special rewards or benefits to military members. The lure works when you seek out the source of the flyer, either by calling a phone number listed on it or by visiting a website listed on it. Other methods include calling an office using details overheard in a conversation or stolen via a previous attack. The caller will claim to need information that is FOUO, Privacy Act, or even classified. The tactic involves the caller claiming to be someone whose credentials will pressure you to provide the information, by gaining sympathy, by appealing to your desire for camaraderie, or by fear of reprisal.
A newer threat that has emerged recently is a spear phishing attack referred to as "whaling." Whaling is a spear phishing attack which targets the top layer of management and command in an organization. The purpose of the attack is to gain access to high level information and resources. An example of this was the attack on SAIC (a government contractor) in 2007, where 580,000 military members' private and financial information was stolen.
All of these methods of attack are preventable, and though often difficult to distinguish from a legitimate communication, there are ways to avoid falling prey.
1. Always digitally sign emails
2. Never follow a hyperlink in an email which is not digitally signed
3. When a caller requests information that is Privacy Act protected...DON'T GIVE IT!
4. Never divulge FOUO, Privacy Act, or classified information over the phone
5. Confirm credentials: If they are who they say they are, then you should be able to confirm it through their unit
6. When confirming an identity or authorization, do not utilize information provided by them as it may be false as well
7. No network technician or unit will ever ask for your username and password via email or over the phone, nor will they provide them to you via email or over the phone. If you get an email that looks legitimate but asks for that information, report it immediately to the COMM Focal Point and your unit IAO or CSA
8. Facebook, MySpace, YouTube, and Twitter are not the places for storing or discussing operation information
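Rules 1 and 2 of this checklist, together with the credential-harvesting and "act now" lures described above, can be partly automated as a first-pass triage before anyone clicks. The Python script below is an added example, not code from the original article or from the 36th Communications Squadron. It parses an e-mail, checks whether it is wrapped as a digitally signed message, compares the domain of every hyperlink against the sender's domain, and looks for requests for usernames, passwords or card details and for pressure phrases. The two sample messages, their addresses, host names and the "signature" bytes are all constructed placeholders modelled on the concert lure in the article.

```python
"""Heuristic triage for a suspected spear phishing e-mail (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the concert lure in the article. The
# addresses and host names are placeholders, not real domains.
SAMPLE_LURE = """\
From: USO Events <tickets@uso-events-promo.example>
To: airman@base.example
Subject: Pre-order tickets for Breaking Benjamin & Metallica USO show!
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

The USO in company with Breaking Benjamin and Metallica will put on a private
concert at the Top of the Rock for military members. Space will be limited, so
sign up for your tickets now! Limit one per military member for $5.
http://www.uso.org.ticket-signup.example/BrBenj_Metallica_TotR.html
Tickets will be emailed out to the first 100 individuals who sign up.
Please confirm your username and password to reserve your seat.
"""

# Constructed sample of a signed, benign notice. The base64 blob is a
# placeholder, not a real PKCS#7 signature.
SAMPLE_SIGNED = """\
From: Comm Focal Point <cfp@base.example>
To: airman@base.example
Subject: Quarterly training reminder
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Reminder: the quarterly training is Thursday. No action required.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

TUlJQi4uLnBsYWNlaG9sZGVyLCBub3QgYSByZWFsIHNpZ25hdHVyZQ==
--sig-boundary--
"""

# Phrases that match the information-harvesting and pressure tactics the
# article describes. Extend these lists from real reports as they come in.
CREDENTIAL_PHRASES = ("username", "user name", "password", "verify your account", "credit card")
URGENCY_PHRASES = ("limited", "first 100", "immediately", "act now", "within 24 hours")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Enough to see that www.uso.org.<something>.example is not uso.org;
    a production check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_signed(msg):
    """True when the message is wrapped as multipart/signed (S/MIME or PGP/MIME).
    This only detects the wrapper: validating the signature and the signer's
    certificate chain is the mail client's job. An unsigned message already
    fails rule 2 of the checklist, so its links should not be followed."""
    return msg.get_content_type() == "multipart/signed"


def message_text(msg):
    """Subject plus the preferred text body, so both are scanned."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return str(msg["Subject"] or "") + "\n" + text


def assess_message(raw):
    """Return the sender domain, link hosts, triggered indicators and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    sender_host = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2]
    text = message_text(msg)
    lowered = text.lower()
    links = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]

    indicators = []
    if not is_signed(msg):
        indicators.append("unsigned")
    if any(registrable_domain(h) != registrable_domain(sender_host) for h in links):
        indicators.append("link_domain_mismatch")
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        indicators.append("credential_request")
    if any(p in lowered for p in URGENCY_PHRASES):
        indicators.append("urgency")

    # Any request for credentials is enough on its own (rule 7); otherwise
    # two independent indicators are needed before escalating to the IAO/CSA.
    suspect = "credential_request" in indicators or len(indicators) >= 2
    return {"sender_domain": sender_host, "links": links,
            "indicators": indicators, "verdict": "suspect" if suspect else "low"}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("signed notice", SAMPLE_SIGNED)):
        print(name, assess_message(raw))
```

Run as a script it prints the verdict for both samples; the lure trips all four indicators, while the signed notice trips none. The signature check deliberately stops at "is the message wrapped as signed", because a forged or expired signature looks identical at this layer; the mail client, with the base PKI trust store, must do the actual verification before rule 2 is satisfied.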
For more information contact your Information Assurance Officer/Manager, Client Support Administrator, Comm Focal Point (366-COMM/2666) or Wing Information Assurance Office (366-1077)