To hackers, government users are phish in a barrel

Government networks are being targeted increasingly by hacktivists, nation-states and other malefactors, and the most common means of successful attacks, by a wide margin, is phishing.

The United States Computer Emergency Readiness Team, which collects security incident reports from federal, state and local government agencies, processed 107,655 incident reports in 2011, 43,889 of them involving federal agencies.

And more than half of those reports — 55,153, or 51.2 percent — came from phishing, which has become hackers’ favorite way of getting a foot into the door of a network.




US-CERT’s results were included in a recently released report by the Office of Management and Budget on agency compliance with the Federal Information Security Management Act.

The number of reported incidents in 2011 represented an increase of about 5 percent for federal agencies over 2010, when a total of 107,655 reports came in, 41,776 of them involving federal agencies.

That’s a significant decrease in the growth rate from the year before, when attacks increased by 39 percent, but it’s still a higher rate than in the private sector, where attacks increased by less than 1 percent between 2010 and 2011, according to US-CERT.

After phishing, malware — in the form of viruses, Trojans, worms and logic bombs — was the next most common source of incidents. Totals from the report:

  • Phishing: 51.2 percent.
  • Virus, Trojan, worm, logic bomb: 7.7 percent.
  • Policy violation: 7.4 percent.
  • Malicious website: 6.3 percent.
  • Equipment theft/loss: 6.2 percent.
  • Suspicious network activity: 3.3 percent.
  • Social engineering: 2.4 percent.
  • Attempted access: 0.8 percent.
  • Others: 5.8 percent.

Non-cyber incidents made up 9 percent, US-CERT said.

Phishing scams attempt to lure people to malicious websites where they can be duped into giving up personal information or where malware that compromises their computers can be downloaded. The hook often comes in an e-mail or a posting on a social media site.

Increasingly, government organizations and contractors have been targeted by phishing scams. The hack last year of RSA Security, in which information on the company’s SecurID tokens was stolen and used in an unsuccessful attack on Lockheed Martin, started with a phishing campaign.

Government e-mail addresses stolen and posted online after a hack of intelligence analysis company Strategic Forecasting later were used in spear-phishing attacks, which target specific users. Spear phishing also was at the root of an attack in April 2011 that shut down Internet access at Oak Ridge National Laboratory for weeks.

Experts say you can avoid phishing attacks by keeping browsers and anti-virus software up to date, using a firewall, and installing anti-phishing toolbars such as those built into newer versions of Internet Explorer 7 and Firefox 2, or third-party tools such as EarthLink’s free ScamBlocker.

And users need to resist the social engineering tricks used in phishing e-mails and postings. Among the advice experts offer: Be wary of authoritative-sounding e-mails from supposed institutions such as a human resources, law enforcement or tax department. (In January, e-mails supposedly from US-CERT were used to spread the Zeus Trojan.) Before clicking, examine URLs for telltale signs, such as misspellings, that could indicate they're bogus. Type in URLs manually to be sure the address isn’t spoofed.

And if you’re not sure about a link, say, to a story on a specific site, you can go to that site on your own and look for it.
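The URL inspection described above can also be automated at a mail gateway or in a link-preview tool. The sketch below is an added example, not part of the original article: it compares a link's hostname with a short allow-list and flags near-misspellings and two common spoofing layouts. The allow-list, the sample links and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): domains the reader really deals with.
TRUSTED = {"us-cert.gov", "example-agency.gov"}

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Last two labels only; a production check would use the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, reason) for one link target."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return ("suspicious", "no hostname")
    if "@" in parts.netloc:
        return ("suspicious", "text before '@' is not the real host")
    if not host.isascii() or "xn--" in host:
        return ("suspicious", "internationalized hostname can mimic ASCII letters")
    domain = registered_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if edit_distance(domain, good) <= max_distance:
            return ("suspicious", "misspelling of " + good)
        if good in host:
            return ("suspicious", good + " used as a subdomain of " + domain)
    return ("unknown", domain)

if __name__ == "__main__":
    for link in ("https://www.us-cert.gov/alerts",        # constructed samples
                 "http://us-cerrt.gov/update",
                 "http://us-cert.gov.login-check.example/reset",
                 "http://us-cert.gov@198.51.100.7/"):
        print(link, "->", classify(link))
```

A verdict of "unknown" means only that the domain is neither on the allow-list nor close to it; it says nothing about whether the site is safe.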

Organizations such as the Anti-Phishing Working Group and Phishing.org offer advice to help you avoid getting hooked.

Reader Comments

Tue, Mar 20, 2012 steve baltimore

I disagree about the way your instruction is written: "And if you’re not sure about a link, say, to a story on a specific site, you can go to that site on your own and look for it." Google the path, or google the site (but be sure NOT to goggle it - that's a dangerous misspelling!). In some cases, going to a site is enough to start the nasty business off, unless you have good protections within your browser turned on.

Tue, Mar 20, 2012 John Spencer Michigan

Our local government website has been under a DDOS attack since last June. The bot network starts downloads of large pdf files numerous times until the network pipe is full. Our firewalls have stopped any intrusions so far, and we have blocked most of the bot network url. We have taken steps to minimize the DDOS by changing how pdf files are delivered to the users.
