UPDATE: Added picture of email text
Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee. The attack linked to a probably-malicious .zip file based upon an old research paper that we published. There are no AV signatures for the payload. It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.
It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished. The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server. It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well). The DNS records have been updating constantly since we began investigating.
Thankfully the attack was unsuccessful — paranoia pays off. It is definitely a lesson in ‘be careful what you open’…even if looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…
DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.