As phishing and spear phishing grow in popularity with online attackers, government organizations are finding that the right set of policies and training might be the best shield against them.
Phishing e-mail messages try to trick readers into revealing personal information and passwords or clicking on links that can infect their computers with malicious programs. Spear phishing ups the ante by tailoring the e-mail message with information that seems specific to the recipient, such as making it appear to be about an internal agency conference or sent from a co-worker.
The ability to mirror valid information makes spear-phishing e-mails difficult to identify, said Linda Wilbanks, chief information officer at the National Nuclear Security Administration.
A report released in February by the Computer Emergency Readiness Team — an arm of the Homeland Security Department — said that in one effort, phishers sent bogus e-mails claiming to be from the Justice Department. Also, the Internal Revenue Service warned of increased spear-phishing efforts heading into tax season.
Phishers are targeting the government aggressively. For example, in October and November 2007, attackers sent thousands of phishing e-mails to the Energy Department’s network of national laboratories. The attackers blasted e-mails to as many individuals in the lab system as they could to trick at least a few.
The messages referred to an internal agency event and appeared to be valid, Wilbanks said. But a link in the message pointed to a Trojan horse, a malicious program that, once the link was clicked, would immediately start sending data to the attackers.
Most labs shrugged off the attacks, but two lost some data. Attackers breached a database containing personally identifiable information on visitors to Oak Ridge National Laboratory, in Tennessee. Los Alamos National Laboratory, in New Mexico, suffered intrusions into an unclassified network, but officials declined to elaborate on the amount or kind of information exposed.