Targeted cyber attacks an 'epidemic'
- 2 June 2011
- From the section Technology
The targeted attack used by hackers to compromise e-mail accounts of top US officials is reaching 'epidemic' proportions, say security experts.
The scam, known as spear phishing, was used in a bid to get passwords of Gmail accounts so they could be monitored.
Via a small number of customised messages it tries to trick people into visiting a web page that looks genuine so users type in login names.
Such attacks are often aimed at top officials or chief executives.
Such attacks are not new, say security professionals, but they are becoming more commonplace.
"What is happening more and more is the targeting of a couple of high value individuals with the one goal of acquiring valuable information and valuable data," said Dan Kaminsky, chief scientist at security firm DKH.
"The most interesting information is concentrated in the accounts of a few people," he said. "Attackers using information to impersonate the users is at epidemic proportions and why computer security is in the state it is in."
In March, security firm RSA was hit by a sophisticated spear-phishing attack that succeeded despite only two attacking e-mails being sent. The phishing e-mail had the subject line "2011 Recruitment Plan" and contained a booby-trapped spreadsheet.
Google said it uncovered the deception through a combination of cloud based security measures, abuse detections systems and user reports. It also cited work done by a website called contagio dump.
The founder of the site is technologist and researcher Mila Parkour who said the method used in this attack was "far from being new or sophisticated".
She told the BBC she was first alerted to the problem by one individual back in February. She would not reveal their name or position.
Google said that among those targeted were senior US government officials, military personnel, journalists, Chinese political activists and officials in several Asian countries, predominately South Korea.
"Someone shared the incident with me," she said. "I did a mini research and analysis and posted the findings as I heard it happened to other people in the military and US government. I just wanted them to be aware and be safe."
Ms Parkour said attackers got access to the entire mailboxes of victims.
"I did not read the contents of the mailbox so not sure if anything extra interesting was there," she said. "I hope not."
Cyber attacks originating in China have become common in recent years, said Bruce Schneier, chief security technology officer at telecoms firm BT.
"It's not just the Chinese government," he said. "It's independent actors within China who are working with the tacit approval of the government."
China has said repeatedly it does not condone hacking, which remains a popular hobby in the country, with numerous websites offering cheap courses to learn the basics.
In 2010 Google was the victim what it called a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" that it said resulted in the theft of intellectual property.
Last year, US. investigators said there was evidence suggesting a link between the Lanxiang Vocational School in Jinan and the hacking attacks on Google and over 20 other firms. The school denied the report.
Security experts said spear phishing attacks were easy to perpetrate because of the amount of information people put on the internet about themselves on social networking sites such as Facebook and Twitter.
The mountain of data lets canny hackers piece together enough information to make e-mails they concoct appear convincing and genuine.
In this attack, some Gmail users received a message that looked like it came from a work colleague or was linked to a work project.
On Ms Parkour's site, she shows some of the spoof e-mails indicating how easy it was for people to be hoodwinked.
"It makes sense these bad guys would go that way given the amount of time, effort and investment they have to make in orchestrating an attack," said Dr Hugh Thompson, chief security strategist at People Security who also teaches at Columbia University.
People tend to trust messages that look like they come from people bearing details of where they last met or what they did, he said.
"I can then point you to a site that looks very much like Gmail and you are not going to question that because I already have your trust," he said.
Steve Durbin, head of the Information Security Forum, said phishing attacks were a well-established attack method and e-mail had long been a favourite among criminals keen to winkle out saleable data.
"Whether you are a government official with access to sensitive or secret information, or the average e-mail user, everyone must be on their guard and become more security savvy," he said.
Organisations needed to educate users about the real and potential risks they face.
Mr Kaminsky said some of the fault for such security lapses lay at the feet of the outdated technologies we use.
"Passwords don't work as an authentication technology," said Mr Kaminsky.
"They are too flexible, too transferable and too easy to steal," he said. "However, we are stuck with them for now due to technical limitations and because users find them easy to use."