Berkeley Lab

Computer Security Annual Training (SEC 0201)


Spam and Phishing

    Question

    You received the email below. How would you handle it?

    Subject: FW: Agenda
    From: Steven Chu steven.chu@gmail.com
    Date: Wed, 02 Mar 2011 03:21:01 
    To: you@lbl.gov
    
    This came in earlier this morning. FYI,
    
    ------- Original Message -------
    From: Morgan, Susan (ORO) [maito:smorgan@doe.gov]
    Sent: 3/2/2011 3:21:01 AM
    To: Steven, Chu; 
    Cc: Bisell, Mina; 
    Subject: Agenda
    Attachment: agenda.exe 
    
    Thanks Steven, I enjoy knowing you care about this!
    
    Susan
    
    Susan Morgan
    Manager(510) 495-2522
    smorgan@doe.gov
    

    First, you should notice several suspicious things in the email:

    1. steven.chu@gmail.com is not Steven's email address - most people use @lbl.gov addresses for Berkeley Lab email
    2. The forward is fake - there is no original message.
    3. The attachment is a .exe file - executable code that can infect your machine
    4. The message is vague with no background. Have you ever heard of this?

    This is an example of a targeted attack. Targeted attacks use techniques such as spam or phishing combined with details or knowledge about Berkeley Lab. Spam and phishing are methods used by attackers to fool you into providing information or taking some action. Since these attacks rely on you to work, you must be on the alert. Report targeted attacks immediately to security@lbl.gov.
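    The four warning signs above, turned into a small triage script. This is an added example, not part of the training page: it parses a constructed copy of the sample message with Python's standard `email` module, and the trusted-domain set and the name-to-domain directory are assumptions made for the demo.

```python
import email
import re
from email import policy

# Constructed copy of the page's first sample message (built for this demo, not a real capture).
SAMPLE = """\
From: Steven Chu <steven.chu@gmail.com>
To: you@lbl.gov
Subject: FW: Agenda
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This came in earlier this morning. FYI,

------- Original Message -------
From: Morgan, Susan (ORO) [maito:smorgan@doe.gov]
Subject: Agenda

Thanks Steven, I enjoy knowing you care about this!
--b1
Content-Type: application/octet-stream; name="agenda.exe"
Content-Disposition: attachment; filename="agenda.exe"

MZ...
--b1--
"""

LAB_DOMAINS = {"lbl.gov", "doe.gov"}   # assumed: domains colleagues' mail should come from
# Hypothetical directory: display names of known colleagues -> the domain they mail from.
DIRECTORY = {"steven chu": "lbl.gov"}

def triage(raw):
    """Return the warning signs found in one message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if sender.domain.lower() not in LAB_DOMAINS:
        findings.append(f"sender domain {sender.domain} is not a lab/DOE domain")
    expected = DIRECTORY.get(sender.display_name.lower())
    if expected and sender.domain.lower() != expected:
        findings.append(f"{sender.display_name} is known at {expected}, not {sender.domain}")
    for part in msg.iter_attachments():          # .exe attachment = executable code
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            findings.append(f"executable attachment {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # A mail client writes 'mailto:'; a hand-typed forward block mangles it (as in the sample).
    m = re.search(r"\[(\w+):\S+@", text)
    if "original message" in text.lower() and m and m.group(1).lower() != "mailto":
        findings.append("inline 'Original Message' header looks hand-typed: fake forward")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("WARNING:", f)
```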


    Question

    The following email was sent to collaborators at other labs. Can you identify what's suspicious about this email?

    From: adamarkin@yahoo.com
    Subject: TPS Personnel
    Attachment: tpspersonnel.xls
    
    Please view the attached for your information.
    
    Adam Arkin
    Assistant Professor of Bioengineering & Chemistry University of California,
    Berkeley College of Chemistry, Bioengineering Department Physical Biosciences
    Division Lawrence Berkeley National Laboratory
    One Cyclotron Road, Mailstop 977-152 Berkeley, CA 94720
    

    There are several things to note in this email:

    1. Once again, it's the wrong email address - most people use @lbl.gov addresses for Berkeley Lab email
    2. Why did this need an attachment? Were you expecting an attachment? This attachment could contain malicious code.
    3. And again, the message is vague with no specifics.
    4. However, this message used a signature that appears legitimate.

    But this attack was even more subtle than it appeared. The message was only sent to collaborators that worked at labs with sensitive research. The attackers:

    1. Found a project online with a list of participants from DOE labs.
    2. Created a fake email account under Adam's name.
    3. Sent a malicious file to the subset of participants working at sensitive labs.

    This is an example of a sophisticated targeted attack. Report it immediately to security@lbl.gov.


    Take Home

    Targeted phishing is a top attack facing Berkeley Lab - and the attacks have become very sophisticated. Attacks will reference people, conferences, and projects that are familiar to you. These attacks are hard to spot and constantly evolving. And they can be part of a larger, DOE-wide attack.

    We cannot give you concrete advice to ensure that you will always detect these. If it just doesn't feel right, report it to security@lbl.gov.

    Do

    • Report targeted spam or phishing to security@lbl.gov
    • For normal spam or phishing (not targeted), use your email client to flag it as spam
    • Verify web and email addresses (e.g. make sure it's a .gov, not .com)
    • Be wary of vague messages or references to new or unknown projects
    • When viewing an email think, "could this be an attack?"

    Do not

    • Do not open attachments you are not expecting
    • Do not click on links in emails you are not expecting
    • Do not provide your username or password or any other account information via email
    • Do not download a file that ends in .exe