09 Apr 2013

Massive Spear Phishing Attack Detected in US Energy Sector


A spear phishing attack carried against 11 US energy companies has been detected and downplayed, according to the US Department of Homeland Security and the ICS-CERT.

The attack used highly targeted messages, custom-tailored for individuals in the respective organizations and was possible because of oversharing of information on the web. According to the report, the individuals had names, work titles, company affiliations and email addresses published on a list of attendees at a committee meeting.

It is unknown whether the attack failed due to user awareness or due to intrusion detection systems at the network perimeter, but the incident is a reminder of the dangers of revealing job-related information on the web. Similar details and even more can be harvested from professional social networking sites, for instance.

“To reduce the likelihood of becoming a victim of spear-phishing attacks, minimize the business-related and personal information on social media Web sites," reads the statement by ICS-CERT. "Business-related information could include job title, company email, organizational structure, and project names. If information exists on other Web sites, contact the Web site owner and ask that it be removed."

For more details, read Spear-Phishing Attacks in the Cards for the Next Year and Americans Reveal their Employer or Occupation on Google+ published on our security blog hotforsecurity.com.