The FBI has some advice for law firms: Be careful.
The agency recently issued a warning alerting firms that what may appear to be e-mails from clients or contacts could instead be from hackers trying to infiltrate law firm databases.
The FBI says it has “high confidence” that hackers are targeting legal and public relations firms.
“Opening a message will not directly compromise the system or network because the malicious payload lies in the attachment or linked domain,” the warning reads. “Infection occurs once someone opens the attachment or clicks the link, which launches a self-executing file and, through a variety of malicious processes, attempts to download another file.”
Warnings like this are not new, said Todd D. Thorson, Chief Information Officer at Milwaukee-based Quarles & Brady LLP (www.quarles.com).
But they have increased “tenfold” in the last few years, he said, and that has prompted the firm to be more proactive with security measures.
Thorson said Quarles has several “back-end” measures designed to identify threats, including two types of anti-virus software, but there is no guarantee that everything will be caught.
“I don’t feel we’ve been infected, but I don’t know,” he said.
It’s no surprise that law firms are being targeted, said Rohyt Belani, co-founder of the New York-based Intrepidus Group, an information security consulting and software company. “If I can get on a senior partner’s machine or the system administrator’s machine, I’ll get access to the keys to the kingdom for the entire network. A law firm is a place where a lot of sensitive data for different [companies] is collected.”
While most Internet users are savvy enough to ignore suspicious messages peddling Viagra or asking for bank or credit card information, Belani said, hackers craft messages aimed at specific targets.
“They’ll spend a lot of time on the firm’s Web site, LinkedIn and Facebook pages so they can learn as much as they can about the people who work there and their targets, where they live and their social life. Then they’ll craft a handful of e-mails for four people,” Belani said. “Maybe they know you attended a conference, so they’ll send you an e-mail that looks like it’s from the organizers.”
Thorson said one “phishing scam” targeted Intellectual Property lawyers at the firm. E-mails were disguised as important messages from the United States Patent and Trademark Office.
“We didn’t get hit, but I think the primary reason why other scams have worked is because attorneys are always concerned about compliance,” he said. “A successful phisher finds that hot button for a specific group and targets it.”
Belani cautioned users to be wary about opening attachments and clicking on links in e-mails.
“The first thing we do is train people to have a certain level of suspicion around e-mail,” he said. “We tell people don’t click on active links on e-mails. If you think your bank is sending you an e-mail with an offer, go to their Web site and log in. They’ll have the same offer on their site.”
In addition, Belani says, users should keep in mind that just because a legitimate-looking URL is spelled out in an e-mail doesn’t mean that clicking on it will take a user to that site.
“Just because it has Citibank in the URL doesn’t mean it takes you to Citibank.com. A URL like intranet.citibank.corpsecurity.com is not a real link to Citibank,” he warned.
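The subdomain trick Belani describes can be checked mechanically: what matters is the registrable domain (the label just left of the public suffix), not whether the brand name appears somewhere in the host. The following is an added illustration, not code from the article or from Intrepidus Group; it assumes a deliberately tiny suffix list (a real check would use the full Public Suffix List) and treats any URL that mentions the brand but resolves to a different registrable domain as a lure.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately small suffix list for this example only.
# Assumption: a production check would load the full Public Suffix List.
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk"}


def _hostname(url: str) -> str:
    """Extract the host, tolerating bare hosts without a scheme.
    urlsplit drops any user@ prefix, so 'citibank.com@evil.com' -> 'evil.com'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of the URL's host, or None.
    For intranet.citibank.corpsecurity.com this is corpsecurity.com."""
    labels = _hostname(url).split(".") if _hostname(url) else []
    # Try the longer suffix first so mail.example.co.uk -> example.co.uk.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def looks_like_brand_lure(url: str, brand_domain: str) -> bool:
    """True when the brand name appears anywhere in the URL (the bait)
    but the link actually lands on a different registrable domain."""
    brand = brand_domain.split(".")[0].lower()
    return brand in url.lower() and registrable_domain(url) != brand_domain.lower()


if __name__ == "__main__":
    # Constructed sample links modelled on the example quoted in the article.
    for link in ("https://www.citibank.com/login",
                 "http://intranet.citibank.corpsecurity.com/reset",
                 "https://www.citibank.com@evil.com/"):
        print(link, "->", registrable_domain(link),
              "LURE" if looks_like_brand_lure(link, "citibank.com") else "ok")
```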
Belani’s company has its corporate clients send out “phishing” messages to their own employees to make sure they know how to spot them. If employees click on suspicious links in the messages, it means they need more training, he said.
Thorson said the firm is debating the need to further educate lawyers on Internet etiquette.
“Obviously, if we determine that those actions which have been historically successful start to fail us, we will adjust and have to arm twist attorneys into attending training or deploy additional software,” he said.