
Overview

Spam, phishing, and targeted phishing require different handling.

Spam

If you receive spam, please use the Gmail interface to mark as spam and improve filtering going forward.

Some spam messages include instructions for supposedly removing your address from the mailing list. This will purportedly stop spam from that spam source. However, if you follow the instructions, chances are you are only making matters worse. Spammers use the removal replies to confirm addresses to receive even more spam.

Phishing

If you receive a phishing email, please use the Gmail interface to report it as phishing.

Phishing typically involves attempts to acquire sensitive information, such as usernames or passwords. Phishing messages frequently try to trick you into visiting a fraudulent website. For example, many phishing attempts redirect you to sites that appear to be eBay, Citibank, or PayPal, but are not. The phishers are trying to trick you into typing your username, password, and other sensitive information into these fraudulent websites. They then use the stolen username and password on the real eBay, Citibank, or PayPal.

Targeted Phishing

If you receive a targeted phishing email, please immediately report it to [email protected]

 If you receive an email that looks suspicious, asks for information or action, and is specifically targeted at you in the context of your affiliation with Berkeley Lab, UCB, UC, or DOE, please forward it as an attachment to [email protected]. The email may refer to familiar scientific projects, conferences, or experiments and may appear to come from colleagues, your supervisor, or even lab management. The attackers craft these messages to trick you into clicking a malicious attachment or link. 

The best defense for these attacks is to be aware of the attack methodology, remain vigilant, and report anything suspicious. 

See the social engineering page for more information.

Examples

Mark as Spam

  • Vendor marketing emails
  • Email with instructions to make you rich
  • Pseudoscience gibberish

Mark as Phishing

  • PayPal or Wells Fargo phishing
  • Your mailbox is full
  • Any email that links to a fake login page

Send to [email protected]

  • Email from "IT helpdesk" asking for your password
  • Email about a purchase order (PO) you are not familiar with
  • Spoofed email from your manager asking you to contact her


Targeted Phishing Examples

Below are examples of targeted phishing attacks seen against Berkeley Lab with commentary to assist you in avoiding similar attacks.

Example 1

In this example, the attacker sends a message from a fake address of a lab senior manager.

From: [email protected]
Subject: FW: Agenda
Body: This below agenda just came in form from Susan, please look at it.
>From: Norris, Susan (ORO)
>To: Manager, Senior; Rabovsky, Joel MJ
>Subject: Agenda
>Thanks, nice to know that you all care this so much!
>
>Susan Norris
>[email protected]
Attached: Agenda Mar 4.pdf

This attack was sent to 19 lab employees from an account the attacker created to look like a senior manager's Gmail account. Berkeley Lab is moving to Gmail, but all Berkeley Lab email accounts will remain @lbl.gov, not @gmail.com. The attacker's email contains a fake forwarded message with a malicious PDF file attached. If you opened this file with an unpatched version of Adobe Reader, your computer would be compromised.


Example 2

In this example, the attacker sends a message related to a conference. It is even possible you recently attended this conference. Attackers have been known to create target lists from conference attendee lists.

Subject: AIAA ASM Meeting in Reno
Body: Dear Solid Rockets Technical Committee Members,
Attached is the agenda for our upcoming meeting in Reno. Please let me know whether
or not you will be attending so that we can get a proper head-count for the dinner on Tuesday.
Attached: agenda.exe

Attackers prey on your curiosity. You may have an affiliation with this organization, you may not. Either way, you probably want more information. What is this conference? Where is it? Why am I getting this email? The attackers want you to think there is more information in the attachment. In fact, the attachment is a virus.


Example 3

In this example, the attacker sends a vague message about needing a project number.

Subject: Please send me a number for the following project.
Body: Attached is the file to use.
Attached: project.mdb

The vagueness of the message is part of the allure. You need more information. You hope there is more information in the attachment. In fact, project.mdb is a virus. What is unique about this example is the use of a .mdb (Microsoft Access) file. Malware commonly arrives as .exe or .zip files, but you should be aware that it can take many forms. At Berkeley Lab we have seen attacks using Microsoft Word (.doc), Microsoft Excel (.xls), Microsoft Access (.mdb), images (.jpg), HTML (.html), and Adobe Acrobat (.pdf) files.


Example 4

In this example, the attacker purportedly met you at a recent conference and is seeking employment.

Subject: AIAA Conference
Body: My name is xxxx xxxxx and I met you at the 42nd AIAA Joint Propulsion Conference last month.
I have both a M.A.Sc. and a B.Eng. in Aerospace Engineering Propulsion Systems. Currently I work as
...blah blah... In the meantime, I provide you a link to my resume for your review.
Attached: www.rocketscience.org/xxxxx/resume.doc

The important part of this example is to note the virus is not actually attached to the message. In fact, the virus is on some web page. The email provides a link to the virus. This attack is designed to bypass the virus filters that email is subjected to before being delivered. There is less scrutiny of web traffic than of email attachments, so links to viruses are a common methodology.


Example 5

In this example, the attacker pretends to be from the DOE.

Subject: HSPD-12 Identification Briefing
Body: As identified by Executive and Department of Energy (DOE) orders, all DOE and National Nuclear Security
Administration (NNSA) Federal and contractor employees, and other government agency personnel detailed to
the DOE, regardless of their security clearance status, will be participating in the switch to the new
HSPD-12 badge system. The DOE HSPD-12 Identification Briefing (HIB)....
...EMPLOYEES RECEIVING THIS NOTICE ARE REQUIRED TO COMPLETE THIS BRIEFING IMMEDIATELY.
Link: http://www.energyoclc.net/HSPD12Training/

In this example the attacker appears to be pointing you to a DOE site to change your badge. Notice that the URL given is not a .gov site. Also ask yourself whether you had heard anything about this before the email arrived. If you have never heard of this project, it is probably a scam. In this case, the website they link to looks very official. It displays DOE banners and graphics. Notice how the attacker tries to give the message a sense of urgency. The attacker wants you to believe something needs to be done immediately. They are trying to get you to react before you think. Do not let an email such as this pressure you into clicking before you think.


Example 6

In this attack, the attackers refer to lab managers and attempt to use the recipient to spread the phish further.

From: Centers for Disease Control and Prevention <[email protected]>
Subject: Government Health Program
Body: In attention of [Real LBNL Manager] at Lawrence Berkeley Lab. Within the last few years there has been a
continue increasing of work-related diseases. A large part of interviewed personnel (about 65%) thought that
stress at work was one of the essential factors. Centers for Disease Control an Prevention (CDC) has started
a graduate program to study this issue. This is a Governmental Program and your duty is to verify that the
attachment you`ve received is complete (if not you can find it here), and forward it to all.
Link: http://www.so-me.net/class/DiseasePrevention.doc

This attack was targeted at only 6 lab employees who work with financial data. The attacker makes the message appear to come from the CDC. Notice how the attacker also refers to a lab manager to give the message legitimacy. The attacker provides a link to the document rather than attaching it, because an attachment is much more likely to be caught by email virus filtering than a link. The attacker also asks the recipients to forward the message to others, trying to leverage the 6 people to spread the malware further.

Tips

Below are tips to avoid targeted phishing attacks.

  • Be wary of vague messages
  • Look out for attackers preying on your need for more information
  • When viewing an email think, "could this be an attack?"
  • Be suspicious of official lab correspondence not from an @lbl.gov email address
  • Use extra caution with attachments you are not expecting
  • Be cautious clicking links; a single click can compromise your system
  • Consider picking up the phone to verify suspicious messages
  • Do not forward or spread suspicious messages
  • Avoid using the Internet Explorer web browser
  • Ensure your anti-virus definitions are current
  • Get a second opinion by forwarding as an attachment to [email protected]
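
As an added example (not Berkeley Lab's own tooling), the following Python applies several of the tips above to one message: sender domain outside @lbl.gov, unexpected attachment types, government-themed text that links to a non-.gov host, links that point directly at a file, and urgency wording. The sample message, the `.example` domains, and the keyword lists are constructed assumptions.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

LAB_DOMAIN = "lbl.gov"  # official lab mail domain named on the page
RISKY_EXT = {".exe", ".zip", ".doc", ".xls", ".mdb", ".jpg", ".html", ".pdf"}  # types the page lists
URGENCY = re.compile(r"\b(immediately|required|urgent)\b", re.I)  # assumed keyword list
GOV_CLAIM = re.compile(r"\b(DOE|Department of Energy|NNSA|CDC)\b")  # assumed keyword list
URL_RE = re.compile(r"https?://[^\s<>]+")

def triage(raw):
    """Return warning signs found in one raw message; signals for caution, not a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    findings, text = [], ""
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != LAB_DOMAIN and not domain.endswith("." + LAB_DOMAIN):
        findings.append("sender-not-lab-domain:" + domain)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if os.path.splitext(name)[1].lower() in RISKY_EXT:
                findings.append("risky-attachment:" + name)
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if GOV_CLAIM.search(text) and not host.endswith(".gov"):
            findings.append("gov-claim-non-gov-link:" + host)
        if os.path.splitext(parsed.path)[1].lower() in RISKY_EXT:
            findings.append("link-to-file:" + url)  # file hosted on the web, not attached
    if URGENCY.search(text):
        findings.append("urgency-language")
    return findings

def sample_message():
    """Constructed message combining traits of the examples above."""
    m = EmailMessage()
    m["From"] = "Senior Manager <senior.manager@mail.example>"
    m["Subject"] = "HSPD-12 Identification Briefing"
    m.set_content("All DOE employees are REQUIRED TO COMPLETE THIS BRIEFING IMMEDIATELY.\n"
                  "http://doe-training.example/HSPD12Training/\n")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="agenda.exe")
    return m.as_string()

if __name__ == "__main__":
    print(triage(sample_message()))
```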

Resources

A number of web resources are available to increase your skills in detecting phishing.

  • CPP has a webpage with information on common social engineering techniques
  • When sending official lab email, prevent it from looking phishy
  • Carnegie Mellon has a flash game to build your skills in identifying phishing

Hoaxes

If you receive a hoax, please mark it as Spam.

While the vast majority of computer security information on the Internet is accurate and useful, there are unfortunately a number of hoaxes circulating as well. For that reason, do not forward warnings about computer viruses, Trojan horses, or any other Internet danger to others unless you are sure they are true.

The following websites are good resources to determine if a given message is indeed a hoax.




Reporting

If you receive an email that looks suspicious, asks for information or action, and is specifically targeted at you in the context of your affiliation with Berkeley Lab, UCB, UC, or DOE, please forward it as an attachment to [email protected].

Details to help you distinguish between spam, phishing, and targeted phishing can be found here.


