#BeCyberSmart: Phight the Phish — The basics of email security
Phishing is a type of social engineering where an attacker sends a fraudulent — or “spoofed” — message designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim’s infrastructure. Scammers launch thousands of phishing attacks like these every day — and they’re often successful. The FBI’s Internet Crime Complaint Center reported that people lost $57 million to phishing schemes in one year.
Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site and to traverse any additional security boundaries along with the victim. Phishing is by far the most common attack performed by cyber-criminals, with the FBI’s Internet Crime Complaint Center recording over twice as many incidents of phishing as any other type of computer crime.
So what can you do to protect yourself and your organization from phishing attacks?
In the fourth video of our #BeCyberSmart series, McAfee & Taft cybersecurity and privacy attorney Joshua Snavely talks with special guests George ‘Donnie’ Hasseltine, chief security officer at Xenon Partners and chief executive officer at Packagecloud, and Terence Bennett, director of operations with Xenon Partners and TeamPassword.
About our guests
George ‘Donnie’ Hasseltine is a cybersecurity professional and Marine Corps combat veteran who currently serves as the chief security officer for Xenon Partners, a tech private equity firm that focuses on business-to-business Software as a Service (SaaS) companies. He also serves as chief executive officer at Packagecloud, a one-stop cloud-based service to store and distribute different software packages in a reliable and scalable way.
Donnie is a retired Marine Corps officer who completed combat deployments to Kosovo, Iraq, and Afghanistan. His Marine Corps assignments included infantry, recruiting, and staff positions, including command of 1st Reconnaissance Battalion.
He currently serves as the information technology sector chief for the Bay Area Chapter of Infragard, a public-private partnership with the FBI to protect critical infrastructure. Additionally, he is a board member of the Marine Reconnaissance Foundation that works to support reconnaissance Marines and their families, and an advisor to the Athena Leadership Project that explores how gender-diverse teams shape national security.
He holds a bachelor’s degree in history from the Virginia Military Institute, a diploma in Strategic Intelligence from the Joint Military Intelligence College, a master’s degree in national security and strategic studies from the Naval War College, and an executive master in cybersecurity from Brown University.
Terence Bennett is a cybersecurity expert, operations leader, startup advisor, frequent speaker, and former U.S. Navy intelligence officer. He is presently the director of operations at TeamPassword and TeamsID, two of the industry’s best password managers for small teams needing to actively share and manage passwords in a professional environment. He has previously worked on Google’s Offensive Security RedTeam, where, in partnership with engineering leadership, he planned and managed the exercise pipeline across the entire Alphabet portfolio. Before that, he worked in Google Cloud as an administrative business partner on the Storage and Databases product management team.
In his more than eight years of U.S. Navy service, Terence was a naval intelligence officer and surface warfare officer, and worked at the Naval Criminal Investigative Service. In a reserve capacity, he worked at the Defense Department’s Innovation Unit Experimental, based in California’s Silicon Valley to bring the department closer to the new technologies it needs for strategic and tactical purposes. He deployed as a gunnery officer aboard the USS Paul Hamilton in support of Operation Iraqi Freedom in 2011. In 2014, he deployed on the USNS Spearhead as the intelligence detachment officer-in-charge. Terence is a graduate of the U.S. Naval Academy and U.S. Naval War College.
Joshua Snavely: Well, welcome to our series on being cyber smart, as we highlight and celebrate the annual Cyber Security Awareness Month in October. And we’re glad to have with us today two guests. Our first is Donnie Hasseltine, who’s a 22-year veteran of the Marine Corps, retired as Lieutenant Colonel. Now serves as the Chief Security Officer at Xenon Partners, and is also now the Chief Executive Officer at Packagecloud, and Terence Bennett. Terence is a retired Surface Warfare and Naval Intelligence Officer. He served also as a member and leader at Google’s Red Team. He’s now the Director of Operations at Xenon as well as the Director of Operations at TeamPassword. So phishing, right, we hear this word all the time now. So what is that and who’s behind it?
Donnie Hasseltine: So every one of you has received a phishing email before, probably. It might’ve come from a Nigerian prince or someone else or something like that. That’s the common joke out there, right? These emails that say, “Hey, I have a problem. Get in touch with me.” And that’s usually just the really most generic phish. And a lot of times we laugh and joke at these ’cause they’re poorly written or they’re confusing to follow, but that’s intentionally done, right? Because a percentage of people are still responding to that. So we may not respond, we may laugh, like that’s a silly email, but someone actually hit reply. And then they’ve ruined that relationship and built that and actually done something, usually, wire money out.
So a phishing email is simply email that is sent purporting to be someone they’re not or trying to encourage you to do something that is gonna help that malicious person send an email. There’s varieties out there, like spear phishing is when you’re actually targeting a specific group or individual.
Like maybe you find an EA to the company through open source intelligence, OSINT, and you are able to spoof an email to make it look like it’s coming from the executive EA. And you ask the EA to do something like send gift cards or do something else, wire some money or something along those lines. And then the next piece is whale phishing.
Whale phishing is taking up higher, it’s spear phishing, it’s targeting like a congressman, Garcia or Issa, or someone very high up. So phishing is simply a method of attack via email to get someone to compromise an aspect of the business. Spear phishing is targeting a specific individual or group, and whale phishing is usually targeting the leadership of a specific organization or group.
