This is the second half of a two-part blog. Please read Part One first.
DOJ Allegations of a Simple Phishing Expedition that Was Able to Hack Trade Secrets from both Alcoa and U.S. Steel
The recent DOJ indictment proves the point that employees are the weakest link in cybersecurity, that they are easy victims of simple spearphishing hacks. Here are the introductory allegations in paragraph 6.f.:
6.f. In or about 2008, Alcoa Incorporated (“Alcoa”), an aluminum manufacturer whose principal office is located in the Western District of Pennsylvania, announced a partnership with a Chinese state-owned aluminum company to acquire a stake in another foreign mining company. Approximately three weeks later, Defendant SUN targeted senior Alcoa managers with spearphishing messages designed to trick the recipients into providing SUN with access to the company’s computers.
The specific allegations on this hack attack begin at paragraph 41. Defendant Sun Kailiang, who uses the alias “Jack Sun,” shown right in his full military uniform, is alleged to have performed a directed phishing attack (“spearphishing”) against select employees of Alcoa and U.S. Steel:
41. Spearphishing activity targeted Alcoa including near in time to significant events in its business relationship with SOE-3. For example, on or about February 20, 2008, about three weeks after Alcoa announced the partnership with SOE-3, Defendant SUN targeted Alcoa with a spearphishing campaign. Specifically, Defendant SUN sent e-mails to approximately 19 senior Alcoa employees, at least some of whom were located in the Western District of Pennsylvania, using an account designed to impersonate a member of Alcoa’s Board of Directors. In all but one of the e-mails, Defendant SUN attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.
42. Thereafter, in or about June 2008, unidentified individuals stole at least 2,907 e-mail messages along with approximately 863 attachments from Alcoa’s computers, including internal messages among Alcoa senior managers discussing the foregoing acquisition. . . .
44. In furtherance of the conspiracy and to achieve the objects thereof, the conspirators committed the following overt acts, among others, in the Western District of Pennsylvania and elsewhere:
a. On or about April 18, 2006, Defendant SUN created e-mail account email@example.com.
b. On or about July 17, 2006, Defendant SUN created domain account j*****r at a domain provider in the United States.
c. On or about December 12, 2006, Defendant WEN sent Defendant WANG two executable files containing tools that would be useful for intrusions.
d. On or about July 12, 2007, Defendant GU designed and tested a spearphishing message.
e. On or about February 20, 2008, Defendant SUN created an e-mail account using the misspelled name of a person with the initials C.G., who was then a member of Alcoa’s Board of Directors (the “C. G. Spearphishing Account”).
f. On or about February 20, 2008, Defendant SUN, using the C.G. Spearphishing Account, transmitted e-mail messages with a file named “agenda.zip,” which contained malware, to approximately 19 Alcoa employees.
That is a pretty detailed description of how a spearphishing cyber attack works. Captain Jack was just doing his job as a military hacker, just following orders to steal secrets from U.S. corporations so that the Chinese government can give their state sponsored business an unfair advantage.
A little research shows that the member of Alcoa’s Board that Jack Sun pretended to be was a brand new board member, a business celebrity at that, and one who has an oddly spelled name, Carlos Ghosn. Jack Sun did his social engineering background work very well. Ghosn was the perfect new guy to impersonate. All they had to do was trick one naive Alcoa employee to click on a mail attachment that supposedly came from Ghosn, or was it Ghosen? Oh well, he’s the new boss, so we had better click on the agenda items attachments that he sent to us. And that they did. The DOJ indictment does not reveal how many were so tricked, but it only takes one.
The indictment also describes another successful spearphishing campaign against U.S. Steel, but with fewer details. All we know is that the counterfeit email with a malware attachment supposedly came from the CEO. Jack Sun sent the email to twenty U.S. Steel employees, and at least one of them fell for it and opened the virus-ridden attachment. Who has the guts to ignore a direct request from the CEO? Very clever again, Captain Jack.
What happened to Alcoa and U.S. Steel could have happened to any organization. A cybersecurity consulting firm, CrowdStrike Inc., has found that between 5% and 10% of employees will click on almost any email. Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam. This kind of statistic is ridiculous. Our employees really need to be trained not to be so gullible. Everyone needs basic cybersecurity training in today’s world.
Even our senior military officers are vulnerable to tricky social engineering, as I will explain next. Most of the older CEOs and military officers are, like most of my generation, clueless when it comes to technology and the Internet. One has only to think of the recent scandal with David Petraeus, CIA Director and four-star general, whose unencrypted, sex-filled webmail showed he was carrying on an extramarital affair with his biographer.
Train All Employees in Cybersecurity, Including Especially Social Engineering Threats
The DOJ indictment does not specifically identify who was tricked by Sun, no doubt to avoid unnecessary public disclosure and embarrassment, but it does say the phishing emails were sent to 19 senior Alcoa employees. I am willing to bet that included one or more administrative assistants to top officers of the corporation. They are the ones used to receiving emails like this pertaining to agenda items. They are also the ones most likely to open attachments for their boss. Maybe it went to some V.P.s, and they forwarded it to their assistants to deal with. They did not want to be bothered with attachments and such. Or maybe their assistants screen all of their email for them. Believe it or not, this is still common at the senior level for people my age or older.
My email observations are based on very long experience with business email. Due to my peculiar background as a computer hobbyist and a lawyer, I have probably used business email longer than most everybody else still practicing in the legal world. Remember The Source and Compuserve? I used those for online communications when they were dial-up BBS systems in the early 1980s. That was way before the Internet was opened for non-academics. I remember when sending computer mail or text messages for communications with a client was considered very exotic. We would anxiously wait for confirmation that the message was received. I remember the same for faxes too, but that’s another story.
The observation on secretaries screening email for bosses is also in accord with the experience of Kevin Haley, director of Symantec Corp.’s Security Response team. As the previously cited Bloomberg article mentioned, personal assistants are a prime target because they have access to key information and are opening email attachments all day. This is one reason that Kevin Haley recommends that all employees be required to receive cybersecurity training.
Training, especially in social engineering, should include the top brass too, the C-Suite. This point was recently proven by one of the largest, ongoing social engineering cyber attacks yet discovered. This one was orchestrated by the Iranian government. The hack attack was discovered by a private cybersecurity consulting firm, iSight Partners. The Iranians were able to trick many leaders, including a four-star Admiral in the U.S. Navy. They did so over three years with an elaborate Facebook friending and fake newscaster scheme. Iranian hackers ‘friended’ four-star U.S. admiral on Facebook to steal data using social media espionage.
Can you believe it? One of our four-star Admirals was tricked by fake Facebook pages and friend requests into revealing secrets to the Iranians. Hey, fellow senior citizens, especially you generals and admirals – just say no! You don’t need online friends any more than you need sexy biographers. Take our national security more seriously than that.
Our four-star Admiral was not the only gullible victim in the Iranian online fraud attack. According to the Reuters report, hackers used 14 fake online personas to make connections with more than 2,000 people. Then the hackers targeted several hundred high-ranking individuals to get them to visit a poisoned website or open malware-ridden attachments. The top brass targeted included the famous admiral (identity not yet revealed), U.S. lawmakers, U.S. ambassadors, and personnel from several other countries. Our fearless leaders are the biggest fish of all to target. Somebody should make them attend full cyber training.
Congress is the only one with the power to do that. Perhaps they should pass a law requiring all military officers and high-ranking government officials to take basic cybersecurity training. Then they should be subject to random pentesting after that, as I will describe in more detail in my conclusion. I do not care about generals and admirals failing a drug test, or a sex test, but failing a pentest, well, that really worries me.
Law Firms Are Targets Too
Law firms are all run by lawyers about my age; great lawyers all, but most of them are quite naive when it comes to technology and cybersecurity. As Alan Brill of Kroll is known for saying, a popular cybersecurity myth in most corporations is that “we are not a target.” He “mostly hears it from victims” and “they are usually wrong.” Law firms are targets, just like every other organization in the world.
Phishing aimed at lawyers is nicknamed Shark Phishing, a tip of the hat to our evil reputation. All lawyers are under constant attack, most likely by simple criminals, but you never know. In my world, several emails a week slip through my firm’s spam filter and I see urgent pleas for help. They are usually from people I do not know who seek my legal services for something or another. They may claim to be seeking help for payment of child support. Think of the hungry children that need your help! The emails are often personalized and mention my name in the body of the email. They may also claim to be owed money by a U.S. corporation, or otherwise need a lawyer to close on a deal or get a big inheritance. They may claim to come from a CEO of a foreign company or from another lawyer. Often the emails are accompanied by attachments that supposedly explain their problem.
I know that all lawyers everywhere get this kind of malware junk mail every day just like I do. They are very adept at fooling spam filters. I do not think twice. I mark as spam, delete, and move on. Sometimes I will read the pitch for my own perverse enjoyment. They can be very clever, in an evil sort of way. Look, if you wish, but do not click. Never, never open the attachments, or click on any links. And do not respond in any way. It may not be the now indicted Captain Jack doing his job as an industrial espionage hacker, but it certainly is not a real client. It is some kind of hacker crook after your money or your client’s secrets.
Once any lawyer takes the bait and responds to the email, or clicks on a link, an elaborate fraud starts. It usually results in either a bounced check to you, and loss of your money, or release of malware. Sometimes you will get both. You will not get a client any more than our four-star Admiral got a real Friend on Facebook. I have heard of several law firms losing hundreds of thousands of dollars in these scams. They usually involve their bank accounts. Sometimes the banks will reimburse them, but more and more lately, they will not. Yes, lawyers, sharks or not, can be quite gullible and fall for various social engineering fraud tricks just like everyone else.
Common Sense Advice on How to Avoid Phishing Frauds
The basic advice is really very simple. Never click on a link or download an attachment in an email unless you are absolutely sure that they are legitimate. The same goes for a text message or any other kind of online communication. If you have any doubt at all, do not click it. Do not be a victim. Remember spoofing too. Just because an email is apparently from someone you know and trust, like your banker for instance, does not mean that it is legitimate. It is easy to copy logos and even set up fake websites. Inspect carefully the email address that an email is sent from. That will often reveal the fraud. But even if all looks legit, still resist the urge to click. Why, for instance, would your banker or broker send out an email like that?
Bottom line, never click on a link, or download an attachment, unless you have independently verified the identity of the person who claims to have sent you the message. You can do so through a telephone call, text message, or email. You cannot get a virus by calling your banker or broker or friend. Verify that they actually sent you the email with attachment or link. Like Reagan said, trust but verify.
Further, you should always make sure that your anti-malware software and anti-virus software are up to date. Even though your security software is not effective against the very latest malware programs, it can still catch many of the older known viruses out there.
For a good source of information on all of this see the Anti-Phishing Working Group (APWG), which is, in its own words, a global industry, law enforcement, and government coalition focused on unifying the global response to cyber crime through development of data resources, data standards and model response systems and protocols for private and public sectors. As a semi-humorous interlude, you also might want to click on this YouTube video on phishing.
Another useful article on how to avoid phishing attacks was written by Rebecca Greenfield in 2013: How to Avoid Getting Spear-Phished by China’s Hackers Who Cracked Apple. She came up with six common sense steps to avoid being a spearphishing victim.
Step 1: Understand the Difference Between Phishing and Spear-Phishing.
Phishing attacks are the more blatantly malicious. They are emails that pretend to come from big organizations, like your bank or broker. They are form emails from generic addresses and are sent to thousands of in-boxes. They are not custom designed, and instead rely on quantity. The bad guy hopes that a few out of thousands will be dumb enough to click a malicious link or download an infected file. Spear-phishing, on the other hand, targets a small group of specific users. As security firm Norton explains:
Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.
This is more fully explained with examples by ComputerWorld’s Gregg Keizer in a 2011 post. Spearphishing emails are designed to look like they come from colleagues or friends. They also tend to include personalized touches, which again Norton explains on its site:
The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” The email may make reference to a “mutual friend.” Or to a recent online purchase you’ve made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for.
Step 2: Check the Sender’s Full Email Address
The full email address of the sender will often reveal that it does not exactly match the supposed sender. The cyber-security firm Mandiant used this example when describing another spearphishing attack by the same Chinese “Comment Crew” back in 2012. In this attack the hackers tried to exploit the name of the CEO of Mandiant, Kevin Mandia.
Apart from the dubious “details click here” line in this email, it looks like a bona fide message from Mandiant’s CEO – firstname.lastname@example.org. But think about it. Why would the CEO of Mandiant, a major corporation in the security field, be using a Rocketmail account to discuss a press release? He wouldn’t. Still, maybe some who know him might think he had a new personal email account, and was using it instead of the corporate account for some reason. You should not click on that email until you first check with Kevin.
Step 3: Remember That Hackers Can Email Back, Too.
One obvious way to test a suspicious email is to respond to the sender. But that often will just lead you right back to the fraudster. According to the Mandiant report, one of their experts, as a test, wrote back to one of the Chinese hackers and said: “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, the hacker from Unit 61398 responded back: “It’s legit.” The correct way to double-check the legitimacy of a sender is to contact the “friend” in a separate email, via phone, or by any other means. Do not just reply.
Step 4: Check the Attachment File Type Closely.
According to the Mandiant report, most spear-phishing files come in .zip format. Still, the clever hackers will sometimes dress up Zip files as PDFs in disguise. They do it like this:
That looks like a standard .pdf file, and has the little Adobe icon, but the little ellipses give it away. Again, according to the Mandiant report, the file name continues after the PDF extension to include 119 spaces followed by .exe. Pretty tricky of these Unit 61398 military hackers, eh? I hope our military cyber teams are as good or better at spying on state and military secrets. Although, the U.S. military, unlike the Chinese, does not steal trade secrets to benefit purely commercial interests. That’s the government’s story anyway, and I for one am inclined to believe it.
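To make Steps 2 and 4 concrete, here is an added example of my own (not code from the article, Mandiant, or Norton) that applies both checks: does the sender’s mailbox domain match the identity in the display name, and does the attachment name hide a real extension behind a document extension and a run of padding spaces? The domains, sender address and file names are constructed placeholders.

```python
"""Defender-side heuristics for two spear-phishing tells: a From: header whose
mailbox domain does not match the identity claimed by the display name (Step 2),
and an attachment name padded so that a document extension hides the real
executable extension (Step 4). All sample values below are constructed."""
import re
from email.utils import parseaddr

# Extensions the desktop will execute on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1",
                   "jar", "msi", "lnk", "hta"}
# Extensions that read as harmless documents or archives to the recipient.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip"}


def check_sender(from_header, expected_domain):
    """Return reasons the From: header looks spoofed (empty list if it does not)."""
    display, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return ["From: header has no parsable mailbox"]
    domain = addr.rpartition("@")[2].lower()
    if domain != expected_domain.lower():
        return [f"display name {display!r} but mailbox domain is {domain!r}, "
                f"expected {expected_domain!r}"]
    return []


def check_filename(name):
    """Return reasons an attachment name looks deceptive (empty list if clean)."""
    reasons = []
    parts = name.split(".")
    real_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    # Two or more spaces between a visible extension and the final one is the
    # padding trick: 'report.pdf' + 119 spaces + '.exe' displays as a PDF.
    if re.search(r"\.\w+\s{2,}\.\w+$", name):
        reasons.append("whitespace padding between extensions")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{real_ext} is executable")
        # The extension the recipient was meant to see sits before the real one.
        shown = {p.strip().lower() for p in parts[1:-1]}
        if shown & DOCUMENT_EXTS:
            reasons.append("document extension used to disguise an executable")
    return reasons


def render_like_mail_client(name, width=24):
    """Show how a narrow attachment column truncates the name with an ellipsis."""
    return name if len(name) <= width else name[: width - 1] + "…"


def triage(from_header, filenames, expected_domain):
    """Run both checks; returns {'sender': [...], 'attachments': {name: [...]}}."""
    flagged = {}
    for name in filenames:
        reasons = check_filename(name)
        if reasons:
            flagged[name] = reasons
    return {"sender": check_sender(from_header, expected_domain),
            "attachments": flagged}


if __name__ == "__main__":
    # Constructed sample modelled on the cases in the text; the CEO's display name
    # is paired with a webmail-style placeholder domain, not the corporate one.
    padded = "press_release.pdf" + " " * 119 + ".exe"
    findings = triage("Kevin Mandia <kevin.mandia@webmail.example>",
                      [padded, "updated_office_contact.zip"],
                      expected_domain="mandiant.example")
    print(render_like_mail_client(padded))  # the recipient sees only the '.pdf' part
    for key, value in findings.items():
        print(key, value)
```

The `.zip` attachment passes these name checks, which is the point of the report’s observation that most spearphishing payloads arrive as archives: a clean-looking name is not a reason to open it.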
Step 5: Check for Vague Filenames.
While spear-phishing emails are usually very personalized, the message content, and infected file names, tend to be fairly generic. Something like “updated_office_contact.zip” is common. The file names also tend to include military, economic, and diplomatic themes, largely because of the kind of organizations that military hackers attack. Criminal hackers, the ones who are just in it for the money, tend to have other investment and business type themes. They may suggest that you open an attached marketing plan pertaining to a new product you are working on.
Step 6: Be Paranoid.
Rebecca Greenfield’s last recommendation is from a security research report by the Georgia Tech Research Institute (GTRI), featuring the work of Andrew Howard, their malware expert and Chief of Emerging Threats and Countermeasures, who said:
Spear phishing is the most popular way to get into a corporate network these days. Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.
The success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.
Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it.
As to what to do about it, Howard is working on new types of AI based phishing detection software. It sounds much like predictive coding for malware and phishing. But in addition to that, Howard recommends a healthy dose of paranoia:
It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time. Users are the front line defense. We need every user to have a little paranoia about email.
In addition to the good advice of Rebecca Greenfield and Andrew Howard, I strongly recommend employee training as a key component of cybersecurity. So too do many others, including PhishMe.com, which offers employee training in phishing avoidance. I also suggest companies do random pentesting to reinforce that training. The penetration attempts should focus on social engineering techniques against employees, including especially phishing and spearphishing. That would be a good way to reinforce a healthy paranoia, but not so much paranoia that no work gets done. After all, we do have to send and receive email attachments all of the time, even when on vacation.
The company should start by requiring training of all employees — high and low, no exceptions. The CEO should have to attend training, as well as the receptionist. After that, the company CISO should contract with white hat hackers to do approved spearphishing. The tests would be unannounced, of course, and ongoing. Not one and done. The tests would feature clever social engineering hacks, including especially phishing and spear phishing, but would also include some bona fide email tests with links and attachments.
The goal would be to reinforce healthy paranoia, but, at the same time, make sure that employee paranoia is not so intense that it interferes with efficient operations. It is a difficult line to draw, but necessary. In my opinion, this would be great fun to test; far better than the many law school exams I have given and graded. Designing a special spearphish for the CEO or Admiral would be especially entertaining.
Only the employees who failed a surprise pentest would have to endure further retraining. You know, the employees who were either fooled into taking the bait and downloading a virus, or were too paranoid, or too lazy, to open a valid attachment needed for work. Some attachments might require the tested employees to make a call first. Some may not.
This kind of pentesting would be a relatively easy but effective way to strengthen the weakest links in every organization’s cybersecurity. If someone fails time and time again, even after counseling and retraining, well, maybe they should find another job. That should work, that is, unless they are a four-star admiral. ¯\_(ツ)_/¯
This means that even CEOs of companies should be tested and objectively graded by a third party. Maybe every Board of Directors should require that, or every insurer. Maybe Congress and the Pentagon should require such training and tests of military officers. You should not get promoted unless you have good pentesting scores. The same requirements should apply to anyone who has a security clearance of any level, including members of Congress and their staff.
If you want more information to assist you in designing a cybersecurity training program for your employees, just click here.