ICS Alert: Utilities Targeted

Monday, April 23, 2012 @ 09:04 AM gHale

Social engineers are attempting highly targeted attacks against Industrial Control Systems at utilities.

The attacks are phishing phone calls coming from “Microsoft Server Department” and warning of infected PCs.

RELATED STORIES
Attack Vector: Phishing Real or Phony?
Tool to Counter Cyber Threats
Utilities Under Daily Attack
Security Firm Finds Attack Signs

The attacker attempts to have the utilities turn on services which would allow unauthorized remote access, according to a report from the U.S. Cyber Emergency Response Team (US-CERT) Control Systems Security Program (CSSP).

While phishing calls are nothing new, US-CERT found the events important enough to point out the “need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts.”

The utilities received a call from a software company warning them their PCs had viruses and to “Please take the following steps so I can help you correct the problem.” The calls purported to be from the “Microsoft Server Department” informing the utilities they had a virus. It wasn’t really Microsoft calling, but rather an attacker, attempting to socially engineer the utilities to gain access to their systems.

The caller tried to convince the transmission managers to start certain services on their computer (likely, those services would have allowed unauthorized remote access). Fortunately, the transmission managers were on top of their game and recognized the social engineering attempts and refused to comply, and hung up.

US-CERT recommended organizations to keep an eye on any kind of phishing attacks.

Social engineers often send emails, hoping for a bite, or a link to click on, or a download to open. If an attacker can lure their target into visiting a maliciously crafted spoof site, then they may hope to deliver a drive-by-download. Social engineers also place calls, and in the guise of needing help or pretending to be someone in authority, can often persuade a person to divulge too much information about a company. However it is accomplished, social engineering is lethal to corporate America.

Earlier this year, US-CERT reported spoofed emails that falsely claimed to be from @US-CERT.GOV with a subject line containing: “Phishing incident report call number: PH000000XXXXXXX.” The fake US-CERT emails targeted federal, state and local government personal and had attachments labeled “US-CERT Operation Center Report XXXXXXX.zip.” The zip file contained the Zeus offshoot ‘Ice-IX’ that could “sidestep firewalls and other protective mechanisms” to steal banking credentials and other sensitive information by logging keystrokes.

Scams involving phishing phones calls purportedly coming from Microsoft tech support have been around for a long time. Whether such social engineering “Hi, I’m from Microsoft” phony phone calls are aimed at defrauding ICS, enterprise or individuals, here are a few tips. For starters, Microsoft does not make cold calls to offer tech support. Microsoft is not going to call you unless you specifically requested a call.

When you open a support case, provide information and your name if you ask for a return call for tech support. Microsoft will reference your support case with a support ID number and address you by name when calling.

“Our advice is simple; treat callers as you would treat strangers in the street – do not disclose personal or sensitive information to anyone you do not know,” a Microsoft spokesperson said.

“Unfortunately this is not the first scam of its kind, and it’s unlikely to be the last. The best way to avoid becoming a victim is by being aware of the threat. Consumers should also ensure the copy of Windows they are running is genuine and fully up to date, while ensuring they have installed legitimate software will guard against viruses, spyware, and other malicious software.”