Don't take the bait: Network users easy prey for phishing

Published March 5, 2010
By Lt. Col. Brian Heberlie, 19th Communications Squadron commander

LITTLE ROCK AIR FORCE BASE, Ark. -- One of my fellow Air Mobility Command communications squadron commanders is thinking about a new line of work. After a year of training and educating his base network users about common threats, he still found it easy to dupe base employees (military, civilian and contractors alike) into clicking on an unauthorized link embedded in an official-looking e-mail.

How did he do it? He started by sending a spoofed e-mail to 435 users on base. A spoofed e-mail is one that appears to be sent from a legitimate e-mail address but actually comes from a (usually fraudulent) third party. In this case, he sent the spoofed e-mail so it appeared to come from an e-mail address belonging to an on-base organization.

His first line of defense, the network security tools, actually disabled the link when he sent it and converted the message to plain text so users could see the actual target of the link. The network had also tagged the e-mail with a warning stating, "this might be a phishing e-mail and is potentially unsafe." Further, this e-mail had no digital signature to verify it had come from the actual source.

So how would he get users to ignore the warning signs and click on the link anyway? What would it take to get past the second line of defense, the on-base users, and get them to re-enable the link and click on it? According to research on successful spear phishing, he needed to put in an "action phrase" so users felt compelled to click on his link regardless. The most effective "action phrases" play to two basic emotions to lure people in: greed and fear. Since the Super Bowl was just around the corner, he decided to tell users they could win one of six free 63-inch plasma high-definition TVs from the on-base force support squadron by entering a contest and clicking the link to register.
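The first line of defense described above (disable the link, flatten the message to plain text so the real target is visible, and tag the message with a warning when spoofing indicators are present) can be illustrated with a small mail-gateway filter. The following is an added example, not the Air Force's tooling or anything from the original article; it checks only standard RFC 5322 headers, and the sample message, its domain names and the `INTERNAL_DOMAIN` constant are constructed for the demonstration.

```python
"""Miniature mail-gateway filter: neutralise links, expose real targets,
and tag a message with a warning when spoofing indicators are present.

Added example, not the original article's tooling. The sample message and
all domain names are constructed; INTERNAL_DOMAIN is an assumed placeholder.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "base.example.mil"  # constructed placeholder for "on-base"
WARNING = "WARNING: this might be a phishing e-mail and is potentially unsafe."


def _host(s: str) -> str:
    """Hostname of a URL, or of a bare domain written without a scheme."""
    return (urlparse(s if "://" in s else "//" + s).hostname or "").lower()


class LinkFlattener(HTMLParser):
    """Flatten HTML to text; every anchor becomes 'text [link disabled: href]'."""

    def __init__(self):
        super().__init__()
        self.parts, self.links = [], []   # links: (visible_text, href)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
        elif tag in ("br", "p", "div"):
            self.parts.append("\n")

    def handle_data(self, data):
        (self._text if self._href is not None else self.parts).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.links.append((text, self._href))
            # The real target is shown, and nothing remains clickable.
            self.parts.append(f"{text} [link disabled: {self._href}]")
            self._href = None


def analyse(raw_message: bytes) -> dict:
    """Return findings, link list and the neutralised plain-text rendering."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # 1. Digital signature: an S/MIME-signed message arrives as multipart/signed.
    signed = msg.get_content_type() == "multipart/signed"
    if not signed:
        findings.append("no digital signature")

    # 2. Sender spoofing: From claims an internal address, but the envelope
    #    sender (Return-Path) belongs to some other domain.
    from_domain = msg["from"].addresses[0].domain.lower() if msg["from"] else ""
    env_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_domain == INTERNAL_DOMAIN and env_domain and env_domain != from_domain:
        findings.append(f"From claims {from_domain} but envelope sender is {env_domain}")

    # 3. Links: flatten the HTML body and flag link text that names one host
    #    while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    flattener = LinkFlattener()
    if body is not None and body.get_content_type() == "text/html":
        flattener.feed(content)
        text = "".join(flattener.parts)
    else:
        text = content
    for visible, href in flattener.links:
        looks_like_url = "." in visible and " " not in visible
        if looks_like_url and _host(visible) != _host(href):
            findings.append(f"link text {visible!r} hides a different target {href!r}")

    if findings:
        text = WARNING + "\n" + text
    return {"signed": signed, "findings": findings, "links": flattener.links, "text": text}


# Constructed sample: unsigned, internal-looking From, external envelope sender,
# and link text that does not match where the link really goes.
SAMPLE = b"""Return-Path: <promo@win-a-tv.example.net>
From: "Force Support Squadron" <fss@base.example.mil>
To: airman@base.example.mil
Subject: Win one of six plasma TVs!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>Register for the contest here:</p>
<p><a href="http://win-a-tv.example.net/register">https://fss.base.example.mil/contest</a></p>
"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("\n".join(result["findings"]))
    print(result["text"])
```

Run as a script, it prints the three indicators (unsigned, envelope/From domain mismatch, link text pointing at a different host) followed by the flattened message with the real URL exposed in brackets, which is the form the article says users saw before they chose to re-enable the link.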
But would that be good enough? Unfortunately, it turned out to be very good: 34 of the 435 "phish" took the bait and clicked on the link. At that point, he could have infected those 34 machines with spyware, malware or a Trojan horse to plunder personal information from the computer or the user's internet transactions. Since these were on-base machines, he could also have stolen information from other military systems these network users access to do their jobs. But in this case, he thought it would be more lucrative to steal their identities, so he asked the users to input their Social Security numbers and birthdates to register for their prize.

Giving up personally identifiable information to any on-base organization through a request from an e-mail link should have given pause to the 34 "phish." But there was a 63-inch plasma TV at stake -- they would not be deterred. Imagine their surprise when they finally got to the end of the contest giveaway, after freely providing their identity, to find they were victims of a base-wide phishing test.

So Team Little Rock, after a year of education and training, are we too smart for that? When Rock Comm did a phishing expedition last year with an e-mail from the "Commercial Revenue Service," we caught over 450 "phish."

The highly publicized hacks earlier this month at Google, Adobe and 20 other U.S. companies all originated from spear-phishing messages with poisoned attachments that appeared to come from internal sources. Authorized users on company networks opened these e-mails, ignoring sound security practices. There was a similar threat in the Department of Defense earlier this month, with an e-mail subject line of "Federal Tax Law Changes for 2010 - 2017."

The lesson: think twice before you click on any e-mail link or attachment, no matter who sent it. Look for the digital signature, and make every effort to contact someone from the sending organization if the e-mail looks or sounds suspicious.
Finally, you can go to http://iase.disa.mil/eta/phishing/Phishing/launchPage.htm to test and improve your ability to evade capture from these sophisticated phishers. Besides, my fellow AMC communications squadron commander really doesn't need your money.