A few weeks ago the UK Government issued a statement saying that it was determined to increase security and improve training and awareness of security issues, to help prevent cyber attacks, malware and phishing within the UK. These were my thoughts at the time; I now need to add to them.
The chancellor’s statement included this:
In addition, some cash will also go towards education and training of cybersecurity experts.
“If we want Britain to be the best place in the world to be a tech business then it is also crucial that Britain is a safe place to do the digital business,” the chancellor added.
“Trust in the internet and the infrastructure on which it relies is fundamental to our economic future.”
All well and good until it actually comes to putting it into practice. To start with, the UK Government needs to put its own house in order very, very quickly before telling other organisations how to act or behave.
Just take a look at this email, which was received by a user on my server today. I have removed all identifiable info from the email, but just see how similar this is to phishing and malware-spreading emails: a clear instruction in the email to click a (hidden) link inside an attached PDF file. What the hell are they thinking of? That is item 1 on security 101 training or awareness: do not click unknown, masked or hidden links, and NEVER click links inside attachments.
Once you start to accept this type of email communication as genuine and acceptable, because it does come from a trusted UK Government department, then you automatically assume every similar type of email is also genuine, and all the years of hard work in educating users in good internet and email behaviour are wasted.
Luckily this email and the attachment are genuine and legitimate, and were sent to a newly formed company. It is trivially easy to spoof UK Government emails and attachments like this, either to perform phishing attacks and steal information or money or both, or to spread malware. Phishers routinely scan new listings at Companies House and other similar Government bodies to find potential targets for spear phishing. When a new company is set up there is a lot of paperwork, and it is all too easy to be fooled by a spear phishing attack against you. To make it even worse, most UK Government departments / organisations / authorities don’t use much in the way of email authentication, making them a spammers’ / phishers’ paradise and making the email@example.com address easy to spoof. Some will use SPF, which can be fooled or bypassed, but almost no Government departments use DKIM or DMARC, which almost totally block spam, malware and phishing pretending to come from this sort of email address.
Original email looks like:
From: IPO <firstname.lastname@example.org>
Date: Mon 31/10/2016 18:31
Subject: Trade Mark Correspondence from the Intellectual Property Office (IPO) Trade Mark No: UK0000[redacted] Applicant Ref: [redacted]
Please read the attached letter which contains important information about your trade mark. To reply, use the ‘Please click here to reply’ hyperlink in the attached letter.
IMPORTANT:Do not reply to this email account as it is not monitored. Any emails sent to this address will not be treated as a reply to us and we will not process any correspondence sent to it.
Please help us improve our services by taking a few minutes to complete our satisfaction survey. www.ipo.gov.uk/satisfaction
Intellectual Property Office
Screenshot of PDF attachment:
The link behind the ‘Click here to reply’ (in this case) is a genuine link to a .gov.uk site, but it is NOT HTTPS and it is hidden from immediate view. Both are very bad practices. http://www.ipo.gov.uk/tm3s-online/Landing?hash=[redacted]
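To show how a receiving mail server could flag exactly the two problems described above (no DKIM/DMARC on the sending domain, and an instruction to follow a link hidden inside a PDF attachment, plus a plain-HTTP link), here is an added triage script written for this post, not code from the IPO or any Government system. The sample message, its Authentication-Results header and the attachment body are constructed and modelled on the email quoted above; the example.org / example.net addresses are placeholders.

```python
"""Triage check for messages like the IPO one quoted above (added example)."""
import email
import re
from email import policy

# Constructed sample modelled on the quoted email; the Authentication-Results
# header is made up and records SPF passing but no DKIM and no DMARC.
RAW = b"""From: IPO <firstname.lastname@example.org>
To: user@example.net
Subject: Trade Mark Correspondence from the Intellectual Property Office (IPO)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=none; dmarc=none header.from=example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached letter. To reply, use the 'Please click here to reply' hyperlink in the attached letter.
Survey: http://www.ipo.gov.uk/satisfaction
--b1
Content-Type: application/pdf; name="letter.pdf"
Content-Disposition: attachment; filename="letter.pdf"

%PDF-1.4 constructed placeholder body, not a real PDF
--b1--
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header (RFC 8601)."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    # SPF alone is not enough (it can be bypassed); require DKIM and DMARC to pass.
    for mech in ("dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'none')}: sender domain not authenticated")
    pdfs = [p.get_filename() for p in msg.walk() if p.get_content_type() == "application/pdf"]
    for name in pdfs:
        findings.append(f"pdf attachment {name}: links inside it cannot be inspected by the mail client")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://\S+", text):
        if url.startswith("http://"):
            findings.append(f"plain-http link {url}")
    if pdfs and re.search(r"click here to reply", text, re.I):
        findings.append("instruction to follow a link inside an attachment")
    return findings
```

A real deployment would take the Authentication-Results header from the organisation's own MTA rather than trusting one supplied by the sender.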