The phishing emails may refer to things that seem relevant to your work or research. This is not a coincidence; it is by design. The attackers craft the messages to have the maximum chance of fooling you. For example, many of these emails refer to specific scientific projects, conferences, or experiments. However, the emails are not legitimate; they are the latest trend being used by cyber criminals. The emails contain malware and/or links to malware posted on websites. In most cases, this malware is too new to be detected by antivirus software. You cannot count on antivirus software to protect you from these attacks.
Below are some very specific examples of the current type of targeted phishing. These examples are taken from real attacks we have seen at Berkeley Lab. In the next section we provide tips to avoid falling victim to targeted phishing.
Example 1
In this example, the attacker sends a message related to a conference. It is even possible you recently attended this conference. Attackers have been known to base targets on conference attendee lists.
Subject: AIAA ASM Meeting in Reno
Body: Dear Solid Rockets Technical Committee Members,
Attached is the agenda for our upcoming meeting in Reno. Please let me know whether
or not you will be attending so that we can get a proper head-count for the dinner on Tuesday.
Attached: agenda.exe
Attackers prey on your curiosity. You may have an affiliation with this organization, you may not. Either way, you probably want more information. What is this conference? Where is it? Why am I getting this email? The attackers want you to think there is more information in the attachment. In fact, the attachment is a virus. If you open the attachment, your system will become infected.
Example 2
In this example, the attacker refers to a scientific experiment. This could even be an experiment with which you are familiar.
Subject: IPD Successful Ignition Test
Body: IPD successfully completed igniter test using GH2 for the first time. Unlike before, when we
burned only GO2, this time we ...blah blah... I added a picture and the word doc I have been
putting together for those who want more information.
Attached: IPD_Ignition_Test_E346C.zip
As you probably guessed by now, the attachment IPD_Ignition_Test_E346C.zip is a virus. Keep in mind that attackers will use any information they can find against you. If the attackers know you are involved in nanoscience research, they may target you with an email referring to new research or a new finding in nanoscience.
Example 3
In this example, the attacker sends a very vague message about needing a project number.
Subject: Please send me a number for the following project.
Body: Attached is the file to use.
Attached: project.mdb
The vagueness of the message is part of the allure. You need more information. You hope there is more information in the attachment. In fact, project.mdb is a virus. If you were to open the file, your system would become infected. What is unique about this example is the use of an .mdb (Microsoft Access) file. Malware commonly arrives as .exe or .zip files, but you should be aware that malware can take many forms. At Berkeley Lab we have seen attacks using Microsoft Word (.doc), Microsoft Excel (.xls), Microsoft Access (.mdb), images (.jpg), HTML (.html), and Adobe Acrobat (.pdf) files.
Example 4
In this example, the attacker purportedly met you at a recent conference and is seeking employment.
Subject: AIAA Conference
Body: My name is xxxx xxxxx and I met you at the 42nd AIAA Joint Propulsion Conference last month.
I have both a M.A.Sc. and a B.Eng. in Aerospace Engineering Propulsion Systems. Currently I work as
...blah blah... In the meantime, I provide you a link to my resume for your review.
Attached: www.rocketscience.org/xxxxx/resume.doc
The important point in this example is that the virus is not actually attached to the message. Instead, the virus is hosted on a web page and the email provides a link to it. This attack is designed to bypass the virus filters that email is subjected to before being delivered: a message is more likely to get through those filters if it links to the virus rather than attaching it. Also note that the malicious file is a Word document. Vulnerabilities in many common applications, such as Word, allow a virus to be delivered in disguised forms, such as inside a Word document.
Example 5
In this example, the attacker pretends to be from the DOE.
Subject: HSPD-12 Identification Briefing
Body: As identified by Executive and Department of Energy (DOE) orders, all DOE and National Nuclear Security
Administration (NNSA) Federal and contractor employees, and other government agency personnel detailed to
the DOE, regardless of their security clearance status, will be participating in the switch to the new
HSPD-12 badge system. The DOE HSPD-12 Identification Briefing (HIB)....
...EMPLOYEES RECEIVING THIS NOTICE ARE REQUIRED TO COMPLETE THIS BRIEFING IMMEDIATELY.
Link: http://www.energyoclc.net/HSPD12Training/
In this example the attacker appears to be pointing you to a DOE site to change your badge. Notice that the URL given is not a .gov site. Also ask yourself whether you had heard anything about this before the email arrived. If you have never heard of this project, it is probably a scam. In this case, the website they link to looks very official. It displays DOE banners and graphics. Also notice how the attacker tries to give the message a sense of urgency. The attacker wants you to believe something needs to be done immediately. They are trying to get you to react before you think. Do not let an email such as this pressure you into clicking before you think. If you are not sure, forward the email to cppm@lbl.gov and we can ensure it is legitimate.
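The indicators called out in Examples 1, 4 and 5 (a risky attachment type, a file delivered by link instead of attachment, and a non-.gov link with urgent wording in a message that claims to come from DOE) can be checked mechanically before a message reaches a reader. The following Python sketch is an added example, not Berkeley Lab's tooling; the phrase lists, the triage and sample functions, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from os.path import splitext
from urllib.parse import urlparse

# File types the page reports seeing in attacks; a hit means "review", not "malicious".
RISKY_EXT = {".exe", ".zip", ".mdb", ".doc", ".xls", ".jpg", ".html", ".pdf"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
URGENCY = re.compile(r"\b(immediately|required to complete|urgent)\b", re.I)  # assumed phrases
GOV_CLAIM = re.compile(r"\b(DOE|Department of Energy|NNSA)\b")  # assumed sender-claim words

def triage(raw):
    """Return sorted indicator strings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings, text = set(), str(msg.get("Subject", ""))
    for part in msg.walk():
        name = part.get_filename()
        if name and splitext(name)[1].lower() in RISKY_EXT:
            findings.add("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()  # decoded body text
    for url in (u.rstrip(".,)") for u in URL_RE.findall(text)):
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = parsed.hostname or ""
        if splitext(parsed.path)[1].lower() in RISKY_EXT:  # Example 4: file behind a link
            findings.add("link-to-file:" + host + parsed.path)
        if GOV_CLAIM.search(text) and not host.endswith(".gov"):  # Example 5
            findings.add("non-gov-link:" + host)
    if URGENCY.search(text):
        findings.add("urgency-language")
    return sorted(findings)

def sample(subject, body, attachment=None):  # builds a constructed test message
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

EX1 = sample("AIAA ASM Meeting in Reno", "Attached is the agenda.", "agenda.exe")
EX4 = sample("AIAA Conference", "Resume: www.rocketscience.org/xxxxx/resume.doc")
EX5 = sample("HSPD-12 Identification Briefing", "DOE employees ARE REQUIRED TO COMPLETE "
             "THIS BRIEFING IMMEDIATELY. http://www.energyoclc.net/HSPD12Training/")

if __name__ == "__main__":
    print(triage(EX1), triage(EX4), triage(EX5))
```

Because extension matching also hits ordinary .doc and .pdf traffic, the output is best used to route messages for review or to add a warning banner rather than to block outright.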
Below are tips and resources to assist you in avoiding targeted phishing attacks.
A number of web resources are available to increase your skills in detecting the tricks of attackers. We highly recommend the following training.
If you have questions or comments about this website, please contact the CPP group via email at cppm@lbl.gov.
If you need general computer assistance, please contact the LBNL Help Desk at x4357, help@lbl.gov, or online at http://help.lbl.gov