April 16, 2013
A recent spear-phishing attack targeted 11 energy sector businesses in an effort to siphon information. This attack, while unsuccessful, shows the value of investing in email protection technologies.
Reported by Help-Net Security and initially identified by the ICS-CERT Monitor, the attacks were launched after a list of attendees at a committee meeting was published online. The list had work titles, company affiliations, email addresses and names of those who were attending – all the information attackers needed to unleash a spear-phishing campaign. According to Help-Net, it is unknown whether these attacks were caught by the organization or sniffed out by suspicious recipients, but it said this shows how seemingly innocent information can be used to exploit human judgment.
"In order to reduce the likelihood of becoming a victim of spear-phishing attacks, minimize the business-related and personal information on social media Web sites," ICS-CERT said. "Business-related information could include job title, company email, organizational structure, and project names. If information exists on other websites, contact the website owner and ask that it be removed."
Avoid the spear
Jim Hansen of PhishMe, a company that offers training aimed at avoiding phishing attacks, told Network World that while regular email phishing is not typically sophisticated, spear phishing can appear to come from a friend, family member, work department or other trusted source in order to pressure people into clicking the link. He gave some tips for avoiding spear-phishing emails, including not readily believing a phisher who claims to be someone else.
"Don't fall for what's being called the 'double-barreled phish,' in which you respond to the email with a question, such as 'Is this really my buddy Jim,'" he said. "Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, 'Yes, it's me, Jim.' Of course, it isn't Jim."
Other tips from Hansen include: