Phishing: Avoid the hook

  • Published
  • By Brian Kupperion
  • 4th Communications Squadron

“Beware of Phishing.” You’ve probably heard this many times, and for good reason. Phishing is the bad guys’ favorite way of stealing sensitive data such as passwords, personally identifiable information (PII), military operations data, and credit card and financial details. They also like to use this attack vector to infect your computer with a virus or to implant other malicious software.

Here are the Three Steps of Phishing:

  1. The Lure - an enticement carrying a link or attachment (e.g., click to claim a reward or to avoid a penalty)
  2. The Hook - opening the malicious attachment or visiting the malicious website, which collects information or plants malware
  3. The Catch - the information collected or the malware planted is used to gain access, damage data, and/or deny service

By some estimates, as much as 80 percent of all computer attacks begin with phishing. It is a lot easier for a criminal to fool someone into opening the door to sensitive data than it is to break or hack the door down. Professional criminals phish; amateurs hack. An Air Force network defense team recently conducted a phishing exercise here on Seymour Johnson Air Force Base. Although fewer people were “hooked” than the industry average, even one is too many and can cause serious harm.

Why is this important to us?

No one is entirely safe from phishing; with the right social engineering, anybody can be scammed into giving out sensitive information. At risk are PII, user IDs and passwords, bank account data, and operational information. Identity theft can lead to bad credit or debt, which in turn can jeopardize a security clearance and expose you to blackmail for sensitive government information. Malicious logic injected into computer systems can be used to collect data and report it back to the attacker. Key loggers capture the credentials used to access other networked computers, leading to further compromise of systems such as the Defense Travel System, myPay or other networks. Malicious logic can also be used to bring our local network down (denial of service) or to use us as a bridgehead for a denial of service attack across the Air Force network or other DOD networks.

Examples:

  • Suspected Russian hackers compromised the White House unclassified network, as reported in April 2015. The entry was reportedly aided by a phishing e-mail sent from a previously compromised State Department network, and the attackers obtained the President’s daily schedule.
  • A malware package, likely delivered via a phishing attack attributed to China, established a backdoor into the Office of Personnel Management network for further attacks. Subsequent attacks gave the intruders elevated network privileges and led to a massive compromise of security clearance data.
  • The Joint Chiefs of Staff unclassified network was taken offline for two weeks after a suspected Russian attack. The infiltration began with a phishing campaign that used an infected e-mail attachment.

What you can do

  • Be cognizant and vigilant of this threat
  • Be sure the source of an e-mail is legitimate before clicking any link or opening any attachment
  • Look for a valid digital signature on the message
  • As a sender, digitally sign your e-mail so the recipient can trust it
  • Only open attachments you are expecting and whose origin you know
  • Protect your computer with anti-virus, anti-spyware, and a firewall, and keep them updated
  • Know that phishing can also happen by phone (vishing); be careful what information you give out during phone calls
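As an added example (not part of the original article), the script below applies several of the checks above, and the “lure” stage of the three-step model, to a constructed sample message: it compares the From and Reply-To domains, reports whether the message is wrapped as an S/MIME signed message, flags links whose visible text names a different host than the link actually points to, and flags attachments with executable file extensions. All addresses, domains and message contents are invented for illustration (example.mil / example.net), and the signature check only reports whether a signature is present; it does not validate it.

```python
"""Heuristic checks for the 'lure' stage of a phishing e-mail (added example, not from the article)."""
import os
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: NOT a real message. Sender, reply-to and link domains are invented.
# The display name and visible link text imitate a pay system; the Reply-To, the link
# target and the double-extension attachment are the tell-tale signs of a lure.
SAMPLE_PHISH = """From: "MyPay Support" <support@mypay.example.mil>
Reply-To: verify@mypay-verify.example.net
To: airman@sj.example.mil
Subject: Action required: confirm your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your pay account will be suspended unless you confirm it now.</p>
<p><a href="http://mypay-verify.example.net/login">https://mypay.example.mil/</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign sample: plain text, no links, wrapped as S/MIME multipart/signed.
SAMPLE_SIGNED = """From: "Base Helpdesk" <helpdesk@sj.example.mil>
To: airman@sj.example.mil
Subject: Scheduled maintenance window
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="s1"

--s1
Content-Type: text/plain; charset="utf-8"

The network will be unavailable Saturday 0200-0400 for maintenance.
--s1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIIBAAAA
--s1--
"""

# Extensions that run code when opened (illustrative list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
ANCHOR_RE = re.compile(r'<a\b[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lower-cased host of a URL; bare 'www.host/...' text is treated as a URL too."""
    if not re.match(r"^[a-z][a-z0-9+.\-]*://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def domain_of_address(header_value):
    """Domain part of the first address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def is_signed(msg):
    """True if the message carries an S/MIME signature part (presence only, no verification)."""
    if msg.get_content_type() == "multipart/signed":
        return True
    return any(p.get_content_type() in ("application/pkcs7-signature", "application/x-pkcs7-signature")
               for p in msg.walk())


def assess_message(raw):
    """Return a list of (finding-code, detail) tuples for a raw RFC 822 message."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    findings = []
    from_dom = domain_of_address(msg.get("From", ""))
    reply_dom = domain_of_address(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but replies go to {reply_dom}"))
    if not is_signed(msg):
        findings.append(("unsigned", "no S/MIME signature; sender identity is unverified"))
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            ext = os.path.splitext(fname)[1].lower()  # last suffix, so 'x.pdf.exe' -> '.exe'
            if ext in RISKY_EXTENSIONS:
                findings.append(("risky-attachment", f"{fname} ({ext} can execute code)"))
        if part.get_content_type() == "text/html":
            for href, inner in ANCHOR_RE.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", inner).strip()
                # Only compare when the visible text itself looks like a URL.
                if re.match(r"^(https?://|www\.)", shown, re.I) and host_of(shown) != host_of(href):
                    findings.append(("link-mismatch", f"text shows {host_of(shown)} but points to {host_of(href)}"))
    return findings


if __name__ == "__main__":
    for code, detail in assess_message(SAMPLE_PHISH):
        print(f"[{code}] {detail}")
    print("signed sample findings:", assess_message(SAMPLE_SIGNED))
```

Running the script reports four findings for the constructed phish (reply-to mismatch, unsigned, link mismatch, risky attachment) and none for the signed plain-text sample. Presence of a signature is not proof of legitimacy on its own: an attacker can sign with a certificate of their own, so your mail client must also show the signature as valid and issued by a trusted authority before the sender is trusted.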