Attack vectors into the law: phishing
The first of a mini-series on cyber-crime risks to solicitors explains the methods of, and the ways to spot, “phishing” emails
ComputerWeekly recently reported that cyber crime costs UK organisations an average of around £3 million per annum. For the legal profession, however, the potential risks are generally greater. As the recent example of Davenport Lyons shows, cyber crime is a commercial risk for lawyers as for other businesses. However, it is a risk particularly amplified in law because of the additional duties owed to clients. More frequent than cyber attacks on lawyers are cyber attacks via lawyers against corporate targets – their clients.
A recent American report referred to law, in this respect, as the “soft underbelly of the corporate world”. No legal professional wants to be the path of least technological resistance to his or her clients’ most sensitive information. Yet the lawyer inhabits a technological landscape in which a single check of email on free wifi may be exactly that. Collectively, the paths or means by which hackers may render a network insecure are called “attack vectors”.
In this mini-series, some of the common “attack vectors” are introduced, with a particular focus on how they relate to practice of law, and what can be done to protect yourself and your clients.
What is phishing?
The first “attack vector” in the series is phishing. Phishing is the act of attempting to acquire sensitive information from a target by masquerading as a trustworthy entity, most commonly by email. Analysis of 2013 trends confirms that it continues to be the top online threat, with the greatest impact on consumers and business.
Phishing attacks mainly exploit the way people, in practice, interact with and interpret their electronic messages like email. Which is to say, it exploits people’s email behaviour rather a technical vulnerability.
The hacker can craft the email in any form it is hoped their target will find trustworthy, and respond predictably to. In so doing, the aim is to render the target’s computer, network or information insecure. Phishing attacks range from what people often label “spam”, to the highly sophisticated.
The modern legal professional is a high value target – or, at least, a potentially insecure path to a high value target he or she represents. As such, the modern lawyer need to be prepared for not only the more common, but the more sophisticated, phishing attacks.
The only real way to do be able to identify phishing attacks across the spectrum is to have an understanding of them. A modest investment in this is likely to yield higher returns than considerable investment in anti-phishing technology, particularly with regard to the sophisticated attempts.
Anatomy of a phishing attack
Phishing attacks are the object of much information security research and analysis. They can be conceptualised in different ways. Happily, to gain the grasp required for practical defence you can think of phishing as constituting essentially three things:
(a) the appearance of being from a trustworthy source, and
(b) the hook – i.e. the specific action the hacker needs the target to perform to make him vulnerable, and
(c) the bait – i.e. the hacker’s strategy for baiting the target into performing that action.
As we will see, from this basic structure, a great variety emerges.
The general phishing attack
The general phishing attack is by far the most common type. What defines this attack is that it’s not personal. Which is to say, it’s not about you, it’s just about numbers.
The hacker hopes that for every 10,000 emails he sends, a few people won’t realise it’s not from the trustworthy source it purports to be from, and be baited into doing what the hacker wants.
Just how indiscriminate the general attack is can vary, while still following this basic pattern.
Take these two scenarios:
Target: Everybody in list of 500,000 random email addresses
Faked trustworthy source: Royal Bank of Scotland
The hook: Click a link that takes target to a fake RBOS website, to steal target's login details
The bait: “There has been unusual activity on your account, please login to verify recent transactions”
Target: Everybody in list of 20,000 architects' email addresses
Faked trustworthy source: Royal Society of Architects
The hook: Open an attachment containing malware that allows hacker access to target’s PC
The bait: “I regret to inform you that a complaint has been made against you. At this stage only the details of the complaint and registered architect number of the complainer are available. Please see attachment and respond with 48 hours.”
A real life example – PayPal phishing
We can see from this real example, that it has a fairly typical profile for a general phishing attack:
“Thu 26/09/2013 15:43
[SPAM?] New PayPal Messages – response is required
To: Barry McKay
For your protection, you must verify your activity before you can continue using your PayPal account.
We will review the activity on your account with you and upon verification, and we will remove any restrictions placed on your account.
Click to follow link
If you choose to ignore our request, you leave us no choice but to temporary suspend your account.”
The faked trustworthy source is the international e-commerce website PayPal. Using official PayPal branding attempts to lend it credibility. The hacker's choice of source reflects the need to present as something lots of people are likely to know and use, as they do not know their target.
But note: It’s from firstname.lastname@example.org; my name isn’t mentioned in the email; and the email did not look like one styled by an international corporation.
The hook is simply the “click here” link. This will take the target to a fake PayPal website, which replicates the original in all its details. It hopes the target will log in to the hacker-controlled site, revealing their login details.
But note: If you put your mouse over the link without clicking, you see it doesn’t in fact go to paypal.co.uk, but rather http://bze.ca
The bait provokes curiosity by advising the target that they have new messages, while also inspiring fear that their account may be suspended. These are two most common strategies.
But note: Persuasion overkill – there is no coherent message asking me to do something clear, as you would expect from a leading company, just naked curiosity/fear bait.
