Threat of phishing attacks shows no signs of diminishing
A memo issued by the FBI on July 16 warning federal agencies that government employees are being targeted by a phishing campaign seeking to exploit known vulnerabilities in Adobe Flash is only the most recent indication that phishing has become a favored method of attack against government agencies. As part of their cyber-security awareness efforts, multiple agencies – led by the Department of Homeland Security’s United States Computer Emergency Response Team (US-CERT) – encourage individuals and organizations to report phishing emails, which are a common approach used by hackers to infect government systems with malware or to try to obtain personal or technical information that could be useful in other types of attacks. Network monitoring and intrusion detection and prevention systems employed by the government are often helpful in identifying signs that malware has been introduced into agency environments (such as by noting network traffic flows from government agency sources to foreign or known-to-be-bad destinations) but they don’t appear to be very effective at flagging phishing emails that trick users into clicking on links or opening attachments that cause the infection.
It should come as no surprise that government employees are targeted in phishing scams as much or more often than commercial sector workers, given that many agencies publish employee directories online that include telephone numbers and email addresses. According to research reported by threat intelligence firm Recorded Future, user information including email addresses and login credentials from 47 different U.S. government agencies can be found online. The timeframe during which this information was available spans many months predating the disclosure of the large-scale compromise of government employee and contractor information from the Office of Personnel Management (OPM).
To address the phishing threat, many agencies are augmenting their security awareness training with exercises, often termed “phishing expeditions,” that entail sending fake phishing emails to employees and contractors and tracking how users respond. These fictional messages are specially designed to look like phishing emails and include tell-tale signs that users have ostensibly been trained to recognize as suspicious. Based on outside observation, the results appear mixed. A small but troubling minority of users (as many as 10 to 15 percent in some agencies) click on links embedded in fake phishing emails, and an even smaller number take the preferred action of reporting the suspicious email to an agency’s IT group or incident response team. On a somewhat more positive note, in the wake of the OPM breach, many government employees showed a heightened level of sensitivity towards potential email-based scams when they responded with alarm to email messages they received from the contractor OPM hired to notify individuals affected by the breach, thinking that these legitimate emails were actually phishing attempts. In all likelihood many agencies, particularly in the defense and intelligence arenas, blocked these externally-sourced messages and prevented their employees from receiving them in the first place. It turns out government worker suspicions were well founded: on June 30 US-CERT issued an alert indicating the existence of phishing campaigns related to the OPM breach, presumably capitalizing on the potential confusion regarding notification to affected personnel and identity protection services being made available to them.
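As an added example (not from the original post), here is how the click and report figures from such an exercise can be tallied in a way that does not overstate them: results are counted per recipient rather than per raw event, a user who clicked and then reported is separated from one who clicked silently, and reports from people outside the target population are ignored. The event format and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed exercise log: (user, action). "delivered" marks recipients of
# the fake phishing message; "clicked" and "reported" are the tracked outcomes.
DELIVERED = [f"user{i:02d}" for i in range(1, 21)]   # 20 recipients
EVENTS = [(u, "delivered") for u in DELIVERED] + [
    ("user03", "clicked"), ("user03", "clicked"),   # same user clicked twice
    ("user07", "clicked"), ("user07", "reported"),  # clicked, then reported it
    ("user12", "clicked"),
    ("user15", "reported"),
    ("user99", "reported"),                         # report with no delivery record
]


def summarize(events):
    """Classify each recipient by outcome and compute per-user rates.

    Counting unique users (not events) keeps a repeat clicker from inflating
    the click rate, and restricting to delivered recipients keeps stray
    reports from outside the exercise population out of the denominator.
    """
    actions = defaultdict(set)
    for user, action in events:
        actions[user].add(action)
    delivered = {u for u, acts in actions.items() if "delivered" in acts}
    clicked = {u for u in delivered if "clicked" in actions[u]}
    reported = {u for u in delivered if "reported" in actions[u]}
    n = len(delivered)
    return {
        "delivered": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        # clicked but then reported: responders still get a chance to react
        "clicked_then_reported": len(clicked & reported),
        # clicked and never reported: the users follow-up training should target
        "silent_clickers": sorted(clicked - reported),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```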
Because the OPM hack has generally been characterized as intended to harvest personal information for future use – in subsequent spear phishing attacks or to try to coerce individuals to divulge organizational information – the added awareness of phishing attacks in the wake of the OPM incidents may serve to reduce the likelihood that employees and contractors fall for phishing attacks in the future.