Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
Last week I received an email purporting to be from the U.S. Internal Revenue Service (IRS).
Notice the U.S. Internal Revenue Service now uses Cyrillic script on its staff email addresses! And they use AOL as an email service, rather than irs.gov. (Is the U.S. budget sequestration really hurting that badly?
The third fun item is that the link you are supposed to click on (irs.gov/pub/irs-pdf/forms2012/) actually resolves to prospectrealty.net/wp-content/plugins/Bridge-Book-Printer/forms.htm. (Note to Prospect Realty – you might want to secure your web site a little better.)
Obviously, this email is a phishing attack. The creators of the email want me to click on the fake IRS link. If I did, my browser would be directed to the Prospect Realty website they have hacked. There I would either see a page that looked like an IRS log-in page (so the crooks could steal any confidential corporate information I enter) or the site would try to download some nasty Java applet that would take over my computer (assuming I hadn’t patched Java recently).
This phishing attack is so crude and so obvious that it is funny.
But in another way, it isn’t funny at all.
Attacks like this only continue if they make their creators money. And the criminals behind them have very simple and effective ways to determine if their attacks are effective. They launch the email and then count the number of suckers that click in the next few hours. If they don’t get any clicks, they try something different. If they get enough victims, they launch the attack again against a new list of email addresses.
Now I received this same phishing email multiple times over several days – which leads me to believe that it was effective for the bad guys. Poor sods were clicking on the links. And these aren’t just any poor sods. Remember that this email is addressed to employers – not grandma or grandpa. So the email is an attack on the accounting teams in corporations, a group one might hope is very computer savvy.
So what is my point? In the SCADA and ICS world we worry a lot about highly sophisticated threats like Stuxnet attacking our companies. Yet it seems that completely amateurish attacks work too (remember Shamoon?). Crooks don’t need sophisticated teams of hackers to be successful in cybercrime. All they need are employees to be so poorly trained that they click on even the most obvious phishing email.
Industry has a long way to go to make IT and SCADA systems truly secure. To get there, it will cost a lot of money. But it seems like there are a lot of baby steps that still aren’t being taken on the road to security. Maybe it is time to take another look at those.
Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.