Utility companies have been warned not to share information such as email addresses on company websites, after a spear-phishing attack on an American electricity company. The attack used a published list of attendees at a committee meeting to target employees with a malware-infected phishing email. The company site had listed the email addresses and work titles of everyone at a meeting - which was enough information for cyber-criminals to craft a convincing-looking tailored attack directed at the company.
The list of attendees was used to send the group malicious emails informing them of a change of email address and asking them to click a link, which led to malware. There were "at least 11" targets of the attack, which occurred in October 2012. The attack was thwarted, and was documented in this month's Monitor report from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
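The lure described above combines two things a mail gateway or analyst can check for: a notice about an email-address change, and a link that points outside the sender's own domain. The following is an added example of that triage heuristic, not code from ICS-CERT, ESET or the affected utility; the sample messages, sender addresses and domains in it are constructed for illustration.

```python
"""Heuristic triage of an inbound email for the lure pattern described in the
ICS-CERT case: a notice of an "email address change" that asks the reader to
click a link pointing outside the sender's own domain.

Added example for this page, not code from ICS-CERT or ESET. All sample
messages, sender addresses and domains below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Phrases typical of the lure the report describes (constructed, not from the report).
LURE_PHRASES = (
    "change of email address",
    "email address has changed",
    "update your email",
    "new email address",
)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def sender_domain(from_addr: str) -> str:
    """Return the lower-cased domain part of an address like 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_addr)
    return match.group(1).lower().rstrip(".") if match else ""


def link_hosts(body: str) -> list[str]:
    """Extract the hostnames of all http(s) links in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def same_org(host: str, domain: str) -> bool:
    """True if host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(msg: dict) -> list[str]:
    """Return the list of indicators raised for one message (empty = nothing seen)."""
    indicators = []
    domain = sender_domain(msg["from"])
    body_lower = msg["body"].lower()
    hosts = link_hosts(msg["body"])

    lure = any(p in body_lower for p in LURE_PHRASES)
    if lure:
        indicators.append("lure: email-address-change notice")

    # Lookalike domains (e.g. the sender's name with a suffix) fail this check,
    # because they are not the sender domain or a subdomain of it.
    external = [h for h in hosts if not same_org(h, domain)]
    if external:
        indicators.append(f"link outside sender domain: {', '.join(external)}")

    # A raw IP address in a link is unusual for a legitimate corporate notice.
    if any(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h) for h in hosts):
        indicators.append("link uses a bare IP address")

    # The combination seen in the report: lure text plus an off-domain link.
    if lure and external:
        indicators.append("HIGH: lure text combined with off-domain link")
    return indicators


# Constructed sample messages (not the real attack emails).
SAMPLES = [
    {
        "from": "IT Helpdesk <helpdesk@example-utility.test>",
        "body": "Please note our change of email address. Confirm your account at "
                "http://example-utility-login.test/confirm",
    },
    {
        "from": "HR <hr@example-utility.test>",
        "body": "The committee minutes are posted at "
                "https://intranet.example-utility.test/minutes",
    },
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["from"], "->", triage(sample) or ["clean"])
```

The heuristic is deliberately simple: it raises a high-severity indicator only when the lure wording and an off-domain link occur together, which is the combination the report describes, and it treats subdomains of the sender's own domain as internal so that ordinary intranet links do not trip it.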
“This publicly available information gave the attacker the company knowledge necessary to target specific individuals,” said ICS-CERT’s report. “Publicly accessible information commonly found on social media, as well as professional organization and industry conference Web sites, is a recognized resource for attackers performing reconnaissance activities.”
“With this information, attackers can craft convincing spear phishing and have a higher likelihood of successfully convincing the targeted individual to click on the malicious link or attachment.”
Other recent ESET phishing stories, including advice on best security practice, can be found here.