U.S. Strategic Command

 

Spear phishers target military members at home, work

By Staff Sgt. Samuel Morse | 35th Fighter Wing Public Affairs | February 12, 2010


Information warfare was around long before the computer. Even in the days of homing pigeons, adversaries would attempt to intercept each other's messages to gain an advantage.

Today, the enemy is still trying to steal our secrets, but they have devised new methods in this age of ones and zeros. One of these methods is known as spear phishing.

Phishing is defined by Joint Task Force-Global Network Operations officials as "criminal activity using social engineering techniques." Phishers attempt to fraudulently acquire sensitive information, such as passwords, personal information, military operations and financial details by masquerading in an e-mail as a trustworthy person or business.

Spear phishing, on the other hand, is a highly targeted phishing attempt. A phisher often will use the victim's name, organization, and even relevant jargon to further convince them that the e-mail is legitimate, said JTF-GNO officials. They will spoof who the e-mail is from, making it look like it came from a coworker or friend. There may be spelling mistakes due to third-country national origin, but for all intents and purposes, the e-mail will look legitimate.

While normal phishing is almost always for the purpose of identity theft, spear phishing on government systems is usually an attempt to gather information and intelligence. Spear phishers usually will attempt to make you open an attachment or Web link that will load malicious logic onto your computer. Oftentimes, the malicious logic is a key logger, a program that records keys typed on a keyboard and sends the keystroke data to the phisher, said Master Sgt. Thomas Parker, the 35th Fighter Wing information assurance office NCOIC.

Government systems are not the only computers targeted in these schemes. Military members can be targeted at home as well.

"It is critical that (everyone) understand that they will not be contacted by Air Force network (specialists) to upgrade their home-use common access card software or perform other actions on their home PC," said Master Sgt. James Rowland, from 13th Air Force cyber operations. "The Air Force's policy is to post all upgrade notices for the Common Access Card Home Use Program on the AF Portal. Download of the program and updates should only be accomplished via the AF Portal home page."

Sergeant Parker also said the best way to make sure an e-mail is authentic is to look for a digital signature. To his knowledge, phishers have yet to find a way to spoof a digital signature from a trusted site. He encourages all network users to digitally sign and encrypt their e-mails. If someone is unsure of how to do this, he or she can contact a local information assurance officer.

Another protective measure is to look for tell-tale signs of a fake e-mail. A lack of proper "For Official Use Only" tags, misspellings, incorrect signature blocks and other items out of place or missing can indicate a foreign origin.

Users should double-check Web site addresses. Links should start with "https://" rather than "http://". This denotes a secure connection. Also, the suffix ".mil" should be present in the domain name of official military Web sites. Unfortunately, even if a Web address has these elements, it can have an embedded link that takes you somewhere other than what it says. To combat this, Sergeant Parker suggests opening an empty browser and navigating to the Web page manually. While this may take longer, it will help prevent the user from falling victim to malicious logic.

If you must open an attachment, do not enable macros. Government systems are designed to give warnings when a document or other seemingly normal file attempts to do something other than what it was designed to do. Users should make sure e-mails with attachments are digitally signed and should request the e-mail to be resent with a signature if there isn't one, said 1st Lt. Robby Williams, the 35th Communications Squadron plans and resources flight commander.

"Blindly clicking 'yes' to alerts is the type of complacency that phishers are looking for," said Senior Airman Benjamin Nelson, a 35th Mission Support Group knowledge operator.

Also, disabling the e-mail preview pane, or at the very least disabling HTML on the preview pane, will give a degree of separation, allowing users to verify a sender before opening an e-mail with attachments.

"If you do get an e-mail that you deem to be suspicious, call the sender to verify that the e-mail did, in fact, come from them," said Sergeant Parker. "If not, or if the e-mail came from an organization outside the military, contact your information assurance officer so they can investigate the e-mail. If you have already opened the suspicious e-mail, Web link, or attachment, immediately unplug your computer from the network and contact your IAO."

E-mail is not the only medium being targeted, however. The increasing popularity of social media sites such as Facebook or Myspace has drawn phishers into these new frontiers.

"Status updates posted on Facebook, Myspace and Twitter that propagate headlines such as 'Donate to Haiti Efforts' or 'Facebook charging for membership' usually include a link to a website with additional information," said Sergeant Rowland. "The simple act of browsing a maliciously-crafted website is all it takes to infect your computer with information-stealing malware. Personally identifiable information is the hottest commodity in cyber crime rings--so be careful when giving details about yourself online."