Cyveillance reports on a new spearphishing scam that masquerades as the National Security Agency. The malicious email claims to be from the NSA and exploits the recent compromise of the RSA two-factor authentication token to deceive the recipient. This is an image of the scam email:

[Image: NSA scam email]

Cyveillance elaborates on the power of this scam:

The sender name is spoofed to appear to come from “protection@nsa.security.gov” and the links go to national-security-agency.com, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users.  It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack.  This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.

Cyveillance provides this advice to users:

Here are some of the tips that can help you spot scams like this one:

  1. Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.
  2. Treat ANY email that tells you to download something as malicious until proven otherwise.  Again, contact your IT team before installing anything on your system.
  3. Hover (but do NOT click)  your mouse over all links in the email.  The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious.  Is the pop up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.
  4. Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.

This advice does not cover malicious attachments, a common spearphishing technique. A malicious attachment was the method used to compromise RSA.
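The link checks in tips 3 and 4 can also be applied mechanically to a message's HTML body. The Python below is an added example, not code from Cyveillance or Iconix; the name `check_links`, the URL path and the visible link text are assumptions, while the sender address and link domain are the ones quoted above.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: sender and link domain are quoted on this page; path and link text are made up.
SAMPLE_FROM = "NSA <protection@nsa.security.gov>"
SAMPLE_HTML = ('<p>Install the fix: <a href="http://national-security-agency.com/update.exe">'
               'http://nsa.security.gov/patch</a></p>')

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Accept both "http://host/path" and bare "host/path" as typed in link text.
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def check_links(from_header, html_body):
    """Return [(href, [warnings])] for links that fail tip 3 or tip 4."""
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    parser = _Links()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        warnings, dest = [], _host(href)
        if dest != sender_domain and not dest.endswith("." + sender_domain):
            warnings.append("link host differs from sender domain")
        shown = re.search(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}\S*", text, re.I)
        if shown and _host(shown.group()) != dest:
            warnings.append("bait-and-switch: visible URL differs from destination")
        if urlparse(href).path.lower().endswith((".zip", ".exe")):
            warnings.append("link ends in .zip or .exe")
        if warnings:
            findings.append((href, warnings))
    return findings
```

A matching sender domain is not proof of legitimacy, since the From header itself can be spoofed as in this scam; the check only surfaces the mismatches the tips describe.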

Traditional security methods can’t detect and stop low-volume, highly targeted spear-phishing email. Social engineering deceives users into becoming the agents of the criminals. What can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

[Image: SP Guard inbox]

SP-Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP-Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.