David Salisbury, professor of information systems at the University of Dayton, describes "phishing" and how criminals use the scheme to steal information through the internet.

WikiLeaks dump seen as cautionary tale for others as attacks multiply

Experts say even sophisticated users can fall prey to ‘phishing.’

A WikiLeaks dump of Hillary Clinton campaign manager John Podesta’s emails shows how easily members of the public, and even those at the highest levels of government, can be ensnared in cybercrime “phishing” schemes that loot bank accounts, steal personal information and access payroll records throughout the country.

Podesta was hacked the same way many Americans fall prey: by clicking on a phony email he thought was legitimate.

“You can put in firewalls. You can put in antivirus. You can put in spam filters — whatever you want — but at the end of the day it’s the nice person who doesn’t quite pay enough attention and clicks a link,” said David Salisbury, professor of information systems at University of Dayton. “Mr. Podesta’s situation is a cautionary tale.”

Phishing attacks reached an all-time high during the second quarter of this year, according to the Anti-Phishing Working Group (APWG), an international coalition of industry, government and law enforcement keeping tabs on cybercrime. The group reported more than 466,000 unique phishing sites on the internet during the second quarter of this year, a 61 percent increase over the previous record high during the last quarter of 2015.

On an average day, a business user will receive 90 emails, 14 of which are spam or “gray mail” not trapped by filters and potentially threatening, according to a 2016 estimate by The Radicati Group, a Palo Alto, Calif. research company.

Podesta, who served as former President Bill Clinton’s chief of staff, joined a high-ranking group of political operatives and government officials who have had personal email accounts compromised. Other notables include CIA Director John Brennan, Director of National Intelligence James Clapper, former Secretary of State Colin Powell, and 2012 Republican presidential candidate Mitt Romney.

WikiLeaks claims possession of 50,000 Podesta emails that the Federal Bureau of Investigation says were likely handed to the site by way of Russian hackers. More than 35,000 have been published so far, doled out in batches of several thousand a day. The group vows to continue releasing them each day before the election.

While Donald Trump has seized on the emails to mount a political attack on Clinton, Florida Republican Sen. Marco Rubio told ABC News that no political party should cheer the prospect of foreign state-sponsored hackers attempting to obstruct the U.S. election.

“As our intelligence agencies have said, these leaks are an effort by a foreign government to interfere with our electoral process, and I will not indulge it,” Rubio said. “Further, I want to warn my fellow Republicans who may want to capitalize politically on these leaks: Today it is the Democrats. Tomorrow it could be us.”

‘Spear phishing’

Podesta reportedly received an email on March 19 that appeared to be from Google. He clicked on a link generated using Bitly, a URL shortening service, which launched a fake Google page where Podesta entered his login information.

“What you just did is give the bad guys your user ID and password,” said Jack Gerbs, CEO of Quanexus, a technology company in Centerville with an information security group.

Gerbs said the attack that snared Podesta was likely the result of “spear phishing” against the Democratic presidential campaign’s email accounts.

“They were targeting that organization,” he said. “They were creating specifically crafted messages that looked legit to get them to open a file that would create the vulnerability for the bad guys to get into the network.”

Despite recent attention on foreign hackers, the vast majority of the world’s phishing attacks originate within the United States, which hosts the greatest number of phishing websites. As of March, more than 75 percent of phishing sites were hosted on U.S. servers, according to the APWG.

Many Americans have learned to automatically delete bulk spam emails purporting to come from a Nigerian prince wanting to share riches, or from a long-lost relative traveling overseas who lost a passport and needs money wired. But those “phishing” the internet today use increasingly sophisticated nets — especially those attempting to infiltrate large organizations.

Would-be perpetrators interact with users through emails that seem plausible — and in the case of spear phishing, often contain bits of reasonable and true information gleaned through intelligence or cyber surveillance, Salisbury said.

“There’s a reason it’s called phishing,” Salisbury said. “When I fish, I like to use bait the fish will take.”

Clicking on a bogus link can bring a torrent of trouble.

Gerbs said he worked with an area company to determine how it lost $280,000 through a phishing attack and how to prevent another. Hackers wrested control of the company’s human resources machine and installed a malicious keystroke-logging program that gave the attackers access to create a fictitious payroll for recipients not in the company. Funds were directly deposited into these accounts.

“There were a lot of things that went wrong,” Gerbs said. “The money quickly went overseas. They notified the FBI and notified the police and they decided not to write a report because they didn’t want their reputation damaged in the industry.”

The biggest financial consequence for organizations is a loss of business, according to the Ponemon Institute’s 2016 Cost of Data Breach Study. In the U.S., each data breach cost the 64 companies participating in the survey an average $7.01 million in 2015, an increase from $6.53 million in 2014. The cost per lost or stolen record also climbed 2 percent in 2015, to $221.

“Everybody in the company is responsible for information security,” Gerbs said. “If something does not feel right … go ahead and report it and don’t assume it’s something small.”

Catastrophic damage

The damage cyber attacks can inflict on large networks, such as those operating electric grids or military communications, is potentially catastrophic.

“Strategic defense plans, those things are invaluable to a nation that doesn’t like us,” Gerbs said.

Though not delivered by phishing, the first known cyberweapon, called Stuxnet, a joint U.S.-Israeli operation, was used against the Iranian nuclear program beginning in 2009 to disrupt uranium enrichment centrifuges.

Experts advise being wary of any email, at home or at work, that asks for login credentials or personal information.

Gerbs said a typical phishing trick is “to get your blood pressure up” through a bank account balance or online shopping order discrepancy notice.

“They’re looking for a quick response,” he said.

Common phishing scams will appear to come from popular credit cards or online shopping sites like Amazon or shipping services such as FedEx, UPS or the United States Postal Service. The Internal Revenue Service will never contact a citizen via email, Gerbs said, though IRS emails regularly pop up in private email accounts.

A growing number of links lead to ransomware — a type of malware or malicious software that can lock a screen or encrypt files until a sum of money is paid over to a cyber extortionist. Advanced versions can cripple an entire network.

Experts advise never following links in email notices. Instead, open a web browser and log in directly at the known URL of the organization’s official site.
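The advice above rests on the fact that where a link appears to go and where it actually goes can differ, and a shortened link (such as the Bitly link in Podesta’s case) hides its destination entirely. As an added example that is not from the article or the experts it quotes, the following Python script triages the links found in a message body against a constructed allowlist of login hosts: it flags URL shorteners, the “@” user-info trick, and hosts that merely contain a trusted brand name. The allowlist, the shortener list, the sample message and every hostname in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: the sites a user actually logs in to.
# A real deployment would load this from the organisation's own configuration.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "www.amazon.com"}

# Well-known URL shorteners. A shortened link hides its destination, so it
# cannot be checked against the allowlist without following it.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl"}

# Brand labels derived from the allowlist ("google", "amazon"). A host that
# contains one of these without being the exact trusted host is suspect.
BRAND_LABELS = {h.split(".")[-2] for h in TRUSTED_LOGIN_HOSTS}

URL_PATTERN = re.compile(r"https?://\S+")


def classify_link(url: str) -> str:
    """Classify a single URL found in an email body.

    Returns one of:
      'trusted'   - https to a host that is exactly on the allowlist
      'insecure'  - allowlisted host, but plain http (credentials in cleartext)
      'shortened' - a URL shortener; destination unknown until followed
      'lookalike' - a trusted name embedded in an untrusted host, or placed
                    in the user-info part before '@'
      'unknown'   - none of the above; treat with the same caution as any
                    unexpected link
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if host in SHORTENER_HOSTS:
        return "shortened"
    # "https://accounts.google.com@evil.example/" parses with hostname
    # evil.example and username accounts.google.com: the classic '@' trick.
    if parts.username is not None:
        return "lookalike"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted" if parts.scheme == "https" else "insecure"
    labels = host.split(".")
    # accounts.google.com.verify.example contains the label "google", but the
    # registrable domain is verify.example, not google.com.
    if any(brand in label for label in labels for brand in BRAND_LABELS):
        return "lookalike"
    return "unknown"


def find_links(text: str) -> list:
    """Extract http(s) URLs from free text, dropping trailing punctuation."""
    return [m.rstrip(".,;:)]>\"'") for m in URL_PATTERN.findall(text)]


def triage_email(text: str) -> list:
    """Return (url, verdict) pairs for every link in an email body."""
    return [(u, classify_link(u)) for u in find_links(text)]


# Constructed sample message (not the email described in the article).
SAMPLE_EMAIL = """Hello,
Your account needs attention. Please confirm your login here:
https://bit.ly/constructed-example
Or review recent activity at https://accounts.google.com@login-check.example/review
Thanks,
The Mail Team
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The verdicts are deliberately coarse: anything other than “trusted” is a reason to close the message and type the site’s address yourself, which is exactly the practice the experts recommend. The check is a heuristic, not a proof of safety; an attacker-controlled host that matches none of the patterns still comes back “unknown”, and the script does not follow shortened links, because doing so would itself contact the attacker’s server.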

Behind almost 90 percent of all data breaches is a motive of financial gain or espionage, according to the 2016 Data Breach Investigations Report by Verizon. Organized crime syndicates account for 89 percent of phishing attacks while 9 percent are unleashed by state-affiliated actors, according to the report analyzing 2015 data.

Salisbury said statistics show phishing emails continue to be routinely opened and acted upon.

A survey of eight million company-sanctioned phishing tests in 2015 showed 30 percent were opened and about 12 percent of employees clicked on a malicious attachment or link, according to the Verizon report.

“Users aren’t necessarily bad or careless but they generally have a lot going on and they sometimes react to a clickable link,” Salisbury said. “No matter what kind of technical controls you put in, if somebody clicks a link, you’re owned.”

What to do

If you suspect you’ve taken the phishing bait, Gerbs advises an immediate change of password at the official site and other sites if using the same login credentials.

“The bad guys are pretty smart. They know we’re lazy and probably use the password on other accounts and the user ID on other accounts such as financial accounts and other shopping sites,” he said. “So you being a person of interest they may also dig into what communities you live in, what banks are around there and they’re going to go fishing to try to get into your financial accounts.”


Tips for thwarting hackers

  • Make your password hard to guess by using a combination of upper and lower case letters, numbers, and special characters.
  • Change your password often.
  • Do not use the same password with more than one account. If you use the same email and Facebook password, and someone found out your Facebook password, they can log into your email and potentially gain access to every single account that that email address is associated with by using “forgot my password” links.
  • Do not write your password down where someone else can find it. (Don’t put it on a post-it near your computer, for example.)
  • Don’t tell anyone your password.
  • Use trusted security software and set it to update automatically.
  • Don’t ever give any personal information over email or private message. If your bank needs to confirm your account number, call them using the number on the back of your bankcard. Do not reply to email, text, or pop-up messages that ask for your personal or financial information. Businesses that are legitimate will not ask you to send private information over insecure channels.
  • Don’t click on links within emails or in private messages.
  • Log in to the company’s website by typing the URL into the address bar. Don’t sign in through any links from the email or message.
  • Be cautious of opening attachments and downloading files to avoid a virus.

Source: Socialsafety.org adapted from information at onguardonline.gov. For more information: http://onguardonline.gov/phishing