If you have a clear impression that an email is intent on you doing one specific thing, that’s a good reason to be suspicious.
Targeted (or spear) phishing
Spear phishing is a term for individually or corporately targeted phishing attacks. “Spear phishing for whales” is targeting specific, high ranking individuals, within, or with access to, the target organisation.
Such attacks are generally more sophisticated, and take into account the target’s specific background and characteristics from publicly available information.
These are the vehicle of choice for attacks on high level targets. In an analysis of 19 of the most successful high profile attacks in the oil and gas industry, almost every attack used a form of spear phishing.
As spear phishing for whales is something that adapts to particular circumstances, the following background scenario has been created for illustrative purposes:
You are Mr Tom Latter. You work for a firm representing an oil exploratory company in the North Sea. As is not uncommon in the industry, cyber-criminals have been tasked with securing market sensitive information on that oil company to aid their clients in a bid for it.
The hacker's brief is to get such information without making the oil company aware. After mapping their service interaction, they identify your firm as a potential organisation attack vector to them, and examine your public information.
They notice that your company has a Twitter follower called Widget Technologies Ltd (http://www.widgettechnologies.co.uk), who retweeted a link to a Law Society talk you gave. That company is not your client, though.
Ultimately, they identify you personally, and three other solicitors, as having recorded dealings with the oil company.
The spear phishing mail may read like this:
Friday 28/03/2014 01:14
David Smith <email@example.com>
To: Tom Latter
[pdf attachment shown]
I hope you don't mind my emailing you. I was at the Law Society event back in January, and caught the tail end of your talk on business and legal interfacing. I thoroughly enjoyed it, and actually meant to follow up.
That's not the issue I'm contacting you about at the moment, though.I'm a Director over at Widget Technologies. We've been following you guys for a bit, and very much like your modern outlook. It's impressive.
We actually have in house representation at the moment, but the reason I'm writing is that, after a somewhat unhappy incident, we may nonetheless be looking for representation.
It's really just at the enquiry stage at our end. It's not clear from your website whether you guys do contractual stuff. Our in house solicitor sent some emails we think are abusive and may constitute material breach of his contract. Naturally, we can't ask his opinion.
I've compiled a quick report containing his emails, our replies, and a contract extract. I realise entirely that you can't offer any advice prior to our coming in and doing the necessary checks.
However, if you could have a quick look over the report just to see if it's something in your area of expertise, and let me know, I'd appreciate it. What times would you have available for me to come in next week?
PS I've copied in the chairman. If you'd like to talk to either of us over the phone, you'll find contact details via the URL in the signature.
Director – Operations
Widget Technologies Ltd
The faked trustworthy source in this instance is more subtle. General phishing attacks will try to ape a globally trusted source to gain standing. Spear phishing will be more creative. The hacker in this instance is adopting a trusted genre – the friendly but formal business inquiry, as well as relying on a vague and disarming familiarity with the company.
The hook is also less clear. It gives a plausible appearance of options. In truth, the hacker is using a very standard hook – an insidious email attachment. But even if Tom opened it, he wouldn’t suspect he’d just opened a backdoor to his computer and its information, as the presentation as described would be there. The link goes to a website duplicate with changed phone numbers.
The bait in this instance relies primarily on self-interest – there is the prospect of a new client. But it also insinuates a little bit of intrigue – most people would be tempted to see those abusive emails.
What were the warning signs?
Unlike the PayPal example, there was only one tangible warning sign here.
Did you notice the missing “t” from the domain in the email address?
In Tom’s position, would you have read the report?
If not, do you think one of the other solicitors in your firm would, if a scenario had been developed specifically for them?
The hacker incurs no costs in this, other than time. Even if you work out something isn’t right, you would never have known your client was under attack.
The lesson is to read your email in the knowledge that phishing can be highly subtle. Think about the putative trustworthiness of the source. Utilise your lawyerly sensitivity to persuasion and decide whether you are being baited into some predefined response.
However, even if you don’t spot that an email is phishing, if you follow these simple rules, you will still protect yourself against the majority of phishing attacks – general and targeted.
Points to remember
1. Remember, you can never tell an email’s true source from its branding or sender name
2. Even if you closely check the sender address, you can still misidentify true sources (firstname.lastname@example.org isn’t the Law Society; email@example.com was not firstname.lastname@example.org)
3. Never follow a link from an email for any reason. Just open your browser.
4. Don’t open an attachment if you are at all unsure of the sender, and always virus scan before opening attachments even from people you do know.
5. Don’t trust email signatures as sources of information, particularly relating to telephone numbers and websites.
6. Ensure you have a clear policy that incorporates the security of attached documents as a part of your set of policies dealing with enquiries and new clients.
7. Beware being baited – sources you can trust won’t try to scare you into action; and curiosity, in this context, kills the client.
Barry McKay, Dip Comp, BA (Hons), LLB