December 28, 2012
On July 20, 2012, President Obama wrote in the Wall Street Journal:
Nuclear power plants must have fences and defenses to thwart a terrorist attack. Water treatment plants must test their water regularly for contaminants. Airplanes must have secure cockpit doors. We all understand the need for these kinds of physical security measures. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries.
The most widely used backdoor into data systems is the Advanced Persistent Threat (APT). The most commonly used attack vector in an APT is spearphishing – a deceptive email created by a thinking adversary with the intent of inducing the recipient to take an action that compromises systems. The actions the adversary most commonly wants are for the recipient to open the targeted email and then open a malicious attachment, which installs malware that compromises the data processing system.
What we observe in this cyber-attack is people attacking people. The attackers are using the tools of cyberspace, in this case email, to deceive people into compromising data processing systems. Dr. Frederick Chang, former NSA Director of Research, warns that:
… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.
In Email – Deceptive By Design, Iconix explains how email favors the attacker in the adversarial engagement because email is a deceptive interface which is easily manipulated by the attacker.
December 12, 2012
The most widely used and effective means to infiltrate a data processing system is spearphishing. Trend Micro recently reported that over 90% of targeted attacks use spearphishing to infiltrate systems. The core of spearphishing is social engineering – the attacker using his own human experiences and dishonesty to trick other people. In spearphishing, the victim is tricked using email. In a non-cyber example of how easy it is to fool people, Frank Abagnale, Jr., the conman portrayed in “Catch Me If You Can”, related this story in a recent interview with the Minneapolis/St. Paul Business Journal:
I was sitting at the airport and saw all these people putting money in a bank night box. … The next night I rented this bank guard’s uniform from a costume store, stood in front of the box and put a sign on it: ‘Out of Order.’ Everybody handed me the money! Not one person said, ‘Now how can this be out of order? It’s just a box.’
This is a startling example of how little attention people pay to the routine activities of their daily lives. That inattention is the vulnerability exploited by spearphishers. You can learn more about how easily the human mind is fooled in email by reading “Why Do People Get Phished?” by Dr. Arun Vishwanath of the State University of New York, Buffalo.
December 7, 2012
Search Security reports that the South Carolina Department of Revenue’s systems were compromised by a spearphishing attack which exposed millions of Social Security numbers, bank account information and thousands of credit and debit card numbers.
The attack is spelled out in a detailed incident report posted on the State of South Carolina’s website. The attacker used a spearphishing email with a malicious link. When the employee clicked on the link, a series of unfortunate events unfolded. First, the employee’s log-in credentials were stolen. From there, the attacker leveraged the stolen credentials in a series of clever moves that ultimately compromised a large number of servers over the course of two months.
South Carolina Governor Nikki Haley blamed the IRS for the compromise of 74.7 GB of data regarding over 3.8 million people, citing IRS policies that do not require the encryption of Social Security numbers.
We cannot comment on IRS policies. We do think it is important to acknowledge that this attack was successful because a clever person used email to deceive another person. This deception worked because it is easy to create compelling deceptive emails. You can see how this is done in our posting Spearphishing – The Movie. Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext 3 or use our online form.