It’s Back — Internet At Oak Ridge National Laboratory

April 29, 2011

A few minutes ago Barbara Penland, Oak Ridge National Laboratory spokeswoman, issued an email saying, “We are delighted to announce that Internet connectivity has been restored at ORNL.”

Why is this news?  Because on April 15, 2011, ORNL was taken off-line in response to a spear-phishing attack that compromised its systems.

As ORNL has learned, traditional security methods can’t detect and stop low volume, highly targeted spear-phishing email and training isn’t effective. What can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.


Phishing emerges as major corporate security threat

April 22, 2011

On April 20, 2011, Computer World’s Jaikumar Vijayan reported on the increasing threat of spear-phishing to the enterprise.  

The report relates the compromise of Oak Ridge National Laboratory.  Oak Ridge National Laboratory was forced to shut down its email systems and all Internet access for employees on April 15, 2011, following a sophisticated spear-phishing cyberattack. 

The Oak Ridge National Laboratory is just one of a series of recent compromises that started with spear-phishing email.  Vijayan reports that the spear-phishing attacks are becoming more sophisticated.  For example, the bad guys are using social networking sites to collect personal information to customize the emails for the intended victim.  

Increasingly, organized cybergroups have started using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source. 

Vijayan cites Anup Ghosh, founder of security firm Invincea. Ghosh observed that almost all of the recently publicized cyber-attacks have been perpetrated using phishing emails.  Ghosh said, “All you need to do is to get an email to a target. You only need a very low click through rate to establish several points of presence inside an organization. If you have 1,000 employees in your organization and you train them all on not opening untrusted attachments, you’ll still have someone doing it. This is not a problem you can train yourself out of.”

If traditional security methods can’t detect and stop low volume, highly targeted spear-phishing email and training isn’t effective, what can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP-Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP-Guard is available now from Iconix. For further information, contact our sales team at 408-727-6342, ext. 3, or use our online form.


Epsilon Data Loss — Update

April 19, 2011

threatpost, the Kaspersky Lab Security News Service, has provided an updated list of the companies that have been affected by the Epsilon data breach:

1-800-FLOWERS
AbeBooks
Air Miles (Canada)
Ameriprise Financial
Ann Taylor credit card (provided by WFNNB)
Barclay’s Bank of Delaware (this breach affects customers of several private-label Visa credit cards, including BJ’s and L.L. Bean)
Beachbody
Bebe Stores
Best Buy
Benefit Cosmetics
Brookstone
Capital One
Chase
Citigroup
City Market
College Board
Crucial
Dell
Dillons
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Eurosport (Soccer.com)
Food 4 Less
Fred Meyer
Fry’s Electronics
Hilton Honors program
Home Depot Credit Card (issued by Citibank)
Home Shopping Network
J. Crew credit card (provided by WFNNB)
JPMorgan Chase
Kroger
Marks and Spencer
Marriott
McKinsey Quarterly
MoneyGram
New York & Co.
QFC
Ralph’s
Red Roof Inns
Ritz-Carlton
Robert Half International
Scottrade
Smith Brands
Target
Tastefully Simple
TD Ameritrade
The Limited credit card (provided by WFNNB)
TIAA-CREF
TiVo
US Bank
Verizon
Walgreen’s

In an ABC News interview, Marcus Carey, community manager at penetration-testing firm Rapid7, said, “The next time you get an e-mail from your favorite store with an amazing offer, you may want to think twice.”

This is exactly the opposite of what should happen.  eMail ID for consumers and SP Guard for enterprises help recipients identify real emails, so that when they get that enticing email, they welcome it rather than fear it.


Spear-Phishing. Coming Now To Consumers!

April 8, 2011

Epsilon’s recent loss of email data to hackers has brought new attention to the problem of spear-phishing.  

What is spear-phishing?  In order to answer that question, you need to know what phishing is.  Phishing is email that is designed to appeal to the recipients’ desires, fears and curiosity in order to get the recipients to act to their own detriment.  Typically, that action is to click a link that goes to a fake website that asks for information in order to commit identity theft.  Sometimes these emails are so ineffective as to be funny.  We are all familiar with the Nigerian millionaire emails that are randomly sent to millions of people in the hope that a few will act.  More effective are phishing schemes that are sent to millions of people but have a real resonance with a few recipients.  Few people have a dead uncle in Nigeria – lots of people have Coke Rewards memberships.  That is why bad guys sent out fake Coke Rewards emails that linked to a fake website designed for identity theft.  The subset of recipients who had Coke Rewards memberships might be enticed by the email.  The standard phishing scam has three characteristics: 

  1. The email is sent randomly to a lot of people.
  2. Personalization is a matter of chance.  If a large number of people get the same email pretending to be from a popular sender, some of the recipients will have a relevant relationship.  Think of the Coke Rewards program. In a large group of people, some will be Coke Rewards members.
  3. The purpose is to get the recipient to go to a fake website and provide data that can be used for identity theft.  Recently, criminals have resorted to using crimeware that takes remote control of the victim’s computer, thereby facilitating identity theft.

