We’ve often reported that spear phishing is a favorite technique that attackers use to plant malware or otherwise gain unauthorized access to networks. Now the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Department of Homeland Security, reports on a spear phishing campaign in which the attackers readily found their intended targets’ contact information on a public website. Geez, could we make it any easier for the bad guys?
The following is from the ICS-CERT Monitor newsletter from the first quarter of 2013:
A recent spear-phishing campaign started and ended in October 2012, using publicly available information from an electric utility’s Web site to customize an attack against members of the Energy Sector. Employee names, company email addresses, company affiliations, and work titles were found on the utility’s Web site on a page that listed the attendees at a recent committee meeting. This publicly available information gave the attacker the company knowledge necessary to target specific individuals within the electric sector.
Malicious emails were crafted informing the recipients of the sender’s new email address and asking them to click on the attached link. This link led to a site that contained malware. Another email with a malicious attachment may also have been associated with this campaign.
ICS-CERT reports that 11 entities were targeted and no known intrusions or infections were discovered following the campaign—this time. Next time – and there likely will be a next time – they might not be so fortunate.
The United States Computer Emergency Readiness Team provides the following tips to avoid becoming a victim of spear phishing:
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don't send sensitive information over the Internet before checking a website's security.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.

I have one comment about that second-to-last point, about installing AV software, firewalls and email filters. Definitely do install these defenses, but don’t count on them to catch everything. See my recent post about the FireEye incident report, in which 89 million security events were detected after the traffic had already passed through firewalls and other screening devices.
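The tip about looking at the URL is the one in the list that lends itself to a mechanical check, and it is worth seeing what "a variation in spelling or a different domain" looks like when written down. The Python below is an added example for this post, not code from ICS-CERT or US-CERT; the trusted-domain list, the sample links and the confusable-character table are constructed for illustration. It classifies a link as trusted, lookalike or unknown by checking for a swapped top-level domain, digit-for-letter substitutions, near-miss spellings, a trusted name buried inside a longer hostname, and the `user@host` trick that shows the trusted name while connecting somewhere else.

```python
"""Flag links whose domain imitates one the recipient trusts.

Added example for the US-CERT tip about checking the URL.  Trusted domains,
sample links and the confusable table are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed: domains the recipient legitimately corresponds with.
TRUSTED_DOMAINS = {"example-utility.com", "example-committee.org"}

# Constructed table of characters commonly used to imitate letters.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.  A simple approximation; real tooling
    should consult the Public Suffix List so that example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Map lookalike characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link target."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # user:pass@host trick: the trusted name is displayed, but the browser
    # connects to whatever follows the '@'.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0].lower()
        if any(t in userinfo for t in TRUSTED_DOMAINS):
            return "lookalike"
    # Non-ASCII hostnames (IDN homographs) while every trusted name is ASCII.
    if not host.isascii():
        return "lookalike"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if "." not in domain:
        return "unknown"
    sld, tld = domain.rsplit(".", 1)
    for trusted in TRUSTED_DOMAINS:
        t_sld, t_tld = trusted.rsplit(".", 1)
        # Trusted name buried in a longer hostname: example-utility.com.evil.net
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike"
        # Same name, different top-level domain (.com vs .net).
        if sld == t_sld and tld != t_tld:
            return "lookalike"
        # Digit/letter substitutions and near-miss spellings.
        if fold_confusables(sld) == fold_confusables(t_sld):
            return "lookalike"
        if levenshtein(sld, t_sld) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://www.example-utility.com/meetings/attendees",
                 "https://example-utility.net/login",
                 "http://examp1e-utility.com/",
                 "http://example-utility.com.evil-host.net/",
                 "http://example-utility.com@evil-host.net/",
                 "https://unrelated-vendor.org/"]:
        print(f"{classify_url(link):9s} {link}")
```

Two caveats before using something like this on real mail: the two-label approximation of the registrable domain breaks on suffixes such as `.co.uk`, so use the Public Suffix List in practice, and the edit-distance threshold of 2 will produce false positives against short trusted names and should be tuned per organization. A "lookalike" verdict is a reason to verify the link out of band, exactly as the tips above say, not proof of an attack.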
If you think you might have fallen for a phishing attack, follow advice from US-CERT on what to do next.