Will phishing kill e-mail as we know it?
Spate of successful attacks shows messages can't be trusted, and a useful business tool could be lost
The recent spate of high-profile breaches of government and contractor systems appears to be the work of sophisticated and persistent attackers who are leveraging relatively simple exploits to gain access to high-value data. In one string of attacks, data stolen from RSA Security apparently has been used to access or attempt to access several companies. In others, account information has been stolen to enable access to communications.
The incidents have in common that they appear to have started with spear-phishing attacks, tricking an end-user into giving up information or allowing the installation of malicious code that could steal data. This information was then used to conduct more sophisticated attacks.
It is simple enough to warn users that they should be careful about what e-mails they open and respond to, and about downloading attachments or clicking on links. But socially engineered e-mails using publicly available information to target users are making it more difficult for recipients to weed out the malicious messages.
How to counter sophisticated cyberattacks: Focus on the basics
Oak Ridge lab shuts down e-mail, Internet after cyberattack
The routine use of e-mail for confirmations and notifications of transactions have made it a trusted business tool, and even otherwise cautious users tend to trust the medium. But until the technology for identifying phony e-mails improves, we should consider messages untrusted by default, regardless of subject matter or whom they appear to come from. This means that some legitimate uses of e-mail in our everyday business will have to change.
For example, I recently received an e-mail in my work account appearing to be from a vice president of IT and application development, informing me that my profile for the company directory needs to be updated. The e-mail provides a link, with instructions to click, enter my user name and password, and put in my contact information.
The e-mail looks legitimate and the link looks good, but I haven’t responded. I have few, if any, secrets in my own files, but the information being sought can provide the kind of wedge that could be used to gain broader access to company resources and used as a stepping stone for attacks elsewhere if it went into the hands of a hacker.
I have seen too many incidents of similar phishing attacks to be comfortable responding to e-mail requests such as this.
This probably is a legitimate e-mail request, and providing a link to enable me to update my own information is a more efficient way to handle the task than to have a third party input the information. But the bottom line is that additional caution is called for in the current environment.
There might be other ways for me to verify the e-mail and the link, but the simplest and most effective for me is to call the guy and ask him. This is an inconvenience for both of us but it is prudent and better than having to admit later that I was phished.
Until we can assume that the e-mail that lands in our inboxes is trusted, it might be simpler to forego using e-mail for such business and use some other channel of communication, such as a phone call, instead.
This would be a shame, because e-mail, with its unlimited length and ability to carry attachments and links, is a great medium for business activities. But with the bad guys capitalizing on that convenience, security will have to take precedence and we might have to abandon the default trust in e-mail, at least for a while. It’s a case of risk management.