IHETS security group
Network security advisory: November 2004
Contact: Tony McClelland, state networks senior engineer, tmcclell@ihets.org
Introduction
In this age of computer communications for e-mail, financial transactions, instant messaging, and Web surfing, the nefarious aspects of society have a new venue in which to propagate their cons on unsuspecting people. With this in mind, I have decided to pass on, on a monthly basis, some information about the various schemes that are being widely perpetrated throughout the online community. This will build a stronger knowledge base for our users, and it will help defeat attacks that cost companies billions of dollars a year (Citibank, for example, has lost 93 million dollars so far to the attack discussed below, and that is just one company). Yes, that cost will eventually be passed on to the consumer. I will briefly discuss social engineering to help define the type of attack being used. I will also explain what "phishing" is and the ways to avoid becoming a victim.
What is a social engineering attack?
Social engineering is a proven way to attack a company or individual. It uses our own human behaviors to fool us. Everyone always tries to see the good in people, and we try to help one another out. Social engineers rely on this. To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support the false identity. By asking seemingly harmless questions, the attacker may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
What is a phishing attack?
Phishing is a specific form of social engineering. Phishing attacks use e-mail or malicious Web sites to solicit personal information. Attackers send e-mails from seemingly reputable financial institutions requesting account information or suggesting the existence of a problem in an account. If users respond with the requested information, attackers can use it to gain access to the accounts.
How do you avoid becoming a victim?
- Always be suspicious of any unsolicited communications (e-mails, phone calls, visits, etc.) from individuals asking about internal, account or personal information. If an unknown party claims to be from a legitimate organization, verify their identity directly with the company.
- Never provide personal, organizational, or network infrastructure information to anyone unless you are certain of a person's authority to have the information.
- Never reveal personal or financial information in an e-mail, and never respond to e-mail solicitations for this information. This includes following links sent in an e-mail.
- Do not send sensitive information over the Internet before checking a Web site's security. Pay attention to a Web site's URL. Malicious Web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., www4.Citybank.com—I have actually seen this one. Notice the www4 and the misspelling of Citibank).
- If you are unsure about the authenticity of a Web site or an e-mail, call the company in question and ask them about the site or e-mail. (They will be very interested in stopping the Web site.)
- Never use contact information provided on a Web site connected to an e-mail request. Instead, check your previous statements for contact information.
- Be aware of known phishing attempts. Information about known attackers is available on-line from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).
- Copy questionable URLs, go to www.arin.net, and paste them into the ARIN search engine. It will reply with network ownership information for the URL. Note that if the IPs belong to the Asia Pacific network, it will almost always be a false Web site.
- Install and maintain anti-virus software, firewalls, and e-mail filters to reduce the number of attacks that will reach you.
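A small check for the lookalike-URL problem described in the list above, added here as an example and not part of the original advisory. It assumes a constructed allow-list containing only citibank.com, and flags a host whose registrable domain is within two characters of a trusted one (www4.Citybank.com), a host that merely embeds the brand name somewhere in its labels, and a bare IP address.

```python
from urllib.parse import urlparse

# Constructed allow-list of sites the reader actually does business with.
# Assumption: each institution's real registrable domain is listed exactly.
TRUSTED_DOMAINS = {"citibank.com"}

def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'www4.citybank.com' -> 'citybank.com'."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'ip-literal' or 'unknown' for a URL."""
    host = hostname(url)
    if host.replace(".", "").isdigit():
        return "ip-literal"          # a bank does not send you to a bare IP
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"             # any subdomain of the real domain is theirs
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2:
            return "lookalike"       # e.g. citybank.com vs citibank.com
        if any(brand in label for label in labels):
            return "lookalike"       # e.g. www.citibank.com.evil.example
    return "unknown"

if __name__ == "__main__":
    for u in ("www4.Citybank.com", "https://online.citibank.com/login",
              "http://www.citibank.com.evil.example/", "http://192.0.2.10/"):
        print(u, "->", classify_url(u))
```

Anything other than "trusted" is a reason to stop and phone the institution using the number on a previous statement, as the list above advises.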
What should you do if you think you are a victim?
- If you think you may have revealed sensitive information about your organization to an unauthorized party, report it to the appropriate people within the organization. Include network administrators, the security team, and direct managers so that they can be on the alert for any suspicious activity.
- If you believe your financial accounts may have been compromised, contact your financial institution immediately and close any accounts in question. Watch for any unexpected charges to your account.
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
Social engineering (and specifically phishing) is not restricted to gaining financial information. It can be used to discover many other aspects of a company, whether personnel, network security measures, policy information, or anything else. With small bits of information from several sources within an organization, an attacker can easily piece together the information they need to propagate their attack. So, if anyone ever asks you for personal or organizational information, think about what it is and why they are asking for it. If in doubt, turn it over to your direct manager and the security team for further investigation. If you have any questions regarding any of this information, my cube door is always open and my cell phone is always on.
The IHETS security team oversees and coordinates security efforts for consortium members. This includes working with information technology, human resources, communications, legal, facilities management and other groups to identify security initiatives and standards. We also recognize new developments in information security systems technology; anticipate organizational modifications; establish long-term needs for information security systems; and plan strategy for developing systems and acquiring hardware to meet application needs.
