Berkeley Lab

Computer Security Annual Training (SEC 0201)


Spam and Phishing


    You received the email below. How will you handle it? View the next tab for the answer.

    Subject: FW: Agenda
    From: Steven Chu
    Date: Wed, 02 Mar 2011 03:21:01 
    This came in earlier this morning. FYI,
    ------- Original Message -------
    From: Morgan, Susan (ORO) []
    Sent: 3/2/2011 3:21:01 AM
    To: Steven, Chu; 
    Cc: Bisell, Mina; 
    Subject: Agenda
    Attachment: agenda.exe 
    Thanks Steven, I enjoy knowing you care about this!
    Susan Morgan
    Manager (510) 495-2522

    First, you should notice several suspicious things in the email:

    1. is not Steven's email - most use addresses for Berkeley email
    2. The forward is fake - there is no original message.
    3. The attachment is a .exe file - executable code that infects your machine
    4. The message is vague with no background. Have you ever heard of this?

    This is an example of a targeted attack. Targeted attacks use techniques such as spam or phishing combined with details or knowledge about Berkeley Lab. Spam and phishing are methods used by attackers to fool you into providing information or taking some action. Since these attacks rely on you to work, you must be on the alert. Report targeted attacks immediately to



    The following email was sent to collaborators at other labs. Can you identify what's suspicious about this email?

    Subject: TPS Personnel
    Attachment: tpspersonnel.xls
    Please view the attached for your information.
    Adam Arkin
    Assistant Professor of Bioengineering & Chemistry University of California,
    Berkeley College of Chemistry, Bioengineering Department Physical Biosciences
    Division Lawrence Berkeley National Laboratory
    One Cyclotron Road, Mailstop 977-152 Berkeley, CA 94720

    There are several things to note in this email:

    1. Once again, it's the wrong email - most use addresses for Berkeley Lab email
    2. Why did this need an attachment? Were you expecting an attachment? This attachment could contain malicious code.
    3. And again, the message is vague with no specifics.
    4. However, this message used a signature that appears legitimate.

    But this attack was even more subtle than it appeared. The message was only sent to collaborators that worked at labs with sensitive research. The attackers:

    1. Found a project online with a list of participants from DOE labs.
    2. Created a fake email account under Adam's name.
    3. Sent a malicious file to the subset of participants working at sensitive labs.

    This is an example of a sophisticated targeted attack. Report it immediately to


    Take Home

    Targeted phishing is a top attack facing Berkeley Lab - and the attacks have become very sophisticated. Attacks will reference people, conferences, and projects that are familiar to you. These attacks are hard to spot and constantly evolving. And they can be part of a larger, DOE-wide attack.

    We cannot give you concrete advice to ensure that you will always detect these. If it just doesn't feel right, report it to


    • Report targeted spam or phishing to
    • For normal spam or phishing (not targeted), use your email client to flag it as spam
    • Verify web and email addresses (e.g. make sure it's a .gov, not .com)
    • Be wary of vague messages or references to new or unknown projects
    • When viewing an email think, "could this be an attack?"

    Do not

    • Do not open attachments you are not expecting
    • Do not click on links in emails you are not expecting
    • Do not provide your username or password or any other account information via email
    • Do not download a file that ends in .exe
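
The sender-address and attachment checks from the two examples above can also be run automatically when a suspicious message is reported. The sketch below is an added example, not part of the original training material; the domain `lab.example`, the sender address and every extension other than .exe are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumptions, not from the training page: the organisation's mail domain is
# the placeholder "lab.example"; the page names only .exe, the rest are added.
TRUSTED_DOMAINS = {"lab.example"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample modelled on the first email in the training page.
SAMPLE = """\
From: Steven Chu <steven.chu@webmail.example>
To: staff@lab.example
Subject: FW: Agenda
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This came in earlier this morning. FYI,
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="agenda.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def triage(raw):
    """Return a list of indicator codes found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Judge the address itself; the display name is attacker-controlled.
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in TRUSTED_DOMAINS
    if external:
        findings.append("external-sender")
    for part in msg.iter_attachments():
        ext = PurePosixPath(part.get_filename() or "").suffix.lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append("executable-attachment")
        elif external:
            findings.append("unexpected-attachment")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A From domain that matches is not proof of origin, since the header can be forged; the check only catches the mismatches shown in the examples.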