Spear-phishing emails targeting energy companies
Posted on 08 April 2013.
Information over-sharing can lead to cleverly executed and dangerous spear-phishing campaigns, warn the US Department of Homeland Security and ICS-CERT.


According to an account in the latest edition of the ICS-CERT Monitor, a (luckily unsuccessful) spear-phishing campaign was recently launched against 11 companies in the energy sector after a list of the attendees at a committee meeting was published on the utility's website.

The list contained the names, work titles, company affiliations and email addresses of the attendees, and that was all the attackers needed. Impersonating one of the people on the list, they sent a specially crafted email to the rest, notifying them about a change of the sender's email address and asking them to click on the attached link to a website serving malware.

The report does not say whether the attacks were unsuccessful because the targeted email recipients recognized the spear-phishing emails for what they were, whether the emails were caught by the organizations' defenses, or whether it was pure luck that the recipients didn't follow the malicious instructions.

Still, the example illustrates perfectly how seemingly innocuous information can be effectively used to mount attacks.

"In order to reduce the likelihood of becoming a victim of spear-phishing attacks, minimize the business-related and personal information on social media Web sites," ICS-CERT advises. "Business-related information could include job title, company email, organizational structure, and project names. If information exists on other Web sites, contact the Web site owner and ask that it be removed."

Spear-phishing has become the preferred initial step of attackers looking to gain a foothold in an organization, as it targets the weakest link in most security chains: the human.









COPYRIGHT 1998-2014 BY HELP NET SECURITY.