The revelation that the FBI sent a fake Associated Press story containing malware to a teenager suspected of making bomb threats has brought “spear phishing” back into the public consciousness. The technique, which combines malicious software with social cues tailored to the target, has been used by state and non-state actors to attack journalists and rights advocates, including the Committee to Protect Journalists. Spear phishing can be devastatingly effective, but there are simple steps journalists can take to protect their work, themselves, and their sources.
In the FBI incident, agents sent a fake AP story containing malware to the MySpace account of a suspect in Washington State. The case came to light on October 27 when Christopher Soghoian, principal technologist at the American Civil Liberties Union, tweeted that the digital rights organization Electronic Frontier Foundation (EFF) had obtained documents on the FBI operation. According to FBI Director James B. Comey, an agent also posed as an AP reporter as part of the ruse, which Comey called “proper and appropriate” in a letter to The New York Times. The teenage suspect was later arrested and convicted. Both the fake article and the malware had been prepared by the FBI, sparking strong protest from the AP,condemnation from CPJ, and concern from Congress.
In a similar incident, hackers calling themselves the Syrian Electronic Army took over the verified Twitter account of the AP on April 23, 2013, and published a tweet falsely claiming that President Obama had been injured in an explosion at the White House. Although the AP quickly regained control of its account, the tweet frayed nerves and caused the stock market to abruptly tumble.
Although spear phishing attacks on journalists and human rights workers have historically been easy to spot, security researchers have begun seeing attempts that reflect a higher degree of sophistication. The increasing use of social media by journalists makes it easier for information to be gathered that can be used to personalize an attack. The combined exploitation of technical and human vulnerabilities can catch even the savviest target off guard: in recent years, successful spear phishing attacks have been launched against The New York Times,Oak Ridge National Laboratory, Apple, and a system used by the White House Military Office for nuclear commands, among other targets.
Spear phishing differs from the common and often crude technique known as “phishing.” While phishing involves spoofing a source someone might trust as legitimate–a big bank, a news organization, or a government agency–spear phishing involves spoofing a source its target is likely to trust as legitimate.
“The sophistication of spear phishing attacks is often measured not in technical terms, but in sociological terms,” Peter Eckersley, Technology Projects Director at EFF, told CPJ. “The question is whether the author of the attack has done enough research about the target to plausibly impersonate a member of their social community.”
As shown by the FBI case, spear phishing remains a popular attack. However, it is facing competition from more dangerous tools including network-injection appliances. These devices can infect a computer with malware without the user having to do anything out of the ordinary–even watching a YouTube video or reading a reputable site can facilitate a successful attack.
Although the FBI downplayed the significance of it impersonating the AP, its actions put journalists’ safety at risk by compromising the integrity and independence of the news media. And malware directly targeting the press raises more immediate dangers. “The best advice is not to let it happen in the first place,” CPJ senior adviser for journalist security Frank Smyth wrote in the wake of the AP Twitter hack.
Chuck Lustig, deputy executive director of operations at Human Rights Watch (HRW), told CPJ the easiest way “to defend against such attacks is staff education and staff awareness.” Lustig, the former director of foreign news coverage at ABC, now has responsibility for protecting HRW against computer-based attacks. By educating its staff, Lustig says, HRW protects the security of the organization as a whole. “I think one of the things that staff understand now is that they could be the weak link, and no one wants to be that weak link.”
For large organizations and individual reporters alike, the best preventative measure is to think about information security as a process. Journalists can significantly reduce their exposure to a spear phishing attack by combining vigilance with a few simple measures.
It is crucial to keep operating systems up-to-date, Eckersley said. This is true regardless of what machine is being used. (Eckersley notes that Apple users may be especially prone to a “false sense of security,” and that the exploitation of some previously unidentified vulnerabilities–known as “zero-day” attacks–might be more difficult in a Windows environment.)
When reviewing a message, it is important to always look at what account it came from. Be mindful of misspellings, and never click on a file or link from an unknown source. With websites that require users to log in, Morgan Marquis-Boire, a senior researcher at the University of Toronto’s Citizen Lab, told CPJ he advises people to “Always, always, always check the URL” to ensure it is correct and utilizes the HTTP Secure protocol, which begins with “HTTPS” rather than “HTTP.”
Hackers are tricky, of course, and even a URL that appears trustworthy may not be. It appears the AP Twitter hack was accomplished by disguising a malicious URL as a familiar one. But the AP hack might have been avoided if the target had taken a moment to check the link’s true destination by hovering the mouse cursor over the link before clicking. (Go ahead, try it, then click: https://www.google.com. And don’t worry, the link is not malicious.)
Other technical protections are also available. Following the AP hack, Twitter fielded a two-step authentication, which provides an extra layer of security for login information. Other companies such as Google, Facebook, WordPress, LinkedIn and Dropbox also offer this feature. Take advantage of it.
Finally, it is as important for journalists to craft strong passwords. Although using one won’t save you from a spear phishing attempt, such an attack is unnecessary if a password can be discovered by password-cracking software. Creating a password that is easy to remember but hard for a computer to crack is simple. Once a strong master password has been created, a password manager can be used to create and store strong, unique passwords for each site requiring a log in.
Journalists are busy, and taking the time to think through these extra steps can be a pain. But as Eckersley notes, tailored attacks are not limited to large organizations. And for many journalists, an attack that uses the same techniques as those used against the AP could come at a much steeper cost: a source’s trust, freedom–even their life.
So pause, and consider, before you click.
San Francisco-based CPJ Internet Advocacy Coordinator Geoffrey King works to protect the digital rights of journalists worldwide. A constitutional lawyer by training, King also teaches courses on digital privacy law, as well as the intersection of media and social change, both at UC Berkeley. Follow him on Twitter at @CPJInternet. His public GPG encryption key can be found here.