1(630)802-8605 Ravi.das@bn-inc.net

We all know, as I have written before, that Phishing E-mail attacks are probably among the oldest yet most tried and true techniques for launching a massive Cyber attack.  Even with all of today's advanced spam filters and other technology, the Cyber attacker still manages to get malicious E-Mails into our inboxes and somehow still convinces us that they are the real thing.

A perfect example of this happened just a few days ago in the State of Oregon.  Apparently, an employee clicked on a Phishing E-mail (I am not sure whether it was a malicious link or an attachment).  This left a huge, covert hole through which the Cyber attacker could seize this employee's computer and use it as a so-called "Zombie".

From this point onwards, this "Zombie" computer could be used to launch a Botnet-style attack in which hundreds upon hundreds of other computers are infected at almost the same time, seconds apart from one another.  This is exactly what happened here: the State of Oregon's entire IT Infrastructure and computing systems were hit with over 8,000,000 spam E-Mail messages.

This not only led other state employees to click on the E-Mail and create further havoc, but it also brought the servers down, choking them to the point where they could barely process requests from state employees or from members of the public trying to obtain information or public services from the state's computing systems.

But here is the worst part: the Oregon.gov e-mail domain has been blacklisted by many major E-Mail Providers and Internet Service Providers, including the likes of MSN, Hotmail, Gmail, Ymail, Google, Yahoo, Outlook, etc.  What this means is that state employees cannot use their work E-Mail addresses to communicate with others, either internally or with the public, because their messages are rejected before they ever reach the recipient's inbox.

The Technology Department at the State of Oregon is of course scrambling at this very moment to get the issue fixed and the domain taken off the blacklist, so that matters of the state and other business can continue.  In the meantime, the Department of Administrative Services (DAS) has asked state employees to use their personal e-mail addresses or other alternative means to conduct their work and communicate with others.

OK, so this is what I don't quite understand.  Why would state employees use their own E-Mail addresses?  I get the urgency of getting work done so that there is no state government shutdown or anything like that, but using personal E-Mail addresses is just yet another way for another large-scale Phishing attack to start up all over again.

The primary reason is that Cyber attackers are notorious for hacking into personal E-Mail accounts, which sit outside the organization's own controls (its filtering, logging and login protections), and getting access to the address book.  From there they use that contact information to create other E-Mail messages that look just as genuine but are malicious in nature.

So, the way I see it, hardly will one major problem get resolved before a new one starts, in a never-ending cascade of Cyber-attacks.

Perhaps the best thing for the State of Oregon to do would be to suspend all non-critical government functions until Oregon.gov gets off the blacklist.  Another option, down the road, would be for the state to create its own database of alternative E-Mail addresses that can be activated on an emergency basis if this were ever to happen again (and hopefully it will not!).

Another side effect of this fiasco is what is known as a "Supply Chain" type of attack.  It is best explained by this quote: "Attackers love to steal users' email log-in credentials from organizations such as the state of Oregon as this access can be used to quickly pivot the attack to breach other organizations that regularly do business with the state."  (SOURCE:  https://cyware.com/news/oregongov-domain-gets-blacklisted-after-another-government-employee-falls-for-phishing-email-3d941f37).

What this means is that other business entities, nonprofits, external government agencies, etc. are also all at risk of having their E-Mail address books harvested and/or falling victim to a large-scale Phishing attack like the one that happened here.  So these organizations need to be cognizant of what transpired as well, and keep their guard up, probably even at higher levels, since a message from a known state contact is exactly what a phisher with stolen credentials will send.

But this whole story brings up yet another critical issue: the after-effects that a business entity may experience from a large-scale Phishing attack.  Sure, the first priority is to recover operations as quickly as possible, find out what the damage has been, mitigate it, and then determine how this whole thing happened.  But it never occurred to me that a domain name could be blacklisted in this manner.

I used to work for a company doing lead generation, and lo and behold, its domain name got blacklisted as well.  We suffered some downtime and had some unpaid time off for a couple of days, but fortunately we were able to get off the blacklist very quickly.

Thus, it is very important for a business or corporation to include in its Phishing Incident Response Playbook contingency plans for the possibility of its business domain being blacklisted: which servers and services send mail on the domain's behalf, how to stop an outbound flood quickly, and how to request delisting from each provider.

Getting off a blacklist can be a very time-consuming and frustrating task, and it can take even longer than resuming normal business operations after the Phishing Attack itself.  So, business owners, take heed of what has happened to the State of Oregon, and make sure you put this in your Disaster Recovery plans as well.
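The first step in that contingency plan is knowing whether you are listed at all, and where.  The script below is an added example written for this page (it is not code from the original post or from the State of Oregon) that checks a sending IP against the Spamhaus ZEN list and a domain against the Spamhaus DBL using the standard DNSBL query convention: reverse the address, append the zone name, and read the 127.x.x.x answer.  Zone names and return codes are the published Spamhaus ones; the IP addresses, domain and the fake resolver answers are constructed for the demonstration and do not describe any real listing.

```python
"""Check a sending IP or mail domain against public DNS blocklists (DNSBLs).

Added example for the playbook item above; not code from the original post.
Zone names and return codes follow the published Spamhaus ZEN/DBL conventions.
The addresses, domain and fake resolver table are constructed for illustration.
"""
import ipaddress
import socket
from typing import Any, Callable, Dict, List

# A resolver maps a DNS name to its A-record strings; [] means NXDOMAIN.
Resolver = Callable[[str], List[str]]

# Meaning of the loopback answers each zone returns. Other DNSBLs use the same
# query shape but their own code tables, so extend this dict per zone.
ZONE_CODES: Dict[str, Dict[str, str]] = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: direct spam source",
        "127.0.0.3": "SBL CSS: snowshoe or compromised host",
        **{f"127.0.0.{n}": "XBL: exploited or infected host" for n in (4, 5, 6, 7)},
        "127.0.0.10": "PBL: end-user IP space (ISP maintained)",
        "127.0.0.11": "PBL: end-user IP space (Spamhaus maintained)",
    },
    "dbl.spamhaus.org": {
        "127.0.1.2": "spam domain",
        "127.0.1.4": "phish domain",
        "127.0.1.5": "malware domain",
        "127.0.1.6": "botnet C&C domain",
        "127.0.1.102": "abused legitimate domain: spam",
        "127.0.1.104": "abused legitimate domain: phish",
        "127.0.1.105": "abused legitimate domain: malware",
        "127.0.1.106": "abused legitimate domain: botnet C&C",
    },
}

# These answers mean the query itself was refused, NOT that the target is listed.
QUERY_REJECTED = {
    "127.0.1.255": "an IP address was queried against the domain list",
    "127.255.255.252": "malformed query name (typo in the zone?)",
    "127.255.255.254": "query came via an open/public resolver; use your own",
    "127.255.255.255": "query volume limit exceeded",
}


def query_name(target: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets, reversed IPv6 nibbles,
    or the bare domain, each followed by the zone."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP, so treat it as a domain (DBL-style lookup)
        return f"{target.strip().rstrip('.').lower()}.{zone}"
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def resolve_a(name: str) -> List[str]:
    """Live resolver: A records of name, or [] on NXDOMAIN (i.e. not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(target: str, zone: str, resolve: Resolver = resolve_a) -> Dict[str, Any]:
    """Query one zone and classify each answer as a listing, a refusal, or noise."""
    result: Dict[str, Any] = {"target": target, "zone": zone,
                              "listed": False, "reasons": [], "errors": []}
    for code in resolve(query_name(target, zone)):
        if code in QUERY_REJECTED:
            result["errors"].append(f"{code}: {QUERY_REJECTED[code]}")
        elif code in ZONE_CODES.get(zone, {}):
            result["listed"] = True
            result["reasons"].append(f"{code}: {ZONE_CODES[zone][code]}")
        elif code.startswith("127."):
            result["listed"] = True  # a listing with a code not in our table
            result["reasons"].append(f"{code}: listed (code not in local table)")
        else:
            # DNSBLs only answer inside 127/8; anything else is DNS interference
            # (captive portal, wildcarding resolver), not a hit.
            result["errors"].append(f"{code}: unexpected answer outside 127.0.0.0/8")
    return result


def audit(targets: List[str], resolve: Resolver = resolve_a) -> List[Dict[str, Any]]:
    """Check each sending IP against ZEN and each domain against DBL."""
    results = []
    for target in targets:
        try:
            ipaddress.ip_address(target)
            zone = "zen.spamhaus.org"
        except ValueError:
            zone = "dbl.spamhaus.org"
        results.append(check(target, zone, resolve))
    return results


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver backed by a dict, for tests and playbook dry runs."""
    return lambda name: list(table.get(name, []))


# Constructed answers using RFC 5737 / RFC 2606 example names; not real listings.
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # infected host
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],           # refused, not listed
    "example.org.dbl.spamhaus.org": ["127.0.1.104"],              # abused domain: phish
}

if __name__ == "__main__":
    targets = ["192.0.2.10", "192.0.2.1", "203.0.113.5", "example.org"]
    for r in audit(targets, fake_resolver(SAMPLE_ANSWERS)):
        state = "LISTED" if r["listed"] else "clean"
        print(f"{r['target']:>14} @ {r['zone']}: {state} {r['reasons'] or r['errors']}")
```

Two practical caveats when running this for real.  Point it at your own recursive resolver rather than a public one, because Spamhaus answers 127.255.255.254 (a refusal, not a listing) to queries arriving through open resolvers, which is why the script keeps refusals separate from hits.  And a public DNSBL is only part of the picture: the provider-side blocks described above (Gmail, Outlook and the like) live in each provider's own reputation system and show up as SMTP bounce codes and in their postmaster tools, not in these zones.  Either way, delisting only sticks once the compromised account or host that produced the flood has been cleaned up.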