Spear Phishing (image by Cleanplait)

UPDATE: Added picture of email text

Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee.  The attack linked to a probably-malicious .zip file based upon an old research paper that we published.  There are no AV signatures for the payload.  It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.

It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished.  The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server.  It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well).  The DNS records have been updating constantly since we began investigating.

Thankfully the attack was unsuccessful — paranoia pays off.  It is definitely a lesson in ‘be careful what you open’…even if it looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…
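One automated check for the two tells described above (a colleague's name on an address outside the company, and a link to an archive file hosted elsewhere), as an added example rather than anything Digital Bond ran; the staff directory, domains and sample message are constructed placeholders:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholders: company domain and staff directory (lower-cased name -> domain).
INTERNAL_DOMAIN = "example.com"
INTERNAL_STAFF = {"dale peterson": INTERNAL_DOMAIN}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
URL_RE = re.compile(r"https?://[^\s<>'\"]+")

def _text_body(msg) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)

def analyze_message(raw: str) -> list[str]:
    """Return findings for one RFC 822 message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    expected = INTERNAL_STAFF.get(name.strip().lower())
    # A colleague's name on an outside address: the lookalike-account trick.
    if expected and sender_domain != expected:
        findings.append(f"display-name impersonation: '{name}' from {sender_domain}")
    # Links to archive files hosted outside the company.
    for url in URL_RE.findall(_text_body(msg)):
        parsed = urlparse(url.rstrip(".,);"))
        host = (parsed.hostname or "").lower()
        internal = host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)
        if parsed.path.lower().endswith(ARCHIVE_EXT) and not internal:
            findings.append(f"external archive link: {parsed.geturl()}")
    return findings

# Constructed sample modelled on the message described in the post.
SAMPLE_EMAIL = """\
From: "Dale Peterson" <dale.peterson@mail-example.test>
Content-Type: text/plain

The revised paper is here: http://files.example.test/research/scada-paper.zip

Peterson
"""
```

Calling `analyze_message(SAMPLE_EMAIL)` returns both findings; the same function run over a mail gateway's quarantine feed gives a cheap first-pass triage for this kind of lure.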

DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.

(Picture of the email text, captioned “Bad English”)

I used to point to this story on Spear Phishing from 2005.  In that story, West Point cadets were tested in their computer security course — the instructor spear phished his own students, pretending to be a non-existent superior officer.  Most of the students fell for the attack.  The high percentage of victims at West Point may not reflect private industry very well — these are military cadets taught that following orders is their number one priority.  I think that internal ‘fake spear phishing’ like the kind done at West Point is a great practice, but I have yet to encounter a company or .GOV organization that actually does it…
