By Tim Johnson / McClatchy Washington Bureau
WASHINGTON — Hackers are growing much more adept at getting people to open email infected with worms, as the network operators of Mecklenburg County government in North Carolina are the latest to discover.
Practically any infected email can look like it’s from a trusted friend or co-worker.
New techniques that a researcher unveiled this week show how hackers can strip away any sign that an email is fake, and make it “virtually unstoppable” by normal safeguards such as spam filters on email servers.
Campaigns by criminal hackers are “becoming more and more sophisticated,” said Ken Spinner, vice president of global field engineering at Varonis, a New York City security firm.
“It’s really hard to determine, if you receive an email message, whether it is legitimate or not,” Spinner said. “What’s happening is that the hackers are well funded, and in a lot of cases, budgets (of governments) don’t keep up with the requirements of security and they don’t keep up with the sophistication of exploits.”
A German security researcher, Sabri Haddouche, discovered the latest tactics used by cybercriminals, announcing them on a website Tuesday that shows a collection of vicious bugs used to bypass the hurdles set up on more than 30 widely used email clients, like Apple Mail, Mozilla Thunderbird, Yahoo! Mail and Microsoft Outlook 2016.
Haddouche dubbed the spoofing technique Mailsploit, and said he’d notified major software vendors at least three months ago so they could protect against it. About 20 vendors dealt with the problem, but 15 either did not say if they would fix the bug or said they would not, he said.
“Mailsploit is a new way to easily spoof email addresses. It allows the attacker to display an arbitrary sender email address to the email recipient,” wrote Haddouche, who works for a European cybersecurity firm, Wire, with offices in Berlin; Zug, Switzerland; and San Francisco.
In his demonstration, Haddouche showed how he could make an email look like it was from President Donald Trump and originated from the email account potus@whitehouse.gov.
By sending what are known as spoofing or spearphishing emails, hackers can either include a malicious link in the mail or attach an infected document, both of which can give intruders access into a network.
Governments are now falling victim to ransomware attacks just as thousands of corporations, small businesses, nonprofits and other entities, like hospitals, have worldwide.
An employee of the Mecklenburg County government Monday received an email routed from another employee’s account and opened it and a malicious attachment, infecting the county’s network. Hackers set a deadline of 1 p.m. Wednesday for officials to pay a ransom of about $23,000, but the deadline passed and it was not known whether a ransom was paid. The computers remained down.
“What makes this more dangerous is that hackers are now evolving different ways of getting inside the government network and employees can be the weakest link,” said Bob Noel, director of strategic relationships and marketing for Plixer, a Kennebunk, Maine, firm.
“In these sophisticated attempts, it is hard, if not impossible, for government employees to recognize a phishing email as the spoofing is so professional,” Noel added.
Ransomware attacks have become a global phenomenon. In at least two major waves of attacks this year, tens of thousands of infected computers in at least 150 countries displayed a message saying the hard drives had been frozen and would only be decrypted if a bitcoin ransom was paid.
Major corporations suffering large losses in the May and June attacks included the U.S. pharmaceutical giant Merck, the FedEx logistics and package delivery firm, and Danish shipping line Maersk.
Global ransomware damage is likely to rise from $5 billion this year to $11.5 billion in 2019, the Menlo Park, California, firm Cybersecurity Ventures said in a report last month.
Spoofing emails take many forms, including what appear to be requests from within a corporation to transfer money to an outside account to pay bills.
While some hackers use stolen personal identifying information to compromise individuals and then penetrate their workplace networks, few have targeted governments.
“A ransomware attack relies on the victim being able to make a quick payment. Most government agencies would not have the capability of making a quick payment even if they wanted to,” said John Gunn, chief marketing officer at VASCO, an Oakbrook Terrace, Illinois, cybersecurity firm.
Moreover, Gunn said, “ransomware works best against victims that want to avoid a disruption of their business and the economic losses associated with losing customers. Government agencies generally don’t lose customers regardless of the level of service provided.”
One security researcher said ordinary citizens should not feel bad if they get taken in.
“Even the best of us can be fooled by a specially crafted phishing campaign,” said Travis Smith, principal security researcher at Tripwire, a software company with headquarters in Portland, Oregon. “The next step is to ensure updates are installed in a timely manner, as malware often takes advantage of known vulnerabilities.”