NSA Used In Spearphishing Scam

July 27, 2011

Cyveillance reports on a new spearphishing scam that masquerades as the National Security Agency.   The malicious email claims to be from the NSA and exploits the recent compromise of the RSA two factor authentication token to deceive the recipient.   This is an image of the scam email:

SNA Scam Email

Cyveillance elaborates on the power of this scam:

The sender name is spoofed to appear to come from “protection@nsa.security.gov” and the links go to national-security-agency.com, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users.  It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack.  This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.

Cyveillance provides this advice to users:

Here are some of the tips that can help you spot scams like this one:

  1. Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.
  2. Treat ANY email that tells you to download something as malicious until proven otherwise.  Again, contact your IT team before installing anything on your system.
  3. Hover (but do NOT click)  your mouse over all links in the email.  The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious.  Is the pop up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.
  4. Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.

This advice does not address scams that use malicious attachments, a common spearphishing scam.  A malicious attachment was the method used to compromise RSA.

Traditional security methods can’t detect and stop low volume, highly targeted spear-phishing email.  Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP-Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP-Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Iconix Goes Dutch

July 21, 2011

Maarten Oelering, an IT Consultant and Email Delivery Expert in Holland, noted in a tweet today that Marktplaats (NL) is now sending with DKIM and supporting the Iconix trust icon.  Marktplaats is a Dutch affiliate of eBay.

You can check out our Marktplaats experience at http://www.iconix.com/locale/nl/marktplaats/


How 24,000 Pentagon Files Were Stolen

July 21, 2011

On July 14,  2011, during a speech introducing the Pentagon’s new cybersecurity strategy, Deputy Defense Secretary William J. Lynn, III disclosed that 24,000 files had been lost to “foreign intruders.”  Lynn said the files contained some of the U.S.’s “most sensitive systems, including aircraft avionics, surveillance technologies.”

How could this happen?  FastCompany reports that this was accomplished using a spear-phishing email to deliver an email payload with a zero day exploit.  The malicious email was sent to a defense contractor, rather than the Department of Defense.  The key to a successful spear-phishing attack is creating a highly personalized email that will deceive the recipient into taking the call to action.   Employees of defense contractors were targeted because it is easier to mine the internet for useful personal data (needed to craft a highly targeted spear phishing email) about contractor employees than government employees. 

The spear-phishing email delivered a zero day exploit.  A zero day exploit is a new loophole in the security system that is unknown, and therefore available to compromise systems.  For example, an email purporting to be from HR or a colleague contains an attachment that appears highly relevant.  When the attachment is opened, malware is installed on the recipient’s computer by using the zero day exploit. 

Traditional security methods can’t detect and stop low volume, highly targeted spear-phishing email and training isn’t effective  – so what can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP-Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP-Guard is available now from Iconix. For further information, contact our sales team. At 408-727-6342, ext 3 or use our online form.


U.S. Dept. of Defense Cybersecurity Strategy

July 15, 2011

Yesterday the U.S. Department of Defense released its cybersecurity strategy.  The DoD summarized the importance of cybersecurity:

Along with the rest of the U.S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations.

The report stresses the role of people as the first line of defense. 

People are the Department’s first line of defense in sustaining good cyber hygiene and reducing insider threats. To mitigate the insider threat and prevent dangerous disclosures of sensitive and classified information from occurring, DoD will strengthen and go beyond the current information assurance paradigm, including the exploration of new operating concepts to reduce vulnerabilities. DoD’s efforts will focus on communication, personnel training, and new technologies and processes.

Iconix recently released a whitepaper on the effectiveness of training against spear phishing attacks.  In that paper, we questioned the effectiveness of training to fight this problem.  Our concerns were confirmed by research from the Department of Homeland Security.  The Department of Homeland Security found that before training, spear phishing was effective 22% of the time.  After training, people were fooled 21% of the time.  Training resulted in a one percentage point change.  Training people to avoid suspicious emails is essentially impossible because, as Lt. Col.  Gregory Conti,  IT professor at West Point observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm.  Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.

 


Are Spear Phishing Victims Idiots?

July 13, 2011

In  a June 27, 2011 article entitled, “Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy“, Bloomberg reports that people whose systems are compromised in spear phishing scams are idiots. Spear phishing is a scam in which the miscreant sends personalized emails to deceive the recipient into comprising data.

The article cites the alarming statistic that in Department of Homeland Security experiments, 60% of people who found USB drives in the parking lot plugged the devices into their computers.  The article continues that human errors negate all the time and investment in firewalls and other technical defenses.  The article cites the advice of Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp and former head of the Justice Department computer crime unit:

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

When the criminals use suspicious emails with suspicious links, for example webpages that request credentials, human stupidity is the cause and suspicion is a good response.

But times are changing.  Criminals are getting smarter.   The recent study, “Email Attacks: This Time It’s Personal”  released by Cisco reports suspicious emails with suspicious links are being replaced by highly targeted emails that do not rely on obvious ploys to steal credentials.  Criminals are moving from high volumes of ineffective emails to small numbers of well-crafted highly personalized messages that are indistinguishable from legitimate email.  The problem is no longer stupidity, but the inability to tell good emails from bad emails.

Traditional security methods can’t detect and stop low volume, highly targeted spear-phishing email and training isn’t effective  – so what can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP-Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP-Guard is available now from Iconix. For further information, contact our sales team. At 408-727-6342, ext 3 or use our online form.


10 Biggest Data Breaches Of 2011 (So Far)

July 8, 2011

Yesterday, CRN published its list of the 10 Biggest Data Breaches of 2011

This is the summary:

To 10 Security Breaches

In the battle against spear phishing, one solution stands out — SP Guard from Iconix.


Jefferson Lab Identified as Cyber-victim

July 8, 2011

Yesterday, we wrote about the compromise of three U.S. National Laboratories

Venture Beat has now identified the third facility.  That facility is Jefferson Lab in Newport News, Virginia.

On July 6, 2011, General Michael Hayden, USAF Ret., spoke before The Potomac Institute for Policy Studies on cybersecurity.  General Hayden is a former director of the CIA and the NSA.  Discussing the cyber-attacks such as these, General Hayden said, “If we don’t act boldly, something really bad is going to happen.”  Michael Tiffany, Chief Architect at Recursion Ventures, also spoke. He observed, “Today the people who are succeeding at these types of attacks are the ones who are try the hardest. It’s actually not very difficult.”  

We see how easy it is to launch a spear-phishing attack.  Data to customize the email content is readily available on the internet.  Social networking sites make personal information very accessible.  Differentiating real email from fake email is almost impossible.  Lt. Col. Gregory Conti, a computer security expert at West Point observed:   

What’s ‘wrong‘ with these e-mails is very, very subtle. They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm.  Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.