[ISN] DOD battles spear phishing

From: InfoSec News (alerts@private)
Date: Tue Dec 26 2006 - 22:13:43 PST


http://www.fcw.com/article97186-12-26-06-Web

By Bob Brewin
Dec. 26, 2006

The Defense Department is battling a significant and widespread effort 
to penetrate DOD information systems with sophisticated, targeted, 
socially engineered e-mail messages in a technique known as spear 
phishing, according to internal documents.

The Joint Task Force-Global Network Operations (JTF-GNO) warned DOD 
users last month in an internal presentation that everyone within DOD is 
a spear phishing target. Attempts have been made against all ranks in 
all services in all geographic locations. DOD civilians and military 
contractors have also been hit by spear phishing attacks, the JTF-GNO 
presentation states.

The Defense Security Service (DSS), which supports contractor access to 
DOD networks, said in a bulletin sent to contractors in October that 
JTF-GNO has observed tens of thousands of malicious e-mails targeting 
soldiers, sailors, airmen and Marines; U.S. government civilian workers; 
and DOD contractors, with the potential compromise of a significant 
number of computers across the DOD.

U.S. Forces Korea echoed this warning in a recent information assurance 
alert. It warns that outsiders target its information systems on a daily 
basis by phishing and spear phishing attacks, which attempt to gain 
access to operational and personal information through bogus e-mail 
messages.

At this point, the true scope of compromise and exploitation is unknown, 
but likely thousands more users and computers have been, or will be, 
successfully targeted, the bulletin states.

The bulletin adds that the sophistication of the techniques spear 
phishers use is reflected in their ability to obtain and apply 
legitimate DOD documents and data. The spear phisers also use enticing 
subject lines related to legitimate operations, exercises or military 
topics.

The U.S. Forces Korea information assurance alert states that 
unsolicited e-mail messages lure unsuspecting users to click on links to 
Web sites or attachments that download malicious software, known as 
malware, onto the system to steal data, including sensitive but 
unclassified information.

JTF-GNO illustrated the sophistication of spear phishing attacks DOD 
faces in a DOD Spear Phishing Awareness Training presentation obtained 
by Federal Computer Week. That presentation shows a faked message that 
appears to come from the operations division at the Pacific Command 
(Pacom) with a PowerPoint attachment concerning the Pacom Valiant Shield 
exercise held this summer.

But the seemingly legitimate address and PowerPoint slides were fake, 
and clicking on the attachment would launch malware that could infect 
the users computer, the JTF-GNO presentation warned. All DOD employees 
and contractors must spear phising awareness training by Jan. 17, 2007, 
according to internal DOD messages.

JTF-GNO acknowledged its spear phishing challenges in its awareness 
presentation which states, The attacker selectively chooses the 
recipient (target) and usually has a thorough understanding of the 
targets command or organization.

Spear phishing e-mail messages appear genuine, have legitimate 
operational and exercise names, and may address the recipient by name 
and use internal lingo and jargon, the JTF-GNO presentation states.

Last month, JTF-GNO mandated use of plain text e-mail. HTML messages 
pose a threat to DOD because the code can contain spyware, and in some 
cases, could contain executable code that could enable intruders to 
access DOD networks, a JTF-GNO spokesman said.

The department also beefed up its network security and e-mail security 
in November with a new generation of Common Access Cards, which include 
public-key infrastructure to access e-mail. DOD users are also supposed 
to digitally sign their e-mail messages.

But the JTF-GNO spear phishing awareness presentation makes it clear 
that technology alone will not defeat the threats spear phishing pose. 
JTF-GNO instructed DOD e-mail users to ensure that the source is 
legitimate and the message is digitally signed before they click on any 
link in a message or open an attachment.

E-mail messages from organizations or individuals outside DOD should be 
viewed with caution, the JTF-GNO presentation states, and DOD e-mail 
users should be suspicious of their formats and attachments.

DOD spokespeople have declined to identify the sources behind the spear 
phishing attacks or e-mail messages infected with malware. But in a 
presentation to the AFCEA LandWarNet conference this summer, Lee LeClair 
of the Armys Network Enterprise Technology Command/9th Signal Command 
said U.S. military networks are faced with attacks by state-sponsored 
teams that control botnets and engage in spear phishing.

Jessica Kalish, a spokeswoman at iS3, which sells anti-phishing 
software, said lone hackers do not carry out spear phishing attacks. 
They are mounted by criminal enterprises, terrorist organizations, 
malcontents or espionage operations, she said.

Spear phishing attacks are often enabled by spyware installed on a users 
PC, which can, for example, capture keystrokes that indicate a target is 
working on Valiant Shield, Kalish said. The attacker then crafts a fake 
PowerPoint attachment loaded with malware, which is launched when 
clicked by the unsuspecting recipient.

Kalish said the Anti-Phishing Working Group has developed a database of 
phishing attacks that can help defend against spear phishing, but only 
after it identifies an attack. Kalish said iS3s Stopzilla anti-spyware 
and anti-phising software uses heuristics to proactively identify 
potential spear phishing attempts.

Stopzilla warns users about potential fake Web sites or attachments 
packed with malware before a user clicks through and launches a 
dangerous program, Kalish said.

Max Caceres, director of product management at Core Security 
Technologies, which sells software used by DOD and other federal 
agencies to test how their employees resists spear phising attacks, said 
the wide range of information available online makes it easy to gain 
inside knowledge of an organization and craft targeted attacks.

Core Security Technologies has never failed in its spear phishing tests 
against large organizations, Caceres said, an indication of the task DOD 
faces as it attempts to battle its latest network threat. The human 
factor which requires e-mail users to carefully examine their messages, 
plays a critical role in defeating spear phishing, Caceres said.

The JTF-GNO spokesman is on holiday leave this week and did not respond 
to detailed questions from FCW on the breadth of spear phishing attacks 
against DOD. A Pentagon spokesman deferred to JTF-GNO to answer an FCW 
query.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Tue Dec 26 2006 - 22:25:10 PST