DHS warns that Irene could prompt phishing scams

Cybercriminals increasingly use disasters to launch attacks on government agencies, private companies

As Hurricane Irene barrels toward the eastern seaboard, the U.S. Department of Homeland Security is warning government agencies and private companies to be on the lookout for storm-related phishing attacks and other malicious cyberactivity.

In an alert issued Thursday, the agency said that cybercriminals go into overdrive during highly publicized physical events such as hurricanes and earthquakes.

"Both government agencies and private organizations could possibly become recipients of malicious activity, most commonly in the form of socially engineered spear-phishing emails," the alert from the DHS National Cybersecurity and Communications Integration Center said.

"These emails may appear to originate from a reputable source, with the email subject closely aligned to the event and usually of interest to the recipient," it said. "Network administrators and general users should be aware of these attempts and avoid opening messages with attachments and/or subject lines related to physical events."

Clicking on such emails could cause malware, such as keyloggers and remote access tools, to be downloaded on the user's computer, it said.

The alert is a sign of the growing attention that the DHS and other security agencies and organizations have begun paying to phishing attacks.

The DHS is responsible for protecting critical infrastructure targets in the U.S. Until relatively recently, phishing was considered mostly a consumer problem. But the use of phishing emails to successfully breach the Oak Ridge National Laboratory, EMC's RSA security division, Epsilon and the Pacific Northwest National Laboratory have quickly changed that view.

Over the past few years, phishers have increasingly taken advantage of natural disasters and other highly publicized incidents to slip infected emails and other malware onto users' desktops.

The speed and sophistication of such attacks after the devastating earthquake and tsunami in Japan earlier this year is but one example.

Barely hours after the Japan tragedies, phishers and other online scammers began using emails, fake websites and malicious downloads to try to steal money from unsuspecting victims or plant malware on user systems.

Security companies such as Symantec said they observed millions of email messages and dozens of phony websites going up in the immediate aftermath of the Japan disaster. In most cases, recipients of the email messages were encouraged to click on attachments purporting to show images and videos of the disasters or pointing users to sites where they could ostensibly make donations to victims.

Similar scams were observed in the aftermath of earthquake in Haiti.

The danger for enterprises is that infected computers could be used as entry points into corporate networks, said Anup Ghosh, founder of security firm Invincea.

In many cases, enterprise users are hit with highly targeted spear phishing email messages that appear to come from people they know.

"Spear phishing is the No. 1 attack vector for enterprises. It is how you get into the network," Ghosh said. The tactic has become one of the most commonly used methods used by cyberattackers to break through corporate security defenses, he said.

"I know of [chief information security officers] who have run their own spear phishing tests and gotten click-through rates of 60%," he said. "There's simply no training your way out of the problem."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

First look: Office 2019’s likeliest new features
  
Shop Tech Products at Amazon