DHS warns of spear-phishing campaign against energy companies

Attackers used information from company website to craft attacks

The Department of Homeland Security (DHS) has a warning for organizations that post a lot of business and personal information on public web pages and social media sites: Don't do it.

Phishers, the agency said in an alert this week, look for such information and use it to craft authentic-looking emails aimed at fooling people in large organizations into opening and downloading things they shouldn't.

The alert was prompted by an incident last October in which 11 companies in the energy sector were targeted in a sophisticated spear-phishing campaign apparently aimed at breaching their network security.

The phishing campaign was made possible to a large extent by information posted publicly by an energy company listing attendees at a recent conference. The employee names, email addresses, organizational affiliations and work titles so helpfully posted by the company were used by spear-phishers to launch customized attacks against energy sector companies.

Malicious emails that appeared to be from one of the attendees were sent to others on the list informing them of a change in the sender's email address. Recipients were politely asked to click on an attached link that promptly took them to a site containing malware.
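The lure described above has a recognizable shape a mail gateway can check for: a display name that matches someone on the published attendee list, a From address that does not match the address published for that person, and a body that announces a changed address and carries a link. The following heuristic is an added example, not code from DHS, ICS-CERT or any affected company; the attendee directory, addresses and messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the conference attendee list the article describes:
# display name -> the address the organization published for that person.
ATTENDEE_DIRECTORY = {
    "Dana Reyes": "dana.reyes@example-utility.test",
    "Lee Okafor": "lee.okafor@example-grid.test",
}

# Phrases typical of the "my email address has changed" lure, plus any URL.
CHANGE_PATTERN = re.compile(
    r"(e-?mail\s+address\s+(has\s+)?changed|new\s+e-?mail\s+address|changed\s+(my\s+)?e-?mail)",
    re.I,
)
LINK_PATTERN = re.compile(r"https?://\S+", re.I)


def _text_body(msg) -> str:
    """Collect the text/plain content of a parsed message (multipart or not)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message resembles the address-change lure."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    body = _text_body(msg)
    reasons = []
    published = ATTENDEE_DIRECTORY.get(display_name)
    if published and addr.lower() != published.lower():
        reasons.append(f"name '{display_name}' is on the attendee list, but From is {addr}, not {published}")
    if CHANGE_PATTERN.search(body):
        reasons.append("body announces a changed email address")
    if LINK_PATTERN.search(body):
        reasons.append("body contains a link")
    return reasons


def is_suspicious(raw: str) -> bool:
    """Flag only when a known name arrives from an unexpected address AND a lure signal is present."""
    reasons = score_message(raw)
    return any("attendee list" in r for r in reasons) and len(reasons) >= 2


# Constructed sample messages: one mimicking the campaign's lure, one benign.
LURE = """From: Dana Reyes <dana.reyes@mail-update.test>
To: Lee Okafor <lee.okafor@example-grid.test>
Subject: New contact details

Hi Lee, my email address has changed after the conference.
Please update your records here: http://contact-update.test/dana
"""

LEGIT = """From: Dana Reyes <dana.reyes@example-utility.test>
To: Lee Okafor <lee.okafor@example-grid.test>
Subject: Slides

Lee, attaching the slides from my talk. Let me know if you need the data.
"""
```

Run against a real mail stream, the directory would be the organization's own published contact list, and a hit is a reason to hold the message for review rather than proof of malice.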

"Luckily no known infections or intrusions occurred," the DHS said in its alert. The alert did not specify whether the attack failed because of luck or because the energy companies had tools in place for detecting and removing the malware.

"Publicly accessible information commonly found on social media, as well as professional organization and industry conference Web sites is a recognized resource for attackers performing reconnaissance activities," the DHS said in its latest edition of the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) Monitor. Previous experience has shown that such information allows spear-phishers to craft more convincing, and more successful, campaigns.

Organizations that want to limit their exposure should consider minimizing the amount of data -- email addresses, titles, internal project names and organizational structure -- available online. "If information exists on other Web sites, contact the Web site owner and ask that it be removed," the agency urged.

As basic as the threat might sound, spear-phishing campaigns have proved to be a highly effective way for attackers to gain a foothold in enterprise networks in recent years.

Numerous organizations, including Sony, RSA Security, the Oak Ridge National Laboratories, Pacific Northwest National Laboratory (PNNL), Epsilon Interactive and several government agencies have been breached, often in spectacular fashion, as a result of spear-phishing campaigns.

Many of the attacks have been carefully planned and targeted at senior company executives and others with broad network access privileges. Often, all the attackers need is for one email recipient to fall for the scam and click on a malicious link or open a malicious attachment. Once inside the network, the attackers have been able to move around with at least the same level of access the compromised user had. Usually, they then use that access to open more doors and let more sophisticated malware into a network.

For instance, a massive data breach that exposed more than 3.5 million Social Security numbers at the South Carolina Department of Revenue and cost the state millions of dollars in breach notification and remediation costs began after a single user clicked on an embedded link in a spear-phishing email.

Spear-phishing campaigns have been so successful, in fact, that there is an active underground market for email addresses and other personal data of senior corporate executives. Security vendor Webroot has a blog post today that reports on cybercriminals selling valid business card data of senior executives at numerous major companies, including Audi, Ralph Lauren, Coca-Cola, Bloomberg and others.

The data was apparently obtained through valid business cards and included information on 508 executives of multinational firms based in Russia.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.


Copyright © 2013 IDG Communications, Inc.
