You Are Already Behind Enemy Lines -- Protecting Yourself From Email Attacks

Tech columnist Jeff Bennion speaks with Mounil Patel of Mimecast about how hackers are trying to get our email -- and what we can do about it.

Nigerian prince scams are usually pretty easy to spot – they start with some greeting like “Dearest One,” use poor grammar, and generally don’t make any sense. Take, for example, this email I got from then-Director of the FBI Robert Mueller, directing me to send him $98 via Western Union or I will get “maximum arrest,” and warning me to not try any “funny business” because I’m being watched:

Not very many companies, or IT departments of companies, are worried about getting “maximum arrest” because the email is clearly not from Robert Mueller (although possibly from his predecessor), and there is no threat that anyone would rush down to the liquor store to send $98 via Western Union to Nigeria.

Those emails begin with a vague greeting because they are sent out to thousands or tens of thousands of people in a day. They cast a wide net and hope to get one or two people. That’s called phishing.

Spear phishing, on the other hand, is a little more diabolical. It’s a targeted attack against a single person. If you target one person a day with spear phishing and get only one bite a year, you can probably get more valuable information than you would from getting multiple phish bites every day.

Last month at ILTACON, I sat down with Mounil Patel, a VP at Mimecast, to talk about how hackers are trying to get our email and what we can do about it. Here are some examples of how spear phishing attacks take place:

  1. A hacker goes to an Am Law 100 firm’s website and goes to the About Us section to see who the managing partner is. Then he goes to that partner’s LinkedIn or Facebook profile to see where that person went to school and who their friends are. Then, the hacker makes an email account with the friend’s name and begins emailing the managing partner. It doesn’t necessarily have to be a “Hey, check out this obviously-fake link. I thought you’d enjoy this!” email. It might be something like, “Hey, haven’t seen you in a while. Let me know when you are free for lunch.” That can be followed by an email a few days later that says, “Hey, let’s meet here for lunch: http://malwarecafe.com/menu.html.”

  2. A managing partner gets an email from someone that sounds kind of legitimate, but the firm has software that scans incoming email for dangerous links. So, the hacker buys the domain malwarecafe.com and sets it up as a legitimate-looking website and emails the link to that website to the managing partner. It goes through the firm’s malware filter and comes out clean. The hacker waits about an hour because by then, the email will be whitelisted and delivered, and completely changes the site to make it install malware on the visitor’s computer. The partner, who believes that his firm’s malware protection software screens these things, clicks on the link an hour later after he gets out of his meeting and goes to a site that was not screened by the software.
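The second scenario is a time-of-check/time-of-use gap: the link is judged once at delivery and trusted at every later click. The sketch below is an added example, not code from the article or from any vendor; it contrasts that model with rewriting the link so it is scanned again when clicked. The gateway URL, the signing key, and the `fetch` and `scan` stand-ins are assumptions constructed for the demonstration.

```python
import hashlib, hmac, re
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"             # assumption: key held by the gateway
GATEWAY = "https://links.example.invalid/c"  # hypothetical click-time redirector
URL = "http://malwarecafe.com/menu.html"     # the article's fictional link

def fetch(url, minute):
    """Constructed stand-in for the site: its content depends on the minute."""
    if url == URL and minute >= 60:
        return "<script src=dropper.js></script>"   # swapped in after delivery
    return "<h1>Lunch menu</h1>"

def scan(content):
    """Toy verdict standing in for a real content scanner."""
    return "malicious" if "dropper" in content else "clean"

def sign(url):
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body):
    """Delivery time: point every link at the gateway instead of the site."""
    def repl(m):
        return f"{GATEWAY}?u={quote(m.group(0), safe='')}&s={sign(m.group(0))}"
    return re.sub(r"https?://[^\s\"'<>]+", repl, body)

def on_click(link, minute):
    """Click time: check the token, then scan the page as it is right now."""
    params = dict(p.split("=", 1) for p in link.split("?", 1)[1].split("&"))
    url = unquote(params["u"])
    if not hmac.compare_digest(params["s"], sign(url)):
        return ("blocked", "bad signature")
    verdict = scan(fetch(url, minute))
    return ("allowed" if verdict == "clean" else "blocked", url)

def delivery_only(url, click_minute):
    """Weak model: one verdict at minute 0, trusted whenever the click comes."""
    return "allowed" if scan(fetch(url, 0)) == "clean" else "blocked"

if __name__ == "__main__":
    link = rewrite_links("Let's meet here for lunch: " + URL).split(": ")[1]
    print(delivery_only(URL, 61))   # the stale verdict lets the click through
    print(on_click(link, 61))       # the click-time scan sees the swapped page
```

The signature on the rewritten link keeps the redirector from being used to vouch for arbitrary destinations that the gateway never rewrote.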

What You Can Do About It

First off, I want to apologize to any of the legitimate European mega corps who desperately need a fourth-year personal injury attorney to handle their company’s contract negotiations, because I will not be responding to your emails. If something looks suspicious, it probably is.

For more advanced protection against non-obvious threats, you’ll need a more advanced solution to find a balance between making yourself available to the public and safeguarding your inbox. For example, there’s a danger in opening documents that have macros in them. Macros are pre-programmed instructions embedded in a document to carry out a couple of simple commands. They can also contain dangerous instructions that damage our computers. That’s why the default settings in Word and Outlook are to disable macros in documents received over the internet. But, if you really need the document, and it’s stuck in a spam-filtering process for an hour, or even ten minutes, you might begin to lose patience. One of Mimecast’s products creates a “safe” version of an attachment by translating it into a PDF while it is being scanned, so you can read the attachment while the original is being inspected and cleaned.
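A mail filter can tell whether a modern Office attachment carries macros without opening it in Word: .docx/.docm files are ZIP packages, and a VBA project is stored as a `vbaProject.bin` part. The check below is an added example, not the article's or Mimecast's code; the verdict names and the sample packages built by `make_package` are constructed for the demonstration.

```python
import io, zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # header of legacy .doc/.xls files
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")

def classify_attachment(name, data):
    """Return (verdict, reason); the verdict names are this example's own."""
    if data.startswith(OLE_MAGIC):
        return ("inspect", "legacy OLE file; macros need a deeper parse")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("not-office", "not a ZIP-based Office package")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = z.namelist()
        vba = [p for p in parts if p.lower().endswith("vbaproject.bin")]
        types = ""
        if "[Content_Types].xml" in parts:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    if not vba and "macroEnabled" not in types:
        return ("deliver", "no macro parts found")
    if name.lower().endswith(MACRO_FREE_EXT):
        return ("quarantine", "macro content under a macro-free extension")
    found = ", ".join(vba) or "content type only"
    return ("quarantine", "macro-enabled package (" + found + ")")

def make_package(with_macro):
    """Build a constructed, minimal OOXML-shaped ZIP in memory (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_attachment("brief.docx", make_package(False)))
    print(classify_attachment("brief.docm", make_package(True)))
```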

Email scanning and protection is often one of the forgotten areas of cyber security, but it can be one of the most important because we routinely get attachments and links in our emails, so harmful ones can blend in easily. Take a few extra minutes to see what kind of solutions are available to protect your inboxes. As the hackers get more advanced, we need to keep pace.

On a semi-related note, this Friday I will be speaking at the Above the Law Academy for Private Practice on cybersecurity and e-discovery. Details are here.


Jeff Bennion is Of Counsel at Estey & Bomberger LLP, a plaintiffs’ law firm specializing in mass torts and catastrophic injuries. Although he serves on the Executive Committee for the State Bar of California’s Law Practice Management and Technology section, the thoughts and opinions in this column are his own and are not made on behalf of the State Bar of California. Follow him on Twitter here or on Facebook here, or contact him by email at jeff@trial.technology.
