US-CERT Hooked by US-CERT Phishing Attack
Written by Malcolm James on January 17, 2012
This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, perhaps, it’s not enough that the agency which was spoofed in the attack has reported a disruption of its own systems, but it’s also the government body responsible for identifying and mitigating just this type of thing.
On January 11, news erupted of a rather malicious little spoof email that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an email pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.
Sent with fake source addresses that included soc@us-cert.gov and the subject line Phishing incident report call number: PH000000XXXXXXX and an attachment named US-CERT Operation Center Report XXXXXXX.zip, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which executes a file named US-CERT Operation CENTER Reports.eml.exe – was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.
Oh, the Irony!
US-CERT responding by doing what it’s supposed to do: it posted a bulletin and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency has stated
“difficulty receiving emails due to the phishing campaign”
according to SC Magazine. A little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, it’s a forgivable fumble considering that the scam artists continue to get wilier and more creative in their attacks.
In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:
US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:
- Do not open the attachments in email messages from unknown sources.
- Install anti-virus software and keep virus signatures files up-to-date.
- Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
- Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
- Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.
From Russia with Malice
The story gets a little more interesting from here, when Nextgov.com reported on Wednesday that
“Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.”
It’s not clear why researchers outside of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?
Regarding the attack and its location, there’s clearly no love here, only malice. So why was an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything that nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.
It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.
Loading ...
This is really ironic knowing that US-CERT has the authority to fight against phishing, spamming, hacking, and other forms of malicious and harmful attacks.
Just an additional tip though – do not open
unexpected attachments in email messages even if it is from someone you know. In most cases these attachments are in .zip, .ppt (PowerPoint), and exe (executable files, programs, and apps) formats. Before opening these files, ask yourself first – why was this sent to me?
Well, that has to be embarrassing. At the same time concerning, I never like to see government agencies being hit by these things, it makes me feel like we’re closer to the era of cyberwarfare.
It does put an interesting precedent forth though – The only real defense for a well-placed phishing campaign is the utmost in caution and good sense. No other existing security can get you by unscathed.