The Berkeley Lab Cyber Security group reports a new variety of social engineered phishing scams. In this new variety, attackers impersonate the name of real Lab staff or colleagues, including senior leaders and supervisors. The attackers use public websites to determine relationships and impersonate people you actually know, such as your supervisor, colleagues, collaborators, or senior leaders. Continue reading to view recent examples and tips for recognizing and reporting incidents.
In the first example, a Lab employee reported suspicious emails from a fake, non-lbl.gov email address <firstname.lastname@example.org> pretending to be Kristin Persson, Foundry Director. The recipient may be more inclined to respond without validating the sender if the request is time-sensitive and originates from an apparent supervisor or manager. Notable is the attacker using Kristin’s signature to make the message appear legitimate.
From: Kristin Persson <email@example.com> Date: Tue, Feb 1, 2022 at 8:09 AM Subject: Task To: <redacted> I need you to run a quick task, let me know if you’re unoccupied. Thanks, Kristin Persson --- Kristin A Persson Director of the Molecular Foundry Professor in Materials Science and Engineering University of California at Berkeley Faculty Senior Scientist Lawrence Berkeley National Laboratory Director of the Materials Project
The second example shows external contacts and colleagues may also be a source or target of social engineered phishing. In the Earth and Environmental Sciences Area, Associate Laboratory Director Susan Hubbard reported an incident forwarded to her by a colleague. The attacker sent an email from an unknown, non-lbl.gov email address <firstname.lastname@example.org> using the correct names, role information, and relevant subject line. The attacker offered an excuse for why they can’t talk on the phone, which is a common tactic to keep the victim from discovering the scam since it won’t be Susan on the phone.
From: Susan S. Hubbard <email@example.com> Date: Tuesday, February 8, 2022 7:19 AM Subject: Atmospheric and Hydrospheric Sciences (W) To: <redacted> Hello Scott Are you available to assist? We will voted to donate to the Veterans Association made on behalf of Atmospheric and Hydrospheric Sciences (W) to support them with preventive items from Corona Disease (COVID 19) I would have called your phone but i am out of town and completely unavailable by phone (voice) but I can receive emails. Let me know if you need more information. Thank you, Susan S. Hubbard Chair Atmospheric and Hydrospheric Sciences (W) Susan Hubbard Associate Lab Director, Earth & Environmental Sciences Area Lawrence Berkeley National Laboratory Adj. Professor, Environmental Science, Policy and Management
Members of the Strategic Communications office received unusual requests from an unknown number pretending to be John German, Chief Communications Officer.
Notice again the tactic to avoid a voice call, where the victim would soon discover the voice is not John German on the other end.
In the current version of this attack, the malicious actors appear to have a common goal, that is to trick you into buying gift cards. The example below is a verbatim reply from the attacker if you engage one of the phishing attacks.
"Thank you <redacted> The specific cards I needed you to purchase should be either Walmart or eBay or Target or Amazon gift cards $100 x 5pcs which total is $500 for the donation pledged to Veterans at Hospice & Palliative Care. I will be liable for reimbursement. You can get them at most CVS, Walgreen's Store or other Convenience Stores. Due to the time frame. I'll be very happy if you can get them today. E-mail me immediately if you buy them for proper instructions. Let me know if a check will be fine for reimbursement. Thank you."
Berkeley Lab Cyber Security group believes it is important to understand the attackers’ goal since this attack is likely to evolve going forward, but the goal will remain the same. If you experience any sort of email or SMS communication that ends with someone asking you to buy gift cards, it is a scam that should be reported to firstname.lastname@example.org.
The best defense for these attacks is to be aware of the methodology, remain vigilant, and report anything suspicious. Below are a few tips to help protect the Lab from scammers:
- Do not engage with unexpected messages from unknown email addresses, especially with words like “Urgent” or “Response Needed.”
- Take time to validate the identity of the sender outside of electronic communications, e.g., via voice, Zoom, or in-person when safe to do so.
- Do not engage with emails requesting or soliciting monetary transactions.
- Nobody at the Lab will ever ask you to buy gift cards.
- Mark the message as Spam in Gmail.
- Stay up to date with Cyber Security Training requirements.