According to an account in the latest edition of the ICS-CERT Monitor, a (luckily unsuccessful) spear-phishing campaign was recently launched against 11 companies in the energy sector after a list of the attendees at a committee meeting was published on the utility's website.
The list contained the names, job titles, company affiliations and email addresses of the attendees, and that was all the attackers needed. Impersonating one of the people on the list, they sent a specially crafted email to the rest, notifying them of a change in the sender's email address and asking them to click on the included link, which led to a website serving malware.
The report does not say whether the attacks were unsuccessful because the targeted email recipients recognized the spear-phishing emails for what they were, whether the emails were caught by the organizations' defenses, or whether it was pure luck that the recipients didn't follow the malicious instructions.
Still, the example illustrates perfectly how seemingly innocuous information can be effectively used to mount attacks.
"In order to reduce the likelihood of becoming a victim of spear-phishing attacks, minimize the business-related and personal information on social media Web sites," ICS-CERT advises. "Business-related information could include job title, company email, organizational structure, and project names. If information exists on other Web sites, contact the Web site owner and ask that it be removed."
Spear-phishing has become the preferred initial step of attackers looking to gain a foothold into an organization, as it targets the weakest link in most security chains: the human.