ICS-CERT Reports On Phishing Campaign Against 11 Energy Sector Companies

April 05, 2013

Posted in: Network Security Trends

A spear phishing campaign, seeking to leverage public information to ensnare its victims, was reportedly leveled against 11 different energy sector firms, according to a recent report.

The latest edition of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Monitor, a quarterly publication, said that information — employee names, email addresses, company affiliations and more — was available on an energy utility’s website and utilized to craft malicious emails informing the recipients of the senders’ new email address and asking potential victims to click on an attached link. The link would then deliver malware onto the network.

This real-life incident mirrors an experiment conducted in January by open-source intelligence expert Tyler Klinger of Critical Intelligence and Scott Greaux of PhishMe, in which phony emails were sent to three real-world gas and electric utilities. They found that 26 percent of employees who received the bogus attachment clicked on the link.

Luckily for these eleven energy sector companies, the real campaign — which began and ended last October — resulted in no known infections, according to ICS-CERT.

The agency recommends a common-sense approach to avoiding these phishing schemes, suggesting users not click on attachments from unsolicited emails. It also asks that utilities and other critical infrastructure sector companies “minimize the amount of business-related and personal information — such as job title, company email and project names — on social media Web sites.”

In addition to the phishing campaign, ICS-CERT also reported on a number of watering hole attacks — which compromise legitimate websites with malware in an attempt to infect site visitors — that took advantage of two vulnerabilities, including a zero-day exploit affecting Microsoft IE versions 6, 7 and 8. This zero-day figured into the recent January watering hole attacks against the Council on Foreign Relations (CFR) website and the Capstone Turbine Company, according to the report.

According to ICS-CERT, numerous site visitors were infected as a result of this watering hole exploit. Since being informed, both websites removed the known malware and Microsoft issued a subsequent patch to remedy the vulnerability.

Coincidentally, the latest Microsoft Security Bulletin Advance Notification for April 2013 lists nine patches set to be released next Tuesday, including one IE exploit deemed “critical.”
