Digital Bond

For Secure & Robust ICS

Spear Phishing Attempt

June 7, 2012 by Reid W 10 Comments

Spear Phishing (image by Cleanplait)

UPDATE: Added picture of email text

Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee.  The attack linked to a probably-malicious .zip file based upon an old research paper that we published.  There are no AV signatures for the payload.  It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.

It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished.  The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server.  It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well).  The DNS records have been updating constantly since we began investigating.

Thankfully the attack was unsuccessful — paranoia pays off.  It is definitely a lesson in ‘be careful what you open’…even if it looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…

DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.

Text of the phishing email (image, captioned “Bad English”)

I used to point to this story on Spear Phishing from 2005.  In that story, West Point cadets were tested in their computer security course — the instructor spear phished his own students, pretending to be a non-existent superior officer.  Most of the students fell for the attack.  The high percentage of victims at West Point may not reflect private industry very well — these are military cadets taught that following orders is their number one priority.  I think that internal ‘fake spear phishing’ like the kind done at West Point is a great practice, but I have yet to encounter a company or .GOV organization that actually does it…
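The email described above combines three tells a mail filter can score without any signature for the payload: a real employee's display name on a free-mail address, a link to an archive file, and a sign-off the employee never uses. The following is an added example, not Digital Bond's code; the staff directory, domain names and the sample message are constructed to mirror the post's description.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the message the post describes: boss's display
# name on a free-mail account, a link to a .zip, and a bare-surname signature.
SAMPLE = """From: Dale Peterson <dale.peterson111@yahoo.com>
To: employee@example-corp.invalid
Subject: Updated paper
Content-Type: text/plain

Take a look at the revised paper: http://example.invalid/s4_paper_2009.zip

Peterson
"""

# Assumed directory: lower-cased display name -> the domain that name should send from.
STAFF = {"dale peterson": "digitalbond.com"}
RISKY_EXT = (".zip", ".exe", ".scr", ".rar")


def assess(raw: str) -> list[str]:
    """Return a list of findings for a raw RFC 822 message; an empty list means no flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. Display-name impersonation: a known employee's name on a non-corporate domain.
    if name.lower() in STAFF and domain != STAFF[name.lower()]:
        findings.append(f"display name '{name}' used with external domain {domain}")

    # 2. Links whose path ends in an archive or executable extension.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        if url.lower().rstrip(".,)").endswith(RISKY_EXT):
            findings.append(f"link to risky file type: {url}")

    # 3. Sign-off is just the sender's surname, unlike a normal first-name signature.
    last_line = body.strip().splitlines()[-1].strip()
    if name and last_line.lower() == name.split()[-1].lower():
        findings.append(f"bare-surname signature '{last_line}'")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print("FLAG:", finding)
```

Each finding alone is weak; it is the combination on one message from an "expected" sender that should route it to a human rather than the inbox.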


Filed Under: Digital Bond Tagged With: Digital Bond, phishing, spear phishing

Comments

  1. Ron Southworth says

    June 7, 2012 at 22:54

    Hi Dale,

    I guess I am saying welcome to my nightmare… So far DoSing is the only success; I have suffered no actual compromises of note.

    Goes to show your raised profile has got your site noticed. I had a similar experience – different MO – about two months ago that was particularly of note.

    I do have close family in the USA that I never talk about in public or untrusted relationships, and that was the basis of the well crafted and, on the surface, well designed attack. I think the good news is that they always seem to have some little defect that is in plain sight that you can pick up on.

    BTW the SCADA mail list site has been hit so hard and often lately I’m kinda glad that it has a different data center to what it had been before last year. It is fairly bullet proof now from DOS/DDOS attacks.

    My domain cops so many targeted attacks that I’ve started a best attack of the week distribution to researchers.

    Lemme know if you want to be added to the distribution list; some are quite humorous.

  2. Justin Weddington says

    June 8, 2012 at 12:30

    Did you submit the payload to any AV vendors for analysis? I am interested in knowing what they come back with, if it’s a new strain or a variant of an existing strain.

  3. Dale G Peterson says

    June 9, 2012 at 13:13

    Hi Justin,

    No we did not, but we have no shortage of talent looking at it. There will be another article on Monday with more details on what it is and indicators on who it points to. The reason we are being so open with this info is we have been looking for a good ICS spear-phishing example to make a point, and unfortunately one fell into our lap.

    Owner/operators and vendors should realize that a motivated, directed attacker will try to compromise a SCADA/DCS admin’s or engineer’s corporate system with the hope that that system is allowed into the control center. We actually had a paper on this for S4 2012, but it got pulled. Maybe in 2013.

    Reid did submit it to VirusTotal and most of the popular vendors you see in corporation (McAfee, Symantec, Trend, Kaspersky, F-Secure, …) did not detect it.

    Dale

  4. Justin Weddington says

    June 11, 2012 at 09:45

    Dale,

    Push the AV vendors hard with this one to detect it. I recently found a new strain of virus which none of the vendors on VirusTotal detected. Sophos was the first to detect it, followed by Fortinet, then Norman. If I find a new strain I submit to them first. The .dll was encrypted and the run key looked like it specified a password. The properties of the file made it look like it was a legitimate Russian grammar engine. I was unable to determine the vector of attack in this case but was happy to get protection from McAfee in the end.

    Thanks for being so open. It’s scary to see how it used your name and ICS security terms.

    Signatures aren’t cutting it anymore. Organizations need to focus on behavior based and whitelisting methods. Mikko hits the nail on the head in this article: http://www.wired.com/threatlevel/2012/06/internet-security-fail/

    Feel free to contact me if you need any additional help on the analysis.

  5. Justin Weddington says

    June 11, 2012 at 11:16

    I just saw the Ned Moran post. Great that the analysis was able to be done quickly.

  6. Scott Greaux says

    June 12, 2012 at 09:21

    Reid,

    You’ll be happy to hear that many organizations now include mock phishing exercises such as the one used by Mr. Pelgrin during his tenure as CISO for the State of New York. PhishMe customers have trained over 3.1 million employees across multiple industry verticals and government agencies using the unique Immersive Education Experience that mock phishing provides.

    Since PhishMe’s inception in 2008 we have found that immediately presenting engaging, bite-sized educational materials to those that fall “prey” has the desired effect of reducing human vulnerability to spear-phishing attacks. On an average, 58% of the employees of an organization are shown to be vulnerable during first-run mock phishing exercises. After several exercises customers are able to drive the susceptibility rate down to the single digit percentages.

    So, although you may not hear many organizations discussing their mock phishing exercises I hope you’ll find comfort in the fact that a growing number of Fortune 500 firms embrace the concept and have active mock phishing programs.

    PS – great work on the analysis and thanks for sharing the email

    Best,
    Scott Greaux

  7. David Ireland says

    October 2, 2012 at 19:51

    Look at the email addresses. It’s apparently from the boss’s yahoo account and sent to the employee’s yahoo account (via, er, gmail). What company sends its business communications out via yahoo?

  8. Justin Weddington says

    June 19, 2013 at 08:36

    So could a PRISM request have been made to monitor the email address dale.peterson111@yahoo.com to try and detect the parties involved?

    Could, say, an organization like ES-ISAC work with the NSA to make these requests?

    Reading this article today made me remember when this event happened: http://www.washingtonpost.com/world/national-security/how-a-shared-e-mail-address-disrupted-plots-in-britain-and-us/2013/06/18/ebb023c4-d84b-11e2-a016-92547bf094cc_story.html

Trackbacks

  1. Hackers take aim at key US infrastructure – CNNMoney says:
    February 20, 2013 at 12:00

    […] “spear phishing” attempt last year. In that attack, a crafty cyberthief fashioned an email to Digital Bond employees that seemed to come from Petersen himself (see graphic at top). It contained a link that, if […]

