Cybersecurity officials are struggling to get government employees and business leaders to stop opening malicious emails, industry experts said on Thursday.
“People are hacking themselves. There is no exploitation of code,” said Kevin Mandia, president of cybersecurity firm FireEye. “There are 226 investigations that we’ve started or finished … since 2014. Over 90 percent of the time, the way the bad guys broke in was some sort of spearphishing.”
Mandia and officials from the departments of Commerce and Homeland Security made their comments at a cybersecurity conference held in Washington on Thursday.
Spearphishing is a targeted attack in which hackers send a tailored email to a specific victim who, on opening it, either clicks on a malicious link or is tricked into entering the password for one of his online accounts, which is then transmitted to the hacker.
Scammers have long used such methods while claiming to be wealthy citizens of foreign countries. Their emails, usually riddled with errors, would ask victims to provide their financial information so that money could be transferred to them.
Those days are over, Mandia asserted, now that foreign governments have taken up the practice and found hackers with better English skills.
“Gone are the days when dollar signs are in the wrong place and every word is misspelled,” Mandia said. “Right now, virtually 90 percent of the breaches that we’re responding to — and we responded to several dozen as I stand here today — are state-enabled or sovereign nations hacking us.
“They have the language capability, and they’re exploiting human trust. There isn’t a patch here,” Mandia added. “They’re breaching human trust.”
To diminish the threat that the practice poses, some organizations have started phishing their own employees.
“I am sending their phishing emails,” said Paul Beckman, a cybersecurity official at the Department of Homeland Security. “I don’t want to raise awareness; I want to raise paranoia.”
In the early days of the effort, Beckman said, “I would have the same person fail every single time. Click on the link, enter their credentials, put their password up.” Now, he said, most Homeland Security employees will stop opening his emails after the second round, partly because of repercussions that include mandatory training and marks on the record of people who fail.
Rod Turk, the head of cybersecurity at the Department of Commerce, described the types of emails that foreign states will send to staffers they want to hack. “It’s going to look like it came from your grandma. It’s going to look like the guy next door sending you an email to go to lunch,” Turk said. “And it’s going to have an executable on it,” or some sort of link or action that the recipient is expected to employ.
Mandia described additional phishing campaigns. “It is people saying ‘Hey, why don’t you connect to this third-party reputable site and download photos from last week’s corporate picnic,’” he said. “There really are photos of last year’s corporate picnic on the site. It’s a reputable third-party site. And people are going to click on that link and go get those photos,” thereby transmitting their information to the hackers.
“We’ve all gotten those emails … that say, ‘Hey, come out and have drinks.’ I had a CFO that fell for that three times,” Mandia added.
Additionally, experts said, those who were affected by the breach of the Office of Personnel Management this year were the most at risk. The hack, traced to China, resulted in the exfiltration of 126-page personnel files on 21.5 million people who have applied for security clearances.
“They know who your neighbors are, they know who your brother and sister are, what their birthdates are … if you have a clearance and that information was taken,” Turk said. “That kind of information is out there, and that’s a gold mine for phishing.”