The best defense for these attacks is to be aware of the attack methodology, remain vigilant, and report anything suspicious to cppm@lbl.gov.
Below are examples of targeted phishing attacks seen against Berkeley Lab with commentary to assist you in avoiding similar attacks.
Example 1
In this example, the attacker sends a message from a fake address of a lab senior manager.
From: Lab.senior.manager@gmail.com
Subject: FW: Agenda
Body: This below agenda just came in form from Susan, please look at it.
>From: Norris, Susan (ORO)
>To: Manager, Senior; Rabovsky, Joel MJ
>Subject: Agenda
>Thanks, nice to know that you all care this so much!
>
>Susan Norris
>norrissg@oro.doe.gov
Attached: Agenda Mar 4.pdf
This attack was sent to 19 lab employees from an account the attacker created to look like a senior manager's Gmail account. Berkeley Lab is moving to Gmail, but all Berkeley Lab email accounts will remain @lbl.gov, not @gmail.com. The attacker's email contains a fake forwarded email with a malicious PDF file. If you opened this file with an unpatched version of Adobe Reader, your computer would be compromised.
Example 2
In this example, the attacker sends a message related to a conference. It is even possible you recently attended this conference. Attackers have been known to create target lists from conference attendee lists.
Subject: AIAA ASM Meeting in Reno
Body: Dear Solid Rockets Technical Committee Members,
Attached is the agenda for our upcoming meeting in Reno. Please let me know whether
or not you will be attending so that we can get a proper head-count for the dinner on Tuesday.
Attached: agenda.exe
Attackers prey on your curiosity. You may or may not have an affiliation with this organization; either way, you probably want more information. What is this conference? Where is it? Why am I getting this email? The attackers want you to think there is more information in the attachment. In fact, the attachment is a virus.
Example 3
In this example, the attacker sends a vague message about needing a project number.
Subject: Please send me a number for the following project.
Body: Attached is the file to use.
Attached: project.mdb
The vagueness of the message is part of the allure. You need more information, and you hope there is more in the attachment. In fact, project.mdb is a virus. What is unique about this example is the use of a .mdb (Microsoft Access) file. Malware commonly arrives as .exe or .zip files, but you should be aware that it can take many forms. At Berkeley Lab we have seen attacks using Microsoft Word (.doc), Microsoft Excel (.xls), Microsoft Access (.mdb), image (.jpg), HTML (.html), and Adobe Acrobat (.pdf) files.
Example 4
In this example, the attacker purportedly met you at a recent conference and is seeking employment.
Subject: AIAA Conference
Body: My name is xxxx xxxxx and I met you at the 42nd AIAA Joint Propulsion Conference last month.
I have both a M.A.Sc. and a B.Eng. in Aerospace Engineering Propulsion Systems. Currently I work as
...blah blah... In the meantime, I provide you a link to my resume for your review.
Attached: www.rocketscience.org/xxxxx/resume.doc
The important part of this example is that the virus is not actually attached to the message. Instead, the virus is hosted on a web page, and the email provides a link to it. This attack is designed to bypass the virus filters that email is subjected to before being delivered. Web traffic receives less scrutiny than email attachments, so links to viruses are a common methodology.
Example 5
In this example, the attacker pretends to be from the DOE.
Subject: HSPD-12 Identification Briefing
Body: As identified by Executive and Department of Energy (DOE) orders, all DOE and National Nuclear Security
Administration (NNSA) Federal and contractor employees, and other government agency personnel detailed to
the DOE, regardless of their security clearance status, will be participating in the switch to the new
HSPD-12 badge system. The DOE HSPD-12 Identification Briefing (HIB)....
...EMPLOYEES RECEIVING THIS NOTICE ARE REQUIRED TO COMPLETE THIS BRIEFING IMMEDIATELY.
Link: http://www.energyoclc.net/HSPD12Training/
In this example the attacker appears to be pointing you to a DOE site to change your badge. Notice that the URL given is not a .gov site. Also ask yourself whether you had heard anything about this program before the email arrived; if you have never heard of it, the email is probably a scam. In this case, the website they link to looks very official and displays DOE banners and graphics. Notice how the attacker tries to give the message a sense of urgency: the attacker wants you to believe something needs to be done immediately, so that you react before you think. Do not let an email such as this pressure you into clicking before you think.
Example 6
In this attack, the attackers refer to lab managers and attempt to use the recipient to spread the phish further.
From: Centers for Disease Control and Prevention <programs@cdc.govname>
Subject: Government Health Program
Body: In attention of [Real LBNL Manager] at Lawrence Berkeley Lab. Within the last few years there has been a
continue increasing of work-related diseases. A large part of interviewed personnel (about 65%) thought that
stress at work was one of the essential factors. Centers for Disease Control an Prevention (CDC) has started
a graduate program to study this issue. This is a Governmental Program and your duty is to verify that the
attachment you`ve received is complete (if not you can find it here), and forward it to all.
Link: http://www.so-me.net/class/DiseasePrevention.doc
This attack was targeted at only 6 lab employees who work with financial data. The attacker makes the message appear to come from the CDC, and also refers to a lab manager to give the message legitimacy. The attacker provides a link to the document rather than an attachment, because an attachment is much more likely to be caught by email virus filtering; a link is not as likely to be caught. The attacker also asks the recipients to forward the message to others, trying to leverage the 6 people to spread the malware further.
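As an added example that is not part of the original page, the following Python script applies the warning signs the six examples above walk through (a sender domain that is not a lab or DOE domain, an official-sounding display name on a look-alike domain such as cdc.govname, attachment types seen carrying malware, links to non-.gov hosts or directly to files, and urgent language) to a raw email message. The trusted-domain list, the placeholder hosts and the sample message are assumptions constructed for illustration, not lab data.

```python
import re
from email import message_from_string, utils
from email.message import EmailMessage
from os.path import splitext
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"lbl.gov", "doe.gov", "oro.doe.gov"}  # assumed for this example, not a lab list
RISKY_EXT = {".exe", ".zip", ".doc", ".xls", ".mdb", ".jpg", ".html", ".pdf"}  # types seen in the examples
ORG_WORDS = re.compile(r"\b(DOE|CDC|Centers for Disease|Lab|Laboratory)\b", re.I)
URGENCY = re.compile(r"\b(immediately|required|urgent)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

def phish_indicators(raw):
    """Return the warning signs found in one raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain!r} is not a lab or DOE domain")
        if ORG_WORDS.search(name) and not domain.endswith(".gov"):  # e.g. cdc.govname
            findings.append(f"official-sounding name {name!r} on look-alike domain {domain!r}")
    body = ""
    for part in msg.walk():  # collect the plain-text body and inspect attachment names
        filename = part.get_filename()
        if filename and splitext(filename.lower())[1] in RISKY_EXT:
            findings.append(f"attachment {filename!r} is a file type used to carry malware")
        elif not filename and part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    for url in URL_RE.findall(body):
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname or ""
        if not host.endswith(".gov") and host not in TRUSTED_DOMAINS:
            findings.append(f"link points to non-government host {host!r}")
        if splitext(parts.path)[1].lower() in RISKY_EXT:
            findings.append(f"link {url!r} downloads a file rather than opening a page")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent language pressing for immediate action")
    return findings

def build_sample():
    """Constructed message modelled on Examples 1 and 5 above; not a real phish."""
    m = EmailMessage()
    m["From"] = "Lab Senior Manager <lab.senior.manager@gmail.com>"
    m["Subject"] = "FW: HSPD-12 Identification Briefing"
    m.set_content("You are REQUIRED to complete this IMMEDIATELY: http://hspd12.example.net/")
    m.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf",
                     filename="Agenda Mar 4.pdf")
    return m.as_string()
```

Running `phish_indicators(build_sample())` reports five findings for the constructed message; a message from an @lbl.gov address with a .gov link and no urgent wording returns an empty list.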
Below are tips to avoid targeted phishing attacks.
A number of web resources are available to increase your skills in detecting phishing.
If you receive an email that looks suspicious, asks for information or action, and is specifically targeted at you in the context of your affiliation with Berkeley Lab, UCB, UC, or DOE, please forward it as an attachment to cppm@lbl.gov.
Details to help you determine between spam, phishing, and targeted phishing can be found here.