Over the past two years, ransomware has become one of the most prominent threats on the minds of the people whose job is to protect agencies and organizations. For the most part, ransomware gangs have avoided confronting the federal government directly, although critical infrastructure, schools, state and local governments, and even hospitals have become common targets. And many of the highest-profile attacks in recent years, such as the one launched against Colonial Pipeline, were based on ransomware.
Ransomware will remain a serious risk for many years to come. However, in terms of attacks aimed directly at federal agencies, it may soon be supplanted by another damaging threat: phishing.
At the most basic level, a phishing attacker sends an email purporting to be from a colleague or boss and asks an employee to take an action or provide information. If the victim falls for it, they may end up sharing their password, which can lead to secondary attacks. Or they may even do something like transfer money directly to an attacker, thinking they are doing their boss or a colleague a favor.
Because the initial stages of a phishing attack do not touch the victim's computers or network at all, attackers seem more willing to use it against the federal government, which has defenses capable of stopping more forceful intrusions.
For example, one remarkably successful phisher managed, at least initially, to trick the government into sending him millions of dollars. A man from California reportedly registered the domain dia-mil.com as a base for phishing operations. The domain is strikingly similar to dia.mil, the domain used by the Defense Intelligence Agency (DIA). It was close enough that the attacker was able to trick the government into sending more than $23 million to his private account. The money was supposed to pay for fuel, and the phishing victims thought that is what they were paying for. But instead of dealing with a legitimate government partner, they sent the funds to the attacker.
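The dia-mil.com domain above is a classic look-alike: the dot in dia.mil is replaced by a hyphen and a different top-level domain is appended. The Python below is an added example, not code from the article or from Cofense or DomainTools, showing how an inbound-mail check might flag such sender domains against an allow-list of known partners. The allow-list, the second partner domain globalfuel.com, the sample From header values and the small homoglyph table are all constructed for the example, and the registrable-name logic assumes a single-label suffix (no public-suffix list), so co.uk-style domains are not handled.

```python
"""Flag look-alike sender domains against an allow-list of trusted partners.

Added example: the allow-list, sample headers and homoglyph table below are
constructed for illustration and are not taken from the article.
"""
import re
from email.utils import parseaddr

# Constructed allow-list; a real deployment would load this from the
# organization's vendor/partner records.
TRUSTED_DOMAINS = ("dia.mil", "globalfuel.com")

# Minimal homoglyph folding (digits that resemble letters). Extend as needed.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(text):
    """Fold look-alike characters and strip separators: 'D1a-Mil.com' -> 'dlamilcom'."""
    text = text.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9]", "", text)


def registrable(domain):
    """Label left of the suffix: 'mail.dia.mil' -> 'dia', 'dia-mil.com' -> 'dia-mil'.

    Assumption: single-label suffix only; no public-suffix list is consulted.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), used for near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_value):
    """Extract the domain from a From header value such as 'Name <user@host>'."""
    _, addr = parseaddr(from_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(from_value):
    """Return (domain, verdict, trusted_match); verdict is trusted/lookalike/unknown."""
    domain = sender_domain(from_value)
    if not domain:
        return domain, "unknown", None
    # Exact match or a subdomain of a trusted domain is accepted as-is.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return domain, "trusted", trusted
    cand = canonical(registrable(domain))
    for trusted in TRUSTED_DOMAINS:
        whole = canonical(trusted)              # 'dia.mil' -> 'diamil'
        core = canonical(registrable(trusted))  # 'dia.mil' -> 'dia'
        # 1) separator games: 'dia-mil.com' collapses to the whole trusted name
        # 2) same core under another suffix or with homoglyphs: 'g1obalfuel.com'
        if cand == whole or cand == core:
            return domain, "lookalike", trusted
        # 3) one-character near-miss, only for cores long enough to be meaningful
        if len(core) >= 4 and levenshtein(cand, core) <= 1:
            return domain, "lookalike", trusted
    return domain, "unknown", None


# Constructed sample From header values, not real messages.
SAMPLE_FROM_VALUES = [
    "Contracting Officer <co@dia.mil>",
    "Contracting Officer <co@mail.dia.mil>",
    "Fuel Vendor <vendor@dia-mil.com>",
    "Accounts Payable <ap@g1obalfuel.com>",
    "Accounts Payable <ap@globalfuels.net>",
    "Newsletter <news@unrelated-news.org>",
]


def scan(from_values):
    """Classify every header value; returns a list of (domain, verdict, match)."""
    return [classify(v) for v in from_values]


if __name__ == "__main__":
    for domain, verdict, match in scan(SAMPLE_FROM_VALUES):
        print(f"{domain:22} {verdict:10} {match or '-'}")
```

A gateway rule built on this would quarantine or banner "lookalike" results rather than silently dropping them, so the security team sees what is being impersonated; the allow-list is the expensive part, since it has to be kept in step with the organization's actual partners.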
Ronnie Tokazowski, chief risk adviser at Cofense, a security firm that studies this issue, explained why no one, not even government agencies, is immune these days to phishing campaigns by attackers and scammers. “To make a victim more likely to click on a phishing email, attackers do their best to make phishing emails look as legitimate as possible, through techniques such as spoofing,” Tokazowski said. “In addition, many scams exploit human emotions to make things seem more pressing or relatable.”
The California attacker was eventually arrested and convicted of wire fraud and other crimes, yet it is striking that he was able to get so far with his scheme without ever compromising a federal network. A phishing email campaign was enough. Had he only concealed his bank account better, or had it been located somewhere beyond the reach of law enforcement, he might simply have gotten away with it.
Sean McNee, chief technology officer at DomainTools, said the DIA incident is a good reminder of why phishing attacks are becoming the tool of choice for criminals looking for cash or data. “These types of phishing attacks by an impersonating actor show how vital it is for an organization to control communications with its supply chain as part of good security practice,” he said. “If you get an unsolicited email from someone who appears to be a partner, follow up through a known channel that can be verified to determine the legitimacy of the email, avoid clicking on unsolicited links, and don't provide any financial information until the communication has been verified.”
As McNee noted, while many phishing threats are capable of circumventing classic defenses, agencies are not defenseless. According to many experts, smart defenses depend on technology and training, as well as on having the right checks and balances in place for critical or highly sensitive functions, such as transferring money.
Tokazowski agrees, emphasizing that technology will have to work together with people to thwart phishing. “Email gateways are great for mitigating known threats and campaigns, yet attacks will land in a user's inbox, leaving a company vulnerable,” Tokazowski said. “Training users on what phishing emails look like and advising them on how to report email is a must, so that the security team can mitigate a potential threat and lessen the overall threat of the campaign. It's imperative to strengthen a culture around reporting phishing emails, because at the end of the day, it's one thing that affects each and every organization. In addition, to help reduce threats related to compromised accounts, organizations should ensure that users have enabled multi-factor authentication.”
Unfortunately, many experts say the DIA attack is probably not an outlier. Cofense recently released its annual report on the state of phishing for 2022, which paints a rather bleak picture. Unlike attacks that have to confront cybersecurity defenses and defenders head-on, most phishing attacks only need to reach networks that use email: a technology that no agency, company, or organization can do without. Technology can eliminate many of those threats, but the likelihood that a phishing email will eventually land in a user's inbox is quite high. As such, it will take both technology and user education to defeat it.