Corporate Phishing Scam Linked to Online Over-Sharing
Social media sites and corporate websites are convenient places for companies to connect with customers and employees.
But according to a new Department of Homeland Security (DHS) alert, such sites are also a breeding ground for phishing scams.
The latest quarterly report published by the DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that information published on a company website helped the attackers who recently conducted a spear-phishing campaign against 11 U.S. utility companies.
The campaign, which began and ended in October 2012, used that publicly available information to craft malicious emails to employees of those companies, making the messages appear to come from friends or colleagues.
It's who you know
According to the DHS, the seeds of the phishing campaign were planted when an electrical utility used its website to post a list of attendees at an industry meeting.
The list offered up a wealth of information to scammers. Employee names, company email addresses, company affiliations and work titles were all publicly displayed.
The information let the attackers send emails tailored to specific individuals within each company, probably by "spoofing" the sender address so that the messages appeared to come from people who had been at the meeting.
Social media sites, especially the business-networking site LinkedIn, are also valuable resources for phishers.
Experts who gave a briefing at a recent security conference in San Francisco said the devastating hack into security-token-maker RSA's databases in March 2011 began when attackers used LinkedIn to identify four low-level employees who were likely to know one another.
The attackers then sent an email message with a malicious attachment to three employees, and spoofed the sender's address so that the message seemed to come from the fourth.
Lucky this time
In the more recent attack, some of the emails received by utility company employees included links to sites containing malware.
Another email with a malicious attachment may have been associated with the same campaign, the DHS report noted.
ICS-CERT investigated the phishing scam and found that no infections or intrusions had occurred.
However, the DHS warned that information posted on company websites and social media pages is a known resource for attackers performing reconnaissance activities.
To reduce the likelihood of becoming a victim of a spear-phishing attack, companies should keep sensitive personal and business-related information off publicly accessible sites, the DHS said.
Job titles, company email addresses, organizational structure, and project names might seem like harmless bits of information, especially when posted on LinkedIn.
However, they allow scammers to craft highly targeted deceptive emails, which are more likely to be opened than messages that are obviously spam.
To avoid such scams, employees should treat unexpected email with caution: don't click on links or open attachments in unsolicited messages, and if an email seems suspicious, report it to your company's help desk.
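The sender spoofing described in the utility and RSA cases above, and the "don't trust unsolicited links or attachments" advice here, can both be turned into a mechanical triage check. The following is an added example written for this page, not code from DHS, ICS-CERT or any vendor. It parses raw email headers and body and flags the tell-tales of a lookalike-colleague message: a display name that matches a known colleague but an address that does not, a From address on the company domain whose Return-Path or Reply-To points elsewhere, links to hosts outside the company, and any attachment. The company domain, the colleague directory and the three sample messages are all constructed for the example.

```python
"""Header-and-link triage for lookalike-sender spear-phishing.

Added example for this article; the domain, the directory and the sample
messages below are constructed, not taken from any real incident.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed company domain and a stub of the staff directory (constructed).
INTERNAL_DOMAIN = "example-utility.com"
KNOWN_COLLEAGUES = {
    "Dana Reyes": "dana.reyes@example-utility.com",
}

LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal_host(host):
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def triage(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)

    # 1. A known colleague's display name on an address the directory does not
    #    list: the classic lookalike-domain or free-mail impersonation.
    expected = KNOWN_COLLEAGUES.get(from_name)
    if expected and expected.lower() != from_addr.lower():
        findings.append(
            f"display name '{from_name}' does not match directory address {expected}")

    # 2. From claims to be internal, but the envelope sender or Reply-To
    #    routes replies and bounces to a different domain (header spoofing).
    if from_dom == INTERNAL_DOMAIN:
        for label, addr in (("Return-Path", return_addr), ("Reply-To", reply_addr)):
            if addr and domain_of(addr) != INTERNAL_DOMAIN:
                findings.append(
                    f"{label} domain {domain_of(addr)} differs from From domain")

    # 3. Links in the body that leave the company domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in LINK_RE.findall(text):
        if not is_internal_host(host):
            findings.append(f"link to external host {host}")

    # 4. Any attachment at all; the reader decides whether it was expected.
    for part in msg.iter_attachments():
        findings.append(f"attachment {part.get_filename()}")

    return findings


# Constructed sample: exact-address spoof with an external relay and link.
SAMPLE_SPOOF = """\
From: Dana Reyes <dana.reyes@example-utility.com>
Return-Path: <bounce@mailer-relay.net>
Reply-To: dana.reyes@mailer-relay.net
To: sam.ortiz@example-utility.com
Subject: Slides from last week's meeting
Content-Type: text/plain; charset="us-ascii"

Sam, good seeing you at the meeting. Slides are at
http://files.mailer-relay.net/slides.zip
"""

# Constructed sample: lookalike domain (capital I in place of l).
SAMPLE_LOOKALIKE = """\
From: Dana Reyes <dana.reyes@example-utiIity.com>
To: sam.ortiz@example-utility.com
Subject: Quick question
Content-Type: text/plain; charset="us-ascii"

Can you resend the contact list from the meeting?
"""

# Constructed sample: a legitimate internal message.
SAMPLE_LEGIT = """\
From: Dana Reyes <dana.reyes@example-utility.com>
Return-Path: <dana.reyes@example-utility.com>
To: sam.ortiz@example-utility.com
Subject: Agenda
Content-Type: text/plain; charset="us-ascii"

Agenda is on the intranet: https://intranet.example-utility.com/agenda
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF),
                         ("lookalike", SAMPLE_LOOKALIKE),
                         ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

The check is deliberately conservative: it only flags what the article describes (a colleague's name on the wrong address, a spoofed internal sender, external links, attachments) and leaves the decision to the reader or help desk. In a real mail pipeline the Return-Path comparison would be backed by SPF/DKIM/DMARC results on the authenticated envelope rather than a header the sender can also forge.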