
Nextech Blog

Learning from the Mistakes of Others: Sony, NSA, G2O, & DoD Hacks

Posted On 02/12/2015 by Nathan Brown

Part 1: The Sony Pictures Hack

The recent hack of Anthem, the second largest health insurance provider in the U.S., has once again made the topic of cybersecurity painfully relevant to those who work in the healthcare industry.  Initial estimates revealed that as many as 80 million Anthem customers had large portions of their records compromised (possibly more).  While Anthem insists that no medical or credit card data was stolen, these records still contained a wealth of personal information (all worth a fortune on any of the darknet black market data exchanges)—customer names, dates of birth, social security numbers, addresses, places of employment, and even income data were stolen in the cyberattack.  Not only were customer records compromised, but those of Anthem employees as well.  Even their CEO, Joseph Swedish, had his personal information stolen during the breach.  Anthem has not yet officially disclosed exactly how the hack occurred, except to say that it was a “very sophisticated cyberattack.”

While data breaches carried out by external infiltrators and hackers are widely reported, the scary truth is that most data breaches occur due to internal causes—employee negligence, disgruntled former employees, malicious insiders, or just plain-old careless internal cybersecurity behaviors.  That last one—careless cybersecurity behaviors—has led to some of the most serious cyberattacks and/or data breaches in recent history.  Careless human behavior is, unfortunately, a security threat that even the most state-of-the-art and up-to-date antivirus software can do almost nothing to prevent. 

In this article, we will examine four notorious hacks—at Sony Pictures, the NSA, the 2013 G20 Summit, and the Department of Defense—in order to show how in each case it was a simple mistake, made by one or more individuals within the network, that allowed hackers to gain access to what were likely assumed to be rather well-protected networks.

But, as the old saying goes: You know what happens when you assume

The Spear-Phishing of Sony Pictures

The hack of Sony Pictures in 2014 is probably the most widely discussed cyberattack in recent memory.  We all know the story.  Sony Pictures was about to release a silly, raunchy, Seth Rogen & James Franco comedy, The Interview, about a hypothetical attempt to assassinate Kim Jong Un by a pair of inept tabloid journalists.  Unfortunately for Sony, this movie’s mere existence was enough to anger the real Kim Jong Un. In an attempt to prevent the film from ever seeing the light of day, the dictator of North Korea ordered his army of an estimated 6,000 hackers (I wish I could tell you that's an exaggerated number) to carry out one of the most ruthless, hardcore cyberattacks ever witnessed.  They attempted to mask themselves by pretending to be an independent hacker group, using the name “Guardians of Peace,” or #GOP.

So, how were the hackers able to penetrate the Sony Pictures network? 

Did they use some kind of high-tech hacking satellite?  No.

Did they spend months mapping Sony’s security protocols so they could drill their way through the firewall?  Nope.

Did they send one of their spies to infiltrate the network from the inside?  Wrong again.

They just sent an email… that’s about it.

A large number of emails were sent to Sony Pictures employees, including their CEO, which seemed to come from legitimate email addresses.  The email requested that the recipients view a webpage by clicking on a link.  All it took was for one person to open the link… and someone did.  This opened a backdoor for the hackers, which they used to steal the legitimate online credentials of various executives within the company.  They then used these credentials to steal information, copy private emails, delete data, upload viruses, paralyze the network, post threats and ransom demands, and just generally wreak all kinds of havoc.  Sony Pictures still hasn’t fully recovered from the damage their computer network sustained in the attack, and their financial losses as a result of this incident have been estimated at $100 million.

The Reality of Spear-Phishing

The kinds of emails employed in the Sony hack were part of a hacking strategy commonly known as “spear-phishing,” and it happens far more often than most people realize.  Compared to the “spam-phishing” emails of days past, which most people have learned to identify and avoid over the years, spear-phishing emails are astronomically more effective.  Whereas the current open rate for spam emails is a meager 3%, the open rate for spear-phishing emails is a staggering 70% (not to mention that 50% of those who open these emails also click the links they contain).  A study published by Cisco found that 1,000 spear-phishing emails generate ten times more data revenue for hackers than sending 1,000,000 spam-phishing emails.

You may be wondering: “What makes spear-phishing so effective?”

There are a number of factors that contribute to the high success rate of spear-phishing campaigns:

  1. It’s NOT Spam: By now most people know how to identify and avoid the traditional characteristics of spam.  Spear-phishing emails don’t have those characteristics. They don’t claim to be from a Nigerian prince who for some reason can’t spell Nigeria and inexplicably wants you, a total stranger, to inherit his vast wealth… if only you can send him the money to pay the taxes on it.  They won’t inform you that you’re the winner of an all-expenses paid trip to the Bahamas and a cash prize, in a contest you never even entered… they just need to know the routing number to your bank account so they can wire the money to you.  In fact, spear-phishing emails have become increasingly sophisticated and difficult to identify over the years.
  2. Familiarity: Unlike spam, which is sent out “shotgun-approach-style” to thousands of email addresses, spear-phishing is a bit more planned and designed to target specific recipients. This is done by employing spoof email addresses that look real and appear to be from someone the recipient knows (such as a boss or coworker).  It can be as simple as a Google search to find out who works for a company and acquire a list of employee email addresses. The senders may even use a logo image to make the email seem more legit (again, a corporate logo can be easily found with Google Images). This increases the likelihood that the email will be opened by the recipient.
  3. Spoofed Links/Attachments: The links in spear-phishing emails look like the real deal.  This is why half the people who open them also open the links. Spoofing a link is pretty easy to do. Nowadays, most ten-year-olds probably know how to edit a hyperlink (kind of like this: ThisIsNotaLinkToaWikipediaHyperlinkArticle.com). The senders know that few people bother to verify the actual URL properties of a link before clicking, especially in an email they believe was sent by someone they know. Think about it… when was the last time you verified the URL of a link before you clicked on it?
  4. Versatile Use of Malware/Spyware/Viruses: Spear-phishing links contain malware, spyware, or viruses that are downloaded as soon as a recipient opens the spoofed link.  Depending on the type, this can do any number of nasty things to a computer network.  It could be malware that opens a backdoor for hackers to gain access or spyware, such as a worm, that just quietly scans and transmits data (usually to identity thieves or darknet data traders).  Then again, it could infect the network with a malicious virus that proceeds to go Hulk until it is detected and quarantined. Or, worst case scenario, until it causes a system-wide crash that results in a total loss of hardware and data.
  5. Spoofed/Stolen Security Certificates: In order to mask their activities, the senders often employ spoofed or stolen security certificates for their malware/spyware.  This reduces the likelihood that the data breach will be immediately detected by security software or IT personnel.  Remember that new versions of malicious code are being written all the time, and even the best antivirus can only detect what it knows to look for, even more so when the code is masked by a fake security certificate.  This is why it can take weeks, months, or (in some cases) even years for such breaches to be discovered.

Are you sufficiently freaked out and/or terrified yet?  Good… mission accomplished, then.

Don’t worry, though. While spear-phishing emails may be harder to identify than spam, they certainly aren’t 100% foolproof.  Every strategy has a weakness, and even spear-phishing is not immune to this rule.

Red Flags to Help You Identify a Potential Spear-Phishing Email

  • Email is unexpected: Is it odd or unexpected that this person is emailing you? For example, you receive what appears to be an email from your office manager that says “Here are those forms you asked for,” with an attachment or link. However, you can’t seem to remember asking for any forms.  This can be easily dealt with by picking up the phone and calling the office manager to confirm that he/she sent the email.
  • Subject line may not make sense: Does the subject match what’s in the email? For example, does the subject say “Weekly Report,” but the email says “here are those forms you asked for.” Senders are getting pretty savvy, so this mistake is becoming rarer. But it’s still worth mentioning.
  • Excessive spelling/grammar errors: Okay… I get it. Some people aren’t the greatest spellers to begin with. So this one requires you to use your noggin.  For example, if your 65-year-old receptionist sends you an email that says “Wazzup? Got da forms 4 u. Kthnxby,” you might want to double-check to make sure she sent the email before you open any links or attachments.  However, if it comes from your 13-year-old niece, it may not be all that unusual.
  • Email is vague: Be especially wary of any email that contains little to no detail. Vague wording followed by a link, such as “Here you go: <link>” or “Need you to look at this: <link>,” are huge red flags.  Most people are more specific than that, even with emails, and a real person would write “Here is that cancelled appointment list you asked for,” or “Here is tomorrow’s schedule. Could you please look at it and let me know of any problems?”
  • Has an unnecessarily urgent tone: This one usually goes hand in hand with the above vagueness issue. For example, the subject line is “URGENT!!!” and the email just says “I NEED YOU TO LOOK AT THIS RIGHT AWAY: <link>.”  This is meant to invoke feelings of panic, so that a recipient might click the link without thinking about it.  Note that the subject does not tell you why it is urgent, nor does the email tell you what you are supposed to look at.
  • Return address differs from original: Spoofing an email address is not difficult. One easy way to catch this one is to hit Reply (for goodness’ sake, though, do not hit Send).  If the return address does not match the sender address in the original email, this is a big red flag.
  • Contains links or attachments: Obviously, the presence of a link is not by itself a cause for suspicion. However, it becomes one if it is combined with any of the other red flags in this list.
  • Link addresses don’t match link text: If you have any doubts, verify the URL of a link before opening it. For Windows users, this can usually be done by simply right-clicking (NOT left-clicking!) on the link and selecting “properties.” If the URL in the properties window does not seem to match what the link claims to be, do not open it.
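Several of the red flags above (a Reply-To address that differs from the From address, link text that claims one destination while the href points to another, an urgent tone combined with a link, and a vague one-line body) can be checked automatically on a raw email before it ever reaches a person. The following script is an added example written for this post, not code from Nextech or from any product it describes; it uses only the Python standard library, and the two messages it scores (the addresses, the 198.51.100.7 documentation-range IP, and the clinic domain) are constructed sample data, not real mail. It is a triage aid for a mail gateway or help desk, not a replacement for the phone call the post recommends.

```python
"""Score a raw email against a few of the spear-phishing red flags above.
Added example with constructed sample messages; the thresholds and the
'looks like a domain' regex are assumptions, tune them for real mail.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL or bare domain, lower-cased, without a 'www.' prefix."""
    if not s:
        return ""
    if "://" not in s:
        s = "http://" + s
    h = (urlparse(s).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


# Assumed heuristics: urgency words / multiple exclamation marks, and anchor
# text that itself looks like a domain or URL (so the reader trusts it).
URGENT = re.compile(r"\b(urgent|immediately|right away|asap)\b|!{2,}", re.I)
LOOKS_LIKE_DOMAIN = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
MIN_WORDS_AROUND_LINK = 20  # assumed threshold for a "vague" body


def red_flags(raw):
    """Return a list of human-readable red flags found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # Red flag: Reply-To differs from the visible From address.
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != from_addr:
        flags.append(f"reply-to mismatch: {from_addr} vs {reply_to}")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    if part is not None and part.get_content_type() == "text/html":
        collector = _AnchorCollector()
        collector.feed(body)
        links = collector.anchors
        # Red flag: link text claims one host, href goes to another.
        for href, text in links:
            if LOOKS_LIKE_DOMAIN.match(text) and _host(text) != _host(href):
                flags.append(f"link text '{text}' points to {_host(href)}")
        visible = re.sub(r"<[^>]+>", " ", body)
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", body)]
        visible = body

    # Red flag: urgent tone plus a link.
    subject = str(msg.get("Subject", ""))
    if links and URGENT.search(subject + " " + visible):
        flags.append("urgent tone with a link")

    # Red flag: almost no words around the link.
    words = re.findall(r"[A-Za-z']+", visible)
    if links and len(words) < MIN_WORDS_AROUND_LINK:
        flags.append(f"vague body: {len(words)} words around a link")
    return flags


# Constructed sample messages (not real mail).
SPEAR = """\
From: Office Manager <manager@example-clinic.com>
Reply-To: manager@example-clinic-mail.net
To: you@example-clinic.com
Subject: URGENT!!!
Content-Type: text/html

<p>I NEED YOU TO LOOK AT THIS RIGHT AWAY:
<a href="http://198.51.100.7/forms">example-clinic.com/forms</a></p>
"""

BENIGN = """\
From: Office Manager <manager@example-clinic.com>
To: you@example-clinic.com
Subject: Tomorrow's schedule
Content-Type: text/plain

Here is tomorrow's schedule. Could you please look at it and let me
know of any problems? It is on the shared drive under Schedules/2015-02.
"""

if __name__ == "__main__":
    for name, raw in (("spear", SPEAR), ("benign", BENIGN)):
        print(name, red_flags(raw))
```

Run as-is, the constructed spear-phishing sample trips all four checks while the benign schedule email trips none. The anchor check is the machine version of the post's "right-click and look at properties" advice: it compares the host the reader sees with the host the link actually opens, which is exactly the mismatch a spoofed link relies on.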

While the subject of spear-phishing emails seems to cause anxiety in some people, you shouldn’t let it make you unnecessarily paranoid.  Just remember that a little vigilance and common sense goes a long way when it comes to avoiding spear-phishing emails.  Keep an eye out for red flags.  Trust your instincts.  If an email seems unusual, even if you can’t quite put your finger on why, there is nothing wrong with calling the sender to verify that he/she sent it to you.  Permanently delete any email you cannot verify, and don’t rush to open links or download attachments.

Thanks for reading Part 1 of this blog series.  In Part 2 we will examine the infamous 2012 NSA data breach executed by Edward Snowden, and what it can teach us about password security.

Topics: Healthcare IT, Security