Phishing attacks becoming more sophisticated

Targeted attacks, usually through e-mail messages, are “getting scarier and scarier,” former FBI computer crime investigator says.

Hostile code attached to e-mail messages is one of the most significant cybersecurity problems federal agencies face today, said an industry analyst and former FBI investigator on Tuesday.

Comment on this article in The Forum."It's getting scarier and scarier and scarier," said Michael Gibbons, principal of security and privacy services at Deloitte and former chief of computer crime investigations. "It's not a case of Chicken Little, 'The sky is falling.' The sky is actually falling [and] it's just a matter of when a piece is going to hit you on the head."

Long recognized as a serious problem, phishing attacks send messages masquerading as notices from legitimate organizations or persons to computer users, with the expectation that they will click on a link and enter personal information, such as bank account numbers or passwords. Spear phishing attacks, however, target specific individuals, frequently using their name, and are therefore harder to spot and avoid.

Phishing is the most common cyberattack that agencies experience. Of the nearly 63,000 cyber incidents reported to the Homeland Security Department's U.S. Computer Emergency Readiness Team between 2003 and 2006, almost 42,000 were phishing attempts. US-CERT was established in 2003 to coordinate the government's response to cyberattacks.

Spear phishing attacks have become more sophisticated, requiring a recipient of a malicious e-mail to do nothing more than click on a link to launch software that automatically infiltrates a network to capture personal information. In the past, spear phishing attacks required users to click on a link and then enter personal information in a specific field for the attacker to steal information.

Gibbons, who spoke on Tuesday at the Digital Government Institute's Cybersecurity Conference and Expo, noted an example of an e-mail sent to a group of defense contractors that appeared to be from a Pentagon employee. The e-mail included a spreadsheet attachment that supposedly contained procurement requirements for a variety of products. When recipients clicked on the attachment, they inadvertently launched software that attached itself to the computers and tracked users' keystrokes, providing the hacker access to all information entered into their computers, including user names and passwords.

In another example, when a user clicked on a link embedded in an e-mail, hostile code automatically linked the IP address of a legitimate Web site to a bogus one so the next time a user typed in the address, the user would unknowingly be routed to the imposter site, which requested personal information.

"With hostile code, the challenge now is that attacks are focused. They're going after heads of agencies and [administrators] of contracts," to obtain valuable information, Gibbons said. "If we worked as effectively as the hackers, we'd have real-time intelligence" to intercept these attacks. He also said agencies should provide user education and training to help employees recognize phishing attempts.