The phishing emails may refer to things that seem relevant to your work or research. This is not coincidence, but rather by design. The attackers craft the messages to have the maximum chance of fooling you. For example, many of these emails refer to specific scientific projects, conferences, or experiments. However, the emails are not legitimate; the emails are the latest trend being utilized by cyber criminals. The emails contain malware and/or links to malware posted on websites. In most cases, this malware is too new to be detected by Anti-virus software. You cannot count on Anti-virus software to protect you from these attacks.
Below are some very specific examples of the current type of targeted phishing. These examples are taken from real attacks we have seen at Berkeley Lab. In the next section we provide tips to avoid falling victim to targeted phishing.
Example 1
In this example, the attacker sends a message related to a conference. It is even possible you recently attended this conference. Attackers have been known to base targets on conference attendee lists.
Subject: AIAA ASM Meeting in Reno
Body: Dear Solid Rockets Technical Committee Members,
Attached is the agenda for our upcoming meeting in Reno. Please let me know whether
or not you will be attending so that we can get a proper head-count for the dinner on Tuesday.
Attached: agenda.exe
Attackers prey on your curiosity. You may have an affiliation with this organization, you may not. Either way, you probably want more information. What is this conference? Where is it? Why am I getting this email? The attackers want you to think there is more information in the attachment. In fact, the attachment is a virus. If you open the attachment, your system will become infected.
Example 2
In this example, the attacker refers to a scientific experiment. This could even be an experiment with which you are familiar.
Subject: IPD Successful Ignition Test
Body: IPD successfully completed igniter test using GH2 for the first time. Unlike before, when we
burned only GO2, this time we ...blah blah... I added a picture and the word doc I have been
putting together for those who want more information.
Attached: IPD_Ignition_Test_E346C.zip
As you probably guessed by now, the attachment IPD_Ignition_Test_E346C.zip is a virus. Keep in mind that attackers will use any information they can find against you. If the attackers know you are involved in nanoscience research, they may target you with an email referring to new research or a new finding in nanoscience.
Example 3
In this example, the attacker sends a very vague message about needing a project number.
Subject: Please send me a number for the following project.
Body: Attached is the file to use.
Attached: project.mdb
The vagueness of the message is part of the allure. You need more information. You hope there is more information in the attachment. In fact, project.mdb is a virus. If you were to open the file your system would become infected. What is unique about this example is the usage of a .mdb (Microsoft Access) file. Commonly malware is .exe or .zip files, but you should be aware malware can take many forms. At Berkeley Lab we have seen attacks using Microsoft Word (.doc), Microsoft Excel (.xls), Microsoft Access (.mdb), images (.jpg), HTML (.html), and Adobe Acrobat (.pdf) files.
Example 4
In this example, the attacker purportedly met you at a recent conference and is seeking employment.
Subject: AIAA Conference
Body: My name is xxxx xxxxx and I met you at the 42nd AIAA Joint Propulsion Conference last month.
I have both a M.A.Sc. and a B.Eng. in Aerospace Engineering Propulsion Systems. Currently I work as
...blah blah... In the meantime, I provide you a link to my resume for your review.
Attached: www.rocketscience.org/xxxxx/resume.doc
The important part of this example is to note that the virus is not actually attached to the message. In fact, the virus is on some webpage. The email provides a link to the virus. This attack is designed to bypass the virus filters that email is subjected to before being delivered. The chances of this message getting through the email virus filters increase if it includes a link to the virus rather than attaching the virus. Also note that the attack uses a Word document. There are vulnerabilities in many common applications, such as Word, that allow a virus to be delivered in obscured ways, such as inside a Word document.
Example 5
In this example, the attacker pretends to be from the DOE.
Subject: HSPD-12 Identification Briefing
Body: As identified by Executive and Department of Energy (DOE) orders, all DOE and National Nuclear Security
Administration (NNSA) Federal and contractor employees, and other government agency personnel detailed to
the DOE, regardless of their security clearance status, will be participating in the switch to the new
HSPD-12 badge system. The DOE HSPD-12 Identification Briefing (HIB)....
...EMPLOYEES RECEIVING THIS NOTICE ARE REQUIRED TO COMPLETE THIS BRIEFING IMMEDIATELY.
Link: http://www.energyoclc.net/HSPD12Training/
In this example the attacker appears to be pointing you to a DOE site to change your badge. Notice that the URL given is not a .gov site. Also ask yourself whether you had heard anything about this program before the email arrived. If you have never heard of the project, it is probably a scam. In this case, the website they link to looks very official. It displays DOE banners and graphics. Also notice how the attacker tries to give the message a sense of urgency. The attacker wants you to believe something needs to be done immediately. They are trying to get you to react before you think. Do not let an email such as this pressure you into clicking before you think. If you are not sure, forward the email to cppm@lbl.gov and we can ensure it is legitimate.
Example 6
In this example, the attack appears to be a reply to a domain registration request.
From: johnny.appleseed@gmail.com
Subject: www.vertecal.com registration
Body: Thank you for registering with vertical. Your temporary PIN is: 459578. Once you enter this PIN, you'll be
prompted to change it to a different 6-digit code of your choosing. If you encounter any difficulty with the
site registration process, please call us 24 hours a day, 7 days a week.
Link: http://www.vertecal.com/support-documentation.html
This attack was targeted to only 6 lab employees that work with financial data. This attack represents a new evolution: all you have to do is click the link and your computer is compromised. Unlike the attacks above, you do not need to download or open anything. The attackers have placed a malicious Flash file at the URL above. As soon as you click, someone else can do whatever they like on your computer. Also note how the attackers say you can call 24/7 for help. You may be tempted to let the addition of a phone contact in the email give you some assurance that the email is legitimate; don't!
Example 7
This is the most sophisticated attack we have seen to date.
From: Centers for Disease Control and Prevention <programs@cdc.govname>
Subject: Government Health Program
Body: In attention of [Real LBNL Manager] at Lawrence Berkeley Lab. Within the last few years there has been a
continue increasing of work-related diseases. A large part of interviewed personnel (about 65%) thought that
stress at work was one of the essential factors. Centers for Disease Control an Prevention (CDC) has started
a graduate program to study this issue. This is a Governmental Program and your duty is to verify that the
attachment you`ve received is complete (if not you can find it here), and forward it to all.
Link: http://www.so-me.net/class/DiseasePrevention.doc
This attack was targeted to only 6 lab employees that work with financial data. The attacker makes the message appear to come from the CDC. Notice how the attacker also refers to a lab manager to give the message legitimacy. The attacker asks you to verify the attachment, but there is no attachment. Instead, the attacker provides a link. The attacker does this because an attachment is much more likely to be caught by email virus filtering. A link is not as likely to get caught. Also note that the link appears to be to a .doc file, but will actually download a different type of malicious file. The attacker asks the recipients to "forward it [the message] to all". The attacker is trying to leverage the 6 people to spread the malware further. Now imagine if someone from the lab had forwarded you this message; that would have added yet another level of apparent trust for the next recipient.
Below are tips and resources to assist you in avoiding targeted phishing attacks.
A number of web resources are available to increase your skills in detecting the tricks of attackers. We highly recommend the following training.
If you have questions or comments about this website, please contact the CPP group via email at cppm@lbl.gov.
If you need general computer assistance, please contact the LBNL Help Desk at x4357, help@lbl.gov, or online at http://help.lbl.gov