Phishing emerges as major corporate security threat

Break-ins at Oak Ridge, RSA and others show that 'low-tech' phishing attacks can have serious consequences

The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and RSA is a stark reminder of the serious threat posed by what some experts have dismissed as a low-tech method of attack.

Oak Ridge, a U.S. Department of Energy-run research lab, this week disclosed it had shut down all Internet access and email services after discovering a sophisticated data stealing malware program on its networks.

According to the lab, the breach originated in a phishing email that was sent to about 570 employees. The emails were disguised to appear as notes about benefits changes written by the lab's HR department. When a handful of employees clicked on the embedded link in the email, a malware program was downloaded onto their computers.

The malware exploited an unpatched flaw in Microsoft's Internet Explorer software and was designed to search for and steal technical information from Oak Ridge, whose engineers are in the midst of an effort to build the world's fastest supercomputer.

An Oak Ridge official described the attack as being very similar to one that hit security vendor RSA last month.

That incident resulted in the theft of information about RSA's SecurID two-factor authentication technology. And a breach at Epsilon earlier this month, said to be the largest ever involving email addresses, is also suspected to have been caused by a targeted phishing campaign.

That hackers are able to penetrate such presumably well-protected organizations using low-tech, fake email methods points to the growing sophistication of targeted phishing campaigns and the continued tendency by enterprises to think that user education alone will mitigate the problem, analysts said.

"It doesn't surprise me at all," said Anup Ghosh, founder of security firm Invincea. "Almost every publicized and self-declared Advanced Persistent Threat (APT) attack this year has been through phishing emails."

Such emails, in fact, now appear to be the preferred method for illegally breaking into corporate networks, he said.

"All you need to do is to get an email to a target. You only need a very low click through rate to establish several points of presence inside an organization," Ghosh said. "If you have 1,000 employees in your organization and you train them all on not opening untrusted attachments, you'll still have someone doing it. This is not a problem you can train yourself out of."

Exacerbating the issue is the growing sophistication of phishing campaigns, analysts note.

Increasingly, organized cybergroups have started using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source.

Ghosh said he received such an email just last week. The message, which was sent to his personal account and appeared to be sent by a close friend, included a link that purportedly would take him to a set of photographs of the friend's daughter's birthday. The email even contained the first name of the friend's daughter.

There were some red flags in the email, but Ghosh noticed them only after clicking on the link. At first glance, he said, "It was convincing enough for me."

The fact that some form of phishing has been a part of many recent hacks is troubling, said Pete Lindstrom, an analyst with Spire Security. "We all seem to be failing at basic things, which points to the possibility that they aren't really basic," he said.

Companies must routinely log and monitor networks for data leaks enabled by such phishing campaigns, he said.

In phishing attacks, companies should focus more on response and containment rather than just prevention, said Rich Mogull, an analyst with Securosis.

In such attacks, companies are often dealing with adversaries with vast resources, patience and money. Often, such adversaries are willing to keep on trying until they break in. "It's nearly impossible to keep someone like that out of your organization," he said.

Therefore, IT security personnel should focus on minimizing damage, Mogull said. For example, companies should consider compartmentalizing networks and building "air gaps" between critical components and data to make it harder for intruders to hop around inside the network, he said.

Also key is the need for companies to extensively monitor internal networks to ensure that data is not being leaked out, he said.

"Targeted phishing attacks aren't all that low-tech anymore," said John Pescatore, an analyst at Gartner.

Increasingly, information from social networking sites such as LinkedIn and Facebook is used to make targeted phishing attacks harder to detect, he said. "With all the personal information and friends lists people expose on those sites, it is not that hard to craft a very personal-sounding email," Pescatore added.

In addition, Web security efforts, especially within government agencies and research labs like Oak Ridge, often focus on issues such as URL blocking to prevent access to porn and illegal sites rather than on blocking suspicious incoming mail, he said.

"This leaves them more open to damage if a user does fall for a phishing email, and at some point an employee always will fall for one," he said. "Twenty-five years of trying to rely on awareness and education has proven that over and over again."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is
