Tactics

Phishers Targeting Government

By Stacey McDaniel

Phishing attacks are evolving and becoming stealthier, making it more difficult for an end user to distinguish between legitimate emails and Web pages from imposters. Phishers have even taken to sending what appear to be legitimate emails from government agencies, but are really fake messages directing the recipient to divulge personal information, or unknowingly launch a malicious payload on their computer.

This article is intended to bring awareness to this phenomenon, and explain what government agencies can do to better protect their critical infrastructure and help their employees and constituents avoid becoming victims of phishing.

Recent phishing scams
As tax season heats up, so too do phishing scams purporting to be sent by the Internal Revenue Service (IRS). Since all of us are concerned with our taxes, the fraudsters believe that an "official" notice from the IRS cannot be ignored. One phishing scam currently making the rounds is an email containing a link that supposedly allows recipients to check the status of their tax refund, but only after they provide private information. The link in the email goes to a page that mirrors the true IRS Web site, but is in fact a fake site created to collect user information.

In late 2005, another email claimed that recipients were eligible to receive a tax refund for $571.94. The email appeared to be sent from tax-returns@irs.gov with the subject line of "IRS Tax Refund." A link was provided in the email to access a form that had to be completed in order to receive the refund. The link appears to connect to the IRS Web site, but actually redirects the recipient to an entirely different Web site where personal data, including credit card information, is captured.
 
In another recent phishing scam, email messages purported to be from the FBI, with the sender's email address appearing as mail@fbi.gov, post@fbi.gov, or admin@fbi.gov. The email informed recipients that their Internet use was being monitored because they accessed illegal Web sites and was signed "Steven Allison," a supposed FBI employee. Recipients were then directed to open an attachment to answer some questions. The attachment was actually a zip file containing a variant of the Sober worm.

The nature of attacks
In October 2005, the Anti-Phishing Working Group (APWG) published a report entitled "Online Identity Theft: Phishing Technology, Chokepoints, and Countermeasures." The report began by noting that while most people believe phishers are amateur Internet criminals with a little technical knowledge and too much time on their hands, in reality they are technically innovative "professionals" who can afford to invest in the technology required for large-scale attacks. The APWG has found that the most dangerous phishing attacks are carried out by organized crime, and some efforts are even targeting the United States government.

The report found that the two most prevalent kinds of phishing are:

  • Deceptive phishing: In this type of phishing, email messages are sent using corporate or other seemingly official logos containing a "call to action" that demands the recipient click on a link. The recent IRS phishing scams noted above are examples of this kind of deceptive phishing.
  • Malware-based phishing: Instances of this kind of phishing, which involves running malicious software on the user's machine, are on the rise. Malware-based phishing can take many forms. Generally, the malware is spread either by social engineering or by exploiting a security vulnerability. Keyloggers are popular with phishers because these programs monitor user activity and data being input and relay relevant information to interested parties. Similarly, session hijacking is an attack in which a user's activities are monitored, typically by a malicious browser component.

The overall trend is that phishing is becoming more personalized and targeted, and that attacks are launched primarily for financial gain. Phishing scams are harder to identify because attackers are trying to use personal information such as the recipient's name in the message to make it seem legitimate. Once attackers know they have a valid email address, they attempt to find out more about the person and use this information to send highly tailored messages. For this reason, Web sites are discouraged from using email addresses as identifiers for registration IDs and password reminders.

Avoiding phishers
Recognizing a phishing email is vital in order to allow your agency time to employ countermeasures. Here are some things that your organization can do to improve responsiveness to a phishing attack and reduce potential loss with regard to both money and reputation:

  • Provide clear instructions on your Web site, and in any email communications, on how to report a phishing message. This should include an email address that users may use to report spoof emails.
  • Monitor recent domain registrations and take action against parties registering domain names deceptively similar to yours, including those that differ from yours only by a typographical error.
  • Monitor bounced email messages. Many phishers send emails to bulk lists that include nonexistent email addresses, using return addresses belonging to the targeted institution. A flood of bounced emails can indicate that a phishing attack is under way.
  • Monitor call volumes and the nature of questions being asked. A spike in certain types of inquiries can indicate a phishing attack.
  • Monitor the use of images containing your agency's logos and artwork. Phishers will often use the target organization's own Web server to host the artwork used to deceive customers. This may be detected by the Web server via a blank or irregular "referrer" on requests for the image.
  • Ensure that your Web site uses SSL and that all certificates are current.
  • Remove any open URL redirects from your site.
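
The referrer check from the list above, worked through as an added example (not code from the article): it parses Web server access log lines in the common "combined" format and counts image requests whose Referer is blank or names a host outside the agency's own domain. The agency domain, the log lines and the lookalike host are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OUR_DOMAIN = "agency.example.gov"   # assumed agency host (hypothetical)
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg")
# Apache/nginx "combined" format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer):
    """Host named in a Referer URL, or '' when the header is blank or '-'."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""

def is_suspicious(path, referer):
    """Image fetched with a blank Referer, or from a host that is not ours."""
    if not path.lower().split("?")[0].endswith(IMAGE_EXT):
        return False
    host = referer_host(referer)
    if host == "":
        return True
    return not (host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN))

def hotlink_report(lines):
    """Count successful, suspicious image requests by referring host."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # skip malformed lines and failed requests
        if is_suspicious(m["path"], m["referer"]):
            hits[referer_host(m["referer"]) or "(blank)"] += 1
    return hits

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2006:10:01:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "https://agency.example.gov/index.html" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Mar/2006:10:01:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://lookalike.example.net/verify.php" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2006:10:01:04 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Mar/2006:10:01:05 -0500] "GET /forms/refund.html HTTP/1.1" 200 5120 "http://lookalike.example.net/verify.php" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2006:10:01:06 -0500] "GET /images/seal.png HTTP/1.1" 200 9000 "https://www.agency.example.gov/about" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Mar/2006:10:01:07 -0500] "GET /images/seal.png?v=2 HTTP/1.1" 200 9000 "http://lookalike.example.net/verify.php" "Mozilla/5.0"',
]
print(hotlink_report(SAMPLE_LOG))
```

Blank referrers also come from mail clients and privacy settings, so the count for an unfamiliar outside host is the stronger signal; pages fetched with that same referrer (the HTML form above) are worth reviewing alongside the images.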

Proactive countermeasures
In addition to diligent monitoring, you should take the following steps to ensure a phishing payload doesn't reach users on your system:

  • Defense in depth: This approach to security employs multiple, overlapping defense systems at client, server and gateway to guard against single-point failures in any specific technology. As phishing messages often try to trick the recipient into launching worms, viruses, Trojan horses, and other Internet threats, having up-to-date antivirus software, firewalls, and intrusion detection and intrusion protection systems on client systems is critical.
  • Email filtering: Use a solution that includes antifraud filters that will detect and block known phishing messages at the server level so they never reach your users' inboxes.
  • Domain level authentication: Verifying the actual origin of an email message should provide some protection from phishers who are spoofing mail domains.
  • Education: Ensure that your employees and constituents are educated about phishing in general, and are advised about the latest phishing scams and how to avoid falling victim to them.
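
An added example of the domain-level check described above (not from the article, which names no specific mechanism): a simplified sender-origin check in the style of SPF (RFC 7208) that asks whether the IP address that delivered a message is one the sender's domain has published as authorized. The domain records are a constructed lookup table standing in for DNS, the example domains are hypothetical, and only ip4/ip6 mechanisms and the "all" qualifier are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; real code would query DNS.
SPF_RECORDS = {
    "irs.example.gov": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "fbi.example.gov": "v=spf1 ip4:203.0.113.10 ~all",
}

def parse_spf(record):
    """Return (authorized networks, qualifier of 'all') or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    nets, all_q = [], "?"   # no 'all' term: treat as neutral
    for term in terms[1:]:
        q = "+"
        if term[0] in "+-~?":
            q, term = term[0], term[1:]
        if term.lower() == "all":
            all_q = q
        elif term.lower().startswith(("ip4:", "ip6:")) and q == "+":
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        # include:, a, mx and redirect= are left out of this simplified check
    return nets, all_q

def check_sender(envelope_from, client_ip):
    """Classify the delivering IP for the sender's domain: pass/fail/softfail/neutral/none."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    parsed = parse_spf(record) if record else None
    if parsed is None:
        return "none"           # domain publishes no usable record
    nets, all_q = parsed
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in nets):
        return "pass"
    return {"-": "fail", "~": "softfail"}.get(all_q, "neutral")

if __name__ == "__main__":
    # A spoofed sender delivered from an address the domain never listed
    print(check_sender("tax-returns@irs.example.gov", "203.0.113.99"))  # fail
```

A "fail" result gives the mail gateway a reason to reject or quarantine a message claiming an agency address before it reaches an inbox.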

Conclusion
Government organizations can't afford to be a target for phishers. Phishers are generally not motivated by curiosity but by profit. That profit is derived in part by improperly obtaining classified or personal information and in part by exploiting that information for other nefarious gains. By taking steps now to ensure your agency is not unexpectedly involved in a phishing attack, you can help keep the data that resides on your systems secure and private.

Stacey McDaniel has been writing about high-tech issues for more than six years.
