DHS warns of spear-phishing campaign against energy companies
Attackers used information from company website to craft attacks
Computerworld - The Department of Homeland Security (DHS) has a warning for organizations that post a lot of business and personal information on public web pages and social media sites: Don't do it.
Phishers, the agency said in an alert this week, look for such information and use it to craft authentic looking emails aimed at fooling people in large organizations into opening and downloading things they shouldn't.
The alert was prompted by an incident last October in which 11 companies in the energy sector were targeted in a sophisticated spear-phishing campaign apparently aimed at breaching their network security.
The phishing campaign was made possible to a large extent by information posted publicly by an energy company listing attendees at a recent conference. The employee names, email addresses, organizational affiliations and work titles so helpfully posted by the company were used by spear-phishers to launch customized attacks against energy sector companies.
Malicious emails that appeared to be from one of the attendees were sent to others on the list informing them of a change in the sender's email address. Recipients were politely asked to click on an attached link that promptly took them to a site containing malware.
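As an added illustration (not part of the Computerworld article or the DHS alert), the following Python sketch shows how a mail filter could flag the lure described above: a message whose display name matches a published attendee but whose address differs, announcing an "address change" and asking the reader to follow a link. The attendee roster and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical attendee roster (constructed sample data): the kind of
# name/address list the alert says was posted on a conference web site.
ATTENDEES = {
    "Alice Example": "alice@utility-a.example",
    "Bob Sample": "bob@utility-b.example",
}

# "new/changed email address" phrasing in either word order, within one sentence.
CHANGE_PHRASES = re.compile(
    r"\b(new|changed|updated)\b[^.\n]{0,40}\b(e-?mail|address)\b"
    r"|\b(e-?mail|address)\b[^.\n]{0,40}\b(new|changed|updated)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return the indicators present in a raw RFC 822 message (single-part text)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    indicators = []
    known = ATTENDEES.get(display.strip())
    if known and known.lower() != addr.lower():
        indicators.append("display name matches roster but address differs")
        if domain_of(known) != domain_of(addr):
            indicators.append("sender domain differs from roster domain")
    if CHANGE_PHRASES.search(text):
        indicators.append("address-change lure text")
    if LINK.search(text):
        indicators.append("contains link")
    return indicators

def is_suspicious(raw):
    """Flag only the combination that matches the campaign: impersonated attendee + address-change lure."""
    found = score_message(raw)
    return ("display name matches roster but address differs" in found
            and "address-change lure text" in found)

# Constructed sample messages: one mimicking the lure, one legitimate.
LURE = """From: Alice Example <alice.example@webmail.example>
To: bob@utility-b.example
Subject: My new email address

Hi Bob, please note my email address has changed. Update your contacts here:
http://contact-update.example/alice
"""
BENIGN = """From: Alice Example <alice@utility-a.example>
To: bob@utility-b.example
Subject: Slides from the conference

Hi Bob, here are the slides: http://utility-a.example/slides
"""
```

Running `is_suspicious(LURE)` returns True and `is_suspicious(BENIGN)` returns False; a link alone is not treated as an indicator of the campaign.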
"Luckily no known infections or intrusions occurred," the DHS said in its alert. The alert did not specify whether the attack failed because of luck or because the energy companies had tools in place for detecting and removing the malware.
"Publicly accessible information commonly found on social media, as well as professional organization and industry conference Web sites is a recognized resource for attackers performing reconnaissance activities," the DHS said in its latest edition of the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) Monitor. Previous experience has shown that such information allows spear-phishers to craft more convincing, and more successful, campaigns.
Organizations that want to limit their exposure should consider minimizing the amount of data -- email addresses, titles, internal project names and organizational structure -- available online. "If information exists on other Web sites, contact the Web site owner and ask that it be removed," the agency urged.
As basic as the threat might sound, spear-phishing campaigns have proved to be a highly effective way for attackers to gain a foothold in enterprise networks in recent years.
Numerous organizations, including Sony, RSA Security, the Oak Ridge National Laboratories, Pacific Northwest National Laboratory (PNNL), Epsilon Interactive and several government agencies have been breached, often in spectacular fashion, as a result of spear-phishing campaigns.
Many of the attacks have been carefully planned and targeted at senior company executives and others with broad network access privileges. Often, all the attackers need is for one email recipient to fall for the scam and click on a malicious link or open a malicious attachment. Once inside the network, the attackers have been able to move around with at least the same level of access the compromised user had. Usually, they then use that access to open more doors and let more sophisticated malware into a network.
For instance, a massive data breach that exposed more than 3.5 million Social Security numbers at the South Carolina Department of Revenue and cost the state millions of dollars in breach notification and remediation costs, began after a single user clicked on an embedded link in a spear-phishing email.
Spear-phishing campaigns have been so successful, in fact, that there is an active underground market for email addresses and other personal data of senior corporate executives. Security vendor Webroot has a blog post today that reports on cybercriminals selling valid business card data of senior executives at numerous major companies, including Audi, Ralph Lauren, Coca-Cola, Bloomberg and others.
The data was apparently obtained through valid business cards and included information on 508 executives of multinational firms based in Russia.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.