Joshua: So thanks Donnie, Terence, we also heard this term for a long time. I think it originally came from the legislation, but we often hear, interchangeably, with phishing is this concept of spam, that it was a spam message. And so sometimes you hear people kind of use those words interchangeably. Is that right or how would you distinguish all the things Donnie just described from spam and who’s behind spam?
Terence Bennett: Yeah, spam goes back to the earliest days of the internet and was essentially unregulated sort of poor advertisement, for lack of a better term, right? So think of like the most click-baity ad or thing on the internet. So you’ve got an advertiser who’s buying email addresses from data aggregators or any number of sort of different groups that do this and just sending without any sort of regard for like targeting, sending these emails out to tons and tons of people with the intent of them clicking on it, and either going to a site that’s gonna create money for somebody through sort of click revenue or maybe it’s to an actual product, and this is just their method of trying to get in front of people. When that becomes malicious, it becomes phishing.
So spam is just sort of, I think of it as like, the mailers you get every Monday from Pennysaver, right? Like that’s just sort of physical spam. It’s a lot cheaper and easier to do it digitally. But if in your Monday Pennysaver, there were hidden URLs for you to go to, to get free stuff that actually download malware on your computer or something, that would be sort of for like, for lack of a better term, a physical way to phish someone.
Does that comparison make sense?
Joshua: Yeah, definitely. And what I think you both have highlighted there that I want to dig into is there’s someone on the other side of these, right? And so often they’re using this technique that’s referred to as social engineering. So Donnie, maybe share with us, what does that mean if the people sending these phishing messages or are trying to social engineer us, what are we talking about there?
Donnie: Yeah, so social engineering is a very broad term as well. And it’s just basically using those relationships and inherent trust we have as human beings with each other against ourselves. So it’s doing things like, you know, I’ll give you one aspect ’cause there’s also something called vishing, right?
Vishing is done over voice, or smishing via SMS. You get a text message, like click this link to verify your account and click, now you’ve hit malware. You know, vishing can also be like, “Hey, my husband’s away…” And there was a great example you’d find on the internet where the woman is like talking, saying like, “Husband, do I really need to reset this password? I can’t get into the account. It’s really important.” And she has a recording of a baby crying and she like hits the recording. And it just really plays on that call center of like human emotions, like, “I’m gonna absolutely help you. What can I do,” right? So those are some examples of social engineering using our humanity against us, right?
But I think that when you talk about a phishing email, usually what you’re doing is you’re taking some basic open source intelligence and building some information about that, right? So just look at McAfee Taft, like who are all the partners of McAfee Taft? Can I do a search on LinkedIn and find their EAs? Okay, now I can say, can I spoof an email? It’s coming from the name of a partner with mcafeetaft.io, maybe a slightly different domain that we wouldn’t catch, and copy the signature block, the everything else like that.
Now, I’m presenting myself as far as someone else, I’m using kind of the heuristics we use to recognize things that are valid or not valid. And I’m using that against them by trying to make it appear like I’m someone else. So if I just send a blanket email out that says, “I’m the CEO,” probably not gonna listen to it. But if it has the actual CEO’s name and his email address and the same signature block, then that’s gonna pull me in. And it works both ways. If, you know, if you have a relationship with someone who’s in leadership in your business and they communicate a certain way, then you get an email that is written differently. Like let’s say your CEO uses emoji and often misspells things. And you get an email which is really well written. You’re like, “That didn’t come from him,” or vice versa, right? To see it both ways.
The key is, for social engineering, like, can you replicate the habits of the person you’re trying to represent in that spear phish to make the person click the link or do the thing you’re asking?
Joshua: So, Terence, one of the things that I hear all the time in the organizations I help and work with is once they’ve gotten one of these phishing emails, they’ll come to me or to someone in IT and say, “I’ve been hacked,” or they start telling people, you know, “I’ve been breached or hacked.” And they’re using all this language that, you know, gets me, you know, the hair on the back of my neck to stand up as a lawyer. From a technical perspective, is that accurate? Just because you click on an email and open it and look at it, have you, you know, is there an incident there or what has to happen for there to be an incident?
Terence: That’s why it’s really important for a company to invest in intrusion detection software, in antivirus software. Because you really don’t know.
Joshua: Is it safe to say, Terence, that, no, for most of these types of phishing attacks or incidents that, you know, by not clicking on any links and not clicking on any attachments, you’re probably gonna defend yourself against most of them. So just if you see something that looks suspicious, you know, delete it, forward it, flag it, whatever your company has set up. But where the real incidents begin to happen is once you take that second action beyond looking at the email, is that a fair characterization?
Terence: Absolutely, that’s definitely the case.
Joshua: Donnie, do you want to jump in there?
Donnie: 90% of the time, if you don’t take any secondary action, you’re probably okay. You haven’t been actually hacked or breached. That’s the open door; whether you walk through it or not determines whether you’re hacked or breached. The other piece I would say is almost everybody is using either Google or Microsoft Office or kind of one of these larger email providers. Google has a very simple one. If you just click the three dots, you can pull down and say, “Report as a phishing email.” And if you do that, what that helps is not only does it, you want to follow your internal company rules, but if you report it back to Google, they will take that and integrate that into their processes. So nobody else gets an email from that IP address and so on and so forth. So the first step is recognize it. The second step is don’t take secondary action, report it, and then not just to your company, but report it to the provider, the service, so their tool sets can get even better.
Captioning/transcript provided by Rev.