So, what is spear-phishing?  Spear-phishing is an enhanced phishing attack that uses personalized information about the recipient to heighten the perceived value of the call to action.  In the classic spear-phishing experiment, conducted at the U.S. Military Academy in 2004, the experimenters sent cadets an email from a fictitious military officer raising questions about a recent grade report.  This email elicited responses from over 90% of the freshman class.  The email was effective because it was so well-crafted to the interests of the recipient.  The recipient was a cadet.  The email was from a military officer.  The email was about an important recent event in the cadet’s life.  This level of customization usually requires a lot of work to assemble the personalizing facts.  Because it is hard to personalize on a large scale, spear-phishing is usually directed at a small number of people.  Examples include the attack on the French Finance Ministry, the government of Canada and the government of the United States.  In these government attacks, the purpose was espionage, not identity theft.  Epsilon’s data breach changed that – now criminals have personal information about millions of people.  SecurityWeek reports,

 . . . having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.

A Marriott Rewards & Ritz Carlton Rewards spokesperson told SecurityWeek that their customer names, email addresses, and member point balances were exposed.

Think about the Marriott Rewards and Ritz Carlton Rewards data.  The bad guy knows your email, your name, that you are a member of the rewards program and your point balance.  If you receive an email that uses all of this information, that email contains a lot of data indicating that it is real.  Would you click a link and log-on to complete a form that offered you 10,000 bonus points or a free night coupon to complete a survey?  Would criminals be this clever?  Yes.  This is the Coke Rewards scam, enhanced with your name and your points balance.

What can consumers do?  You should be alert to potential scams.  And of course you should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard, unless you have the right tool.  Can you find the real email from Best Buy?

Know Who.  No Doubt.  Use eMail ID.  It’s available from PayPal and Trend Micro.  It’s free! 

What can businesses and government do?  The requirements for businesses and government are different from the needs of consumers.  Businesses and government agencies customize their email systems to meet their particular needs.  Moreover, the consumer brands that are marked for free by eMail ID are irrelevant to businesses and government agencies.  Businesses and government agencies want employees opening emails from HR, not Home Depot.  To address the special needs of business and government, Iconix has developed a for-fee solution called SP Guard™.  SP Guard is available now from Iconix.


Iconix Announces SP Guard, Spear-Phishing Defense for the Enterprise

April 6, 2011

ICONIX, Inc., the industry leader in visual email solutions, announced today that it has released the initial version of a product that defends against spear-phishing. The product, called SP Guard, allows email recipients to differentiate real email from spear-phishing emails through the display of an authenticity indicator in the inbox and in the open message.

Spear-phishing is a highly targeted email scam in which the email is carefully crafted to entice the specific recipient. This differs from typical spam-like phishing scams, which rely on fooling a small percentage of a large number of recipients. There are many examples of recent spear-phishing incidents:

In each case, the data compromise occurred because the recipient of the spear-phishing message could not distinguish real from fake, which is especially difficult if the message looks like it’s from a trusted entity and contains content that is specific to the recipient. Telling users to be alert and careful is good general advice, but how can they really know what’s real and what’s not?

Iconix SP-Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of an email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP-Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

You protect your systems from technical exploits using a variety of tools. Now you can protect your systems from the exploits that prey on the users themselves. It only takes one user fooled by a spear-phishing attack to cause a major compromise of data. French investigators of the Ministry of Finance data breach observed: “Staff exchange many messages. It’s like metastases, the risk of spread is important.”

SP-Guard is available now from Iconix. For further information, contact our sales team at 408-727-6342, ext. 3, or use our online form.


Epsilon Compromised by Spear-Phishing. Bad Guys Get Email Addresses.

April 5, 2011

On April Fools’ Day, early reports circulated that Epsilon, the large email service company, had lost email addresses of many of its prominent customers.  This turns out NOT to be an April Fools’ joke – the names and email addresses used by Epsilon’s customers had, in fact, been compromised.  Reuters reports that email lists used by CitiBank, Walgreens and Best Buy had all been compromised.  In fact, as reported by SecurityWeek, dozens of brands were impacted, including JPMorgan Chase, US Bank, Target, Home Shopping Network, The College Board, and Marriott Rewards.

How could this happen?  Epsilon was the victim of a spear-phishing attack.  A spear-phishing attack occurs when bad guys send a carefully crafted email to a small number of people in order to entice the recipient to take a desired action.  In this case, the bad guys sent emails to a small number of Epsilon employees over the course of two days.  The subject of the emails was “2011 Recruitment Plan.”  When the employee opened the attached spreadsheet, malware in the attachment gave access to the employees’ PCs.  As a result of this breach, the email lists were stolen. 

What’s the likely impact of this breach?  Most of the impacted companies have sent notices to their customers explaining the issue and warning them to be extra vigilant regarding email messages.  The crooks can use the email addresses and associated company relationship to specifically target these customers with strongly crafted calls to action.  Learn more by listening to this American Public Media story:


So what can you as a consumer do?  Yes, you should be alert to potential scams.  And of course you should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard, unless you have the right tool.  Can you find the real email from Best Buy?

Know Who.  No Doubt.  Use eMail ID.