Suspicious feeling leads IT’s Susan Green to report targeted attack
Maybe it comes from working for 15 years in Berkeley Lab’s IT Division, but administrative assistant Susan Green likes to keep a close eye on her email, even those messages that end up in her spam folder. On Jan. 25, she saw a message announcing an update to Berkeley Lab Gmail and opened the message. Inside, the text looked legitimate, but the return address caught her attention.
“Although it read like a normal memo, it didn’t seem quite right – it didn’t have an lbl.gov address,” Green said. “I noticed the word ‘lawyer’ in the email address, which wasn’t right.”
Instead of clicking on the link in the message – and since the message mentioned Gmail – Green took it to another IT employee, who was on a conference call. Green showed it to another IT manager, but was worried that she might be making a big deal out of nothing. But then the IT manager asked her to forward the message and they found a sophisticated attack targeting specific Lab employees.
“They took the legitimate Lab logon page, duplicated it exactly, and rehosted it on another server,” said Jay Krous of the Computer Protection Program. “We saw that they took the time to craft it specifically for LBNL folks – it wasn’t like the usual bank scams with misspelled words. In fact, they used the same words as are on our website. That’s when we went into alarm mode.”
The Computer Protection Program team immediately blocked access to the server from the lab, then went to work finding out who received the message. In all, 363 employees were targeted. And what they all have in common is that they buy airline tickets and make travel arrangements.
Apparently the people behind the attack hoped to obtain the employee credentials and purchase tickets on small foreign airlines – airlines that allow purchasers to return unused tickets for cash.
It turns out the targeted phishing attack had been tried in the exact same way against a number of other .edu sites. Another sign of the attack’s sophistication is that the subject line varied and the messages came from two different addresses, making it harder to block.
“People reporting these malicious email are an important part of our protection strategy. Thanks to Susan following her intuition, we were able to block this early, and no one at the lab logged into the fake site,” Krous said. “It’s important that employees alert us as soon as they see something that doesn’t seem right – the sooner we hear about it, the sooner we can block it.”
Krous said employees should report malicious emails targeting their UC, DOE, or Berkeley Lab affiliations to email@example.com. And, of course, use caution with messages or attachments that are from people you don’t know or that you aren’t expecting.
For more cyber security information, visit the Berkeley Lab Computer Protection Program web site. For more information and examples of targeted phishing you can go here.