April 05, 2013, 4:27 PM — The Department of Homeland Security (DHS) has a warning for organizations that post a lot of business and personal information on public web pages and social media sites: Don't do it.
Phishers, the agency said in an alert this week, look for such information and use it to craft authentic looking emails aimed at fooling people in large organizations into opening and downloading things they shouldn't.
The alert was prompted by an incident last October in which 11 companies in the energy sector were targeted in a sophisticated spear-phishing campaign apparently aimed at breaching their network security.
The phishing campaign was made possible to a large extent by information posted publicly by an energy company listing attendees at a recent conference. The employee names, email addresses, organizational affiliations and work titles so helpfully posted by the company was used by spear-phishers to launch customized attacks against energy sector companies.
Malicious emails that appeared to be from one of the attendees were sent to others on the list informing them of a change in the sender's email address. Recipients were politely asked to click on an attached link that promptly took them to a site containing malware.
"Luckily no known infections or intrusions occurred," the DHS said in its alert. The alert did not specify whether the attack failed because of luck or because the energy companies had tools in place for detecting and removing the malware.
"Publicly accessibly information commonly found on social media, as well as professional organization and industry conference Web sites is a recognized resource for attackers performing reconnaissance activities," the DHS said in its latest edition of the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) Monitor. Previous experience has shown that such information allows spear-phishers to craft more convincing, and more successful, campaigns.
Organizations that want to limit their exposure should consider minimizing the amount of data -- email addresses, titles, internal project names and organizational structure -- available online. "If information exists on other Web sites, contact the Web site owner and ask that it be removed," the agency urged.
As basic as the threat might sound, spear-phishing campaigns have proved to be a highly effective way for attackers to gain a foothold in enterprise networks in recent years.
Numerous organizations, including Sony, RSA Security, the Oak Ridge National Laboratories, Pacific Northwest National Laboratory (PNNL), Epsilon Interactive and several government agencies have been breached, often in spectacular fashion, as a result of spear-phishing campaigns.