DHS warns of spear-phishing campaign against energy companies
Attackers used information from company website to craft attacks
Computerworld - The Department of Homeland Security (DHS) has a warning for organizations that post a lot of business and personal information on public web pages and social media sites: Don't do it.
Phishers, the agency said in an alert this week, look for such information and use it to craft authentic looking emails aimed at fooling people in large organizations into opening and downloading things they shouldn't.
The alert was prompted by an incident last October in which 11 companies in the energy sector were targeted in a sophisticated spear-phishing campaign apparently aimed at breaching their network security.
The phishing campaign was made possible to a large extent by information posted publicly by an energy company listing attendees at a recent conference. The employee names, email addresses, organizational affiliations and work titles so helpfully posted by the company were used by spear-phishers to launch customized attacks against energy sector companies.
Malicious emails that appeared to be from one of the attendees were sent to others on the list informing them of a change in the sender's email address. Recipients were politely asked to click on an attached link that promptly took them to a site containing malware.
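The lure described above has two recognizable traits: a sender posing as a known contact but writing from a domain that contact does not normally use, and "I changed my address" wording paired with a link. The heuristic below, an added example that is not from the ICS-CERT alert or from Computerworld, screens inbound messages for exactly those traits. It assumes a hypothetical contact directory (display name to expected domain) that a mail-gateway or SOC team would maintain; the sample messages are constructed for the example.

```python
"""Screen inbound mail for 'my e-mail address has changed' lures.

Added example (not from the alert or the article). Assumes a directory of
known contacts mapping display name -> expected sending domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical contact directory built from the conference attendee list.
KNOWN_CONTACTS = {
    "Alice Example": "utility-a.example",
    "Bob Sample": "grid-b.example",
}

# Wording the alert describes: a notice of a new/changed e-mail address.
CHANGE_PHRASES = re.compile(r"\b(new|changed|updated)\s+(e-?mail\s+)?address\b", re.I)
LINK_RE = re.compile(r"https?://[^\s<>\"]+", re.I)


def _body_text(msg) -> str:
    """Collect the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return the reasons a message looks like an address-change lure.

    A message is flagged 'suspicious' when at least two independent traits
    line up, so a legitimate address change without a link is not flagged.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = _body_text(msg)
    reasons = []

    # Trait 1: display name of a known contact, but an unexpected sending domain.
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        reasons.append(f"display name '{name}' expected from {expected}, sent from {domain}")

    # Trait 2: the 'new address' pretext.
    if CHANGE_PHRASES.search(body):
        reasons.append("address-change wording in body")

    # Trait 3: a link the recipient is asked to follow.
    links = LINK_RE.findall(body)
    if links:
        reasons.append(f"{len(links)} link(s) in body")

    return {"from": addr, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample messages (not real traffic).
LURE = """From: Alice Example <alice.example@free-mail.example>
To: bob.sample@grid-b.example
Subject: My new e-mail address
Content-Type: text/plain

Hi Bob, I have a new email address. Please update your records here:
http://update-contact.example/profile
"""

BENIGN = """From: Alice Example <alice@utility-a.example>
To: bob.sample@grid-b.example
Subject: Slides from the conference
Content-Type: text/plain

Bob, the slides are attached as discussed. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_message(raw))
```

Requiring two traits rather than one keeps the rule usable: a colleague who really has moved to a new address, or a normal message carrying a link, trips only one check. The directory lookup is also the piece worth investing in, because the alert's whole point is that the attacker built the same attendee list from public sources; a defender who holds that list can turn it into an allow-list of expected sending domains.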
"Luckily no known infections or intrusions occurred," the DHS said in its alert. The alert did not specify whether the attack failed because of luck or because the energy companies had tools in place for detecting and removing the malware.
"Publicly accessible information commonly found on social media, as well as professional organization and industry conference Web sites is a recognized resource for attackers performing reconnaissance activities," the DHS said in its latest edition of the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) Monitor. Previous experience has shown that such information allows spear-phishers to craft more convincing, and more successful, campaigns.
Organizations that want to limit their exposure should consider minimizing the amount of data -- email addresses, titles, internal project names and organizational structure -- available online. "If information exists on other Web sites, contact the Web site owner and ask that it be removed," the agency urged.
As basic as the threat might sound, spear-phishing campaigns have proved to be a highly effective way for attackers to gain a foothold in enterprise networks in recent years.
Numerous organizations, including Sony, RSA Security, the Oak Ridge National Laboratories, Pacific Northwest National Laboratory (PNNL), Epsilon Interactive and several government agencies have been breached, often in spectacular fashion, as a result of spear-phishing campaigns.
Many of the attacks have been carefully planned and targeted at senior company executives and others with broad network access privileges. Often, all the attackers need is for one email recipient to fall for the scam and click on a malicious link or open a malicious attachment. Once inside the network, the attackers have been able to move around with at least the same level of access the compromised user had. Usually, they then use that access to open more doors and let more sophisticated malware into a network.
For instance, a massive data breach that exposed more than 3.5 million Social Security numbers at the South Carolina Department of Revenue and cost the state millions of dollars in breach notification and remediation costs began after a single user clicked on an embedded link in a spear-phishing email.
Spear-phishing campaigns have been so successful, in fact, that there is an active underground market for email addresses and other personal data of senior corporate executives. Security vendor Webroot has a blog post today that reports on cybercriminals selling valid business card data of senior executives at numerous major companies, including Audi, Ralph Lauren, Coca-Cola, Bloomberg and others.
The data was apparently obtained through valid business cards and included information on 508 executives of multinational firms based in Russia.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.