Social engineering provides an effective means for attackers to gain access to systems.
While many social engineering attempts, such as those that we receive in our inbox every day in the form of spam and phishing emails, are easy for most to recognize, these attempts can also be highly targeted and conducted in a way that is much more difficult to detect. Phone-based social engineering attempts were recently experienced at two or more power distribution companies.
The utilities received a call from a representative of a large software company – yes, that one that sold them the operating system on their computers – warning them that their PCs had viruses and to “Please take the following steps so I can help you correct the problem.”
The calls purported to be from the “Microsoft Server Department” informing the utilities that they had a virus. Of course, it wasn’t really Microsoft calling, but rather an attacker, attempting to socially engineer the utilities to gain access to their systems.
The caller tried to convince the transmission managers to start certain services on their computer (likely, those services would have allowed unauthorized remote access). Fortunately for the customers of those utilities, the transmission managers recognized the social engineering attempts, refused to comply, and hung up.
This event points out the need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts. If you are unsure whether the request is legitimate, try to verify it by contacting the company directly.
Do not use contact information provided in a URL or link connected to the request; instead, check previous statements or go to the website directly for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
ICS-CERT recommends that organizations remind users to review the US-CERT Tip “Avoiding Social Engineering and Phishing Attacks” to learn more about what to look out for and what to do if you have fallen victim to such an attack.
If you have experienced something similar or think you have revealed sensitive information about your organization, ICS-CERT recommends reporting it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
In addition, immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. ICS-CERT also encourages reporting these incidents to ICS-CERT or your local ISACs for tracking and correlation.
ICS-CERT issued an alert on the US-CERT Secure Portal warning asset owners and operators of this observed activity. ICS-CERT often releases information pertaining to a wide variety of threats on the US-CERT Secure Portal as well as to the ICS-CERT public web page.
Asset owners and operators can request access to this vetted access portal by e-mailing ICS-CERT@dhs.gov.