By David Wilson, Facility Security Officer and IT Manager
E-mail is consistently identified as one of the top attack vectors, if not the single biggest vulnerability, in government and industry cyber-security. Millions of phishing attempts are made daily by hackers, automated bots, and sophisticated programs dredging for everything from identities to steal, to confidential information and embarrassing data that could be used for blackmail. The scope and size of these operations are vast, but in recent years, a more identifiable pattern has emerged.
A recent article on MSN News from the Associated Press details how Russian hackers known by the code name “Fancy Bear” targeted a number of contractors working on militarized drones. Many of the phishing attacks you run across are easily spotted, but others play on your habits, and are better designed to appear authentic and benign. The MSN article mentioned an attack targeting a high-level Federal Aviation consultant. It appeared on his phone as a “Google security alert” with a button to click through and enter his e-mail and password to clear the error. This came at a point when he was busy and distracted, and he nearly fell into the trap.
Although these attacks target personal e-mail accounts, Gmail accounts in particular, a personal mailbox holds far more than personal mail, and a compromise there can lead to breaches that are more serious. Casual mentions of things at work, e-mail forwarded home to be dealt with on the road, personal data and passwords that might have been stored in e-mail folders, and even sensitive personal information could give foreign agents the means to perpetrate blackmail.
Not every successful phishing attack is evident to the user. If you accidentally give up your e-mail address and password, the hacker may do nothing more than log in, read, and save what is there, leaving no obvious trail. In that case the access can continue undetected for quite some time.
One thing you can do as a company, and what we try to do regularly at VectorCSP, is to inform users about these types of attacks. Google offers account-security settings, in particular 2-Step Verification, that require a second factor before an unrecognized device can sign in with your password alone. We recommend that your security standard is to always use as many layers of account protection as the service offers. The slight inconvenience of receiving a text message on your phone verifying your identity is incomparable to the inconvenience of learning, down the road, that a hacker has been reading your e-mail for the last year. Where the service supports it, an authenticator app or a hardware security key is stronger still, since a code sent by text message can itself be phished or intercepted.
Some things to keep in mind: Treat any e-mail that links you to a page asking for your password or account details as suspect, whoever it appears to be from. Legitimate entities like Google, Amazon, Barnes & Noble, banks, and credit card companies will normally tell you to go to their main site and log in as you usually do to get more information. Even if a message DOES contain such a link, the safe habit is to ignore it, open a new browser window, type the company's address yourself, and enter your data through their normal login page.
Any site that collects sensitive information should show the padlock at the left end of your browser's address bar. Be clear about what that padlock means: it ensures that your connection to the site is encrypted and that the site holds a certificate for the address shown in the bar. It does not ensure that the address belongs to the company you think it does, and phishing sites routinely have padlocks too. If you do not see the padlock, it is unwise to enter any e-mail address, password, or financial information; if you do see it, still read the domain name in the address bar and make sure it is the company's real domain and not a look-alike.
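The two checks above (is the page really the company's, and is the connection encrypted) can be automated for links pulled out of an e-mail. The following is an added example written for this post, not code from VectorCSP or from the article being discussed; the allowlist of trusted domains and the sample links are constructed for illustration. It encodes the rule that the padlock (https) is necessary but never sufficient: the decisive check is that the host name is the company's domain or a subdomain of it, which defeats the common tricks of putting the real name in front of an attacker's domain, hiding it before an "@", or using punycode look-alike characters.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example: the services the reader actually
# logs in to. Subdomains (accounts.google.com) are accepted; look-alikes are not.
TRUSTED_DOMAINS = ("google.com", "amazon.com", "barnesandnoble.com")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a subdomain of one.

    The trusted name must be the *suffix* of the host, so
    "google.com.login-alert.example" is rejected even though it starts
    with "google.com", and so is "notgoogle.com".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a link found in an e-mail.

    verdict is "ok" or "suspicious". TLS is required, but the host name
    decides: a padlock on an attacker's domain is still an attacker's domain.
    """
    parsed = urlparse(url)

    if parsed.scheme != "https":
        return "suspicious", "not https: credentials would travel in the clear"

    # https://accounts.google.com@evil.example/ -- everything before the "@"
    # is user-info, and the browser actually connects to evil.example.
    if parsed.username is not None:
        return "suspicious", f"user@host trick; the real host is {parsed.hostname}"

    host = (parsed.hostname or "").lower()

    # Punycode labels (xn--) carry non-ASCII characters, the usual vehicle
    # for homograph look-alikes of a brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"punycode host {host}: possible look-alike characters"

    if not host_is_trusted(host, trusted):
        return "suspicious", f"host {host} is not a trusted domain or a subdomain of one"

    return "ok", f"host {host} is under a trusted domain"


# Constructed sample links of the kind that turn up in phishing mail.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",                  # genuine
    "https://google.com.security-alert.example/verify",    # brand name in front of attacker domain
    "https://accounts.google.com@secure-login.example/",   # brand name hidden in user-info
    "http://www.amazon.com/",                              # right domain, no TLS
    "https://xn--ggle-0nda.com/",                          # constructed punycode label
]


def triage(links):
    """Map each link to its (verdict, reason) so a batch can be reviewed at once."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, (verdict, reason) in triage(SAMPLE_LINKS).items():
        print(f"{verdict:<10} {link}\n           {reason}")
```

Note what this does not do: it cannot tell you whether a page on a trusted domain is asking for something it should not, and it does not consult a public-suffix list, so the allowlist must name real company domains rather than shared hosting domains. For personal use the habit in the text (type the address yourself) remains the simplest defense; the code is useful when a mail gateway or help desk has to sort many reported links.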
The best defense against phishing scams is awareness. If something seems off about an e-mail, it probably is. Keep in mind that even if you are not a key person on a vital defense contract, any information, even an address book with contact information for other people such as the type Gmail maintains, can be pieced together with data gathered from other sources to expose critical information to an adversarial intruder.
The entire article on “Fancy Bear” and their hack of drone technology can be found at the following link: https://www.msn.com/en-us/news/technology/ap-fancy-bear-hackers-took-aim-at-us-defense-contractors/ar-BBIO5SB?ocid=ientp