Monthly Archives: July 2015

Spearphishing? Deciding Isn’t Easy

Part of the fallout from the Office of Personnel Management (OPM) data breach is the need to provide identity protection services to the millions of compromised government employees. In its efforts to provide these services to compromised federal workers, the OPM contracted with a private company. That contractor, CSID, sent an email with a link to enroll in identity protection services.

ArmyTimes reports that acting upon warnings from the Army Threat Integration Center, Fort Meade’s Cyber Security Network Defense Team identified a message from CSID as a spearphishing attempt. The Fort Meade Cyber Security Network Defense Team warned Army personnel to “close the message immediately and report it as spam to the Cyber Security Network Defense Team,” according to a warning posted on the Fort Meade Facebook page.

The message has plenty of spearphishing red flags that would trigger a warning. For example:

  1. The From address looks like a spoof: it claims to be from the OPM CIO, yet the email domain is “csid.com”, not “opm.gov”.
  2. The salutation is poorly personalized, “Dear Recipient”.
  3. This is a well-crafted message with a strong call to action designed for the recipient.
  4. There is a deadline that warns of undesired consequences.
  5. There are questionable links to csid.com, not opm.gov.
  6. Active links contravene OPM’s cybersecurity webpage that warns against clicking links.
  7. The email has an “enroll now” button which is a phishing red flag.

Despite these red flags, this is a real email that is the gateway to cyber protection!
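A heuristic checker for the red flags in that list, added here as an example for this post (it is not Iconix or CSID code). The sample message is constructed to resemble the flags described, and CLAIMED_DOMAIN is an assumed parameter; note that a message that really comes from the claimed domain still trips the salutation, deadline and call-to-action flags, which is exactly the problem the post describes.

```python
import email
import re
from email import policy

# Constructed sample modelled on the red flags listed above (display name claims
# OPM, address and links are csid.com, generic salutation, deadline, "Enroll Now").
# This is NOT the actual CSID email.
SAMPLE = """\
From: "OPM Chief Information Officer" <notifications@csid.com>
To: recipient@example.mil
Subject: Action required: enroll in identity protection
Content-Type: text/html

<html><body>
<p>Dear Recipient,</p>
<p>You must enroll before the deadline or lose coverage.</p>
<a href="https://opm.csid.com/enroll">Enroll Now</a>
</body></html>
"""

CLAIMED_DOMAIN = "opm.gov"  # assumed: the organisation the message claims to speak for

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def link_domains(html):
    # Host part of every href in the HTML body
    return {re.sub(r"^https?://([^/]+).*$", r"\1", u).lower()
            for u in re.findall(r'href="([^"]+)"', html)}

def in_domain(host, claimed):
    return host == claimed or host.endswith("." + claimed)

def red_flags(raw, claimed=CLAIMED_DOMAIN):
    """Return the list of red-flag labels found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag stripping for phrase checks
    flags = []
    sender = domain_of(msg["From"].addresses[0].addr_spec)
    if not in_domain(sender, claimed):
        flags.append(f"sender domain {sender} is not {claimed}")
    if re.search(r"dear (recipient|customer|user)", text, re.I):
        flags.append("generic salutation")
    if re.search(r"deadline|or lose|immediately", text, re.I):
        flags.append("deadline / consequence language")
    for host in sorted(link_domains(body)):
        if not in_domain(host, claimed):
            flags.append(f"link to {host}, not {claimed}")
    if re.search(r"enroll now|click here", text, re.I):
        flags.append("call-to-action button/link")
    return flags
```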

There must be a better way! There is: SP Guard from Iconix.

Fake State Department Email Attacks Reporter

Yesterday, Aaron Boyd, a reporter at the Federal Times, wrote that someone tried to plant malware on his system through the use of a fake State Department email. Mr. Boyd reports:

Among the many emails waiting in my inbox this morning was one that seemed to come through a State Department .gov domain address. It purported to be a fax from a State Department machine, containing a PDF file…Getting an unsolicited email or document isn’t that unusual in the day-to-day of a reporter. However, the link to download the document went to a .org site (not the actual State Department site) and the file itself was a ZIP, not PDF. Seeing the red flags of a potential spear-phishing attempt, I contacted our IT department and we opened the file in the safety of a sandboxed environment.

Fake Email Fax

What was unusual about this incident wasn’t the attack — it was the response of the intended victim. Mr. Boyd’s very careful approach to email is laudable — but it is also unusual. Also yesterday, Ilia Kolochenko, writing in CSO, wrote about email attacks:

Unfortunately, human psychology cannot be altered by security training and awareness alone, so people will always have their basic instincts dominating over acquired skills. We were recently assisting a medium-size insurance company that decided to outsource cybersecurity management to a third-party provider, cutting the majority of internal security jobs. Security people received a very well-prepared [fake] email from the management about their future placement and dismissal compensations. Everyone, including senior security experts who have been in the industry for dozens of years, clicked on the included link.

How can more people overcome their basic instincts and be like Mr. Boyd? IT could help them by highlighting trusted email using SP Guard. Users will decide which emails to trust. That decision can be guesswork, or it can be guided by IT.