SCADA Security: Phishing Season is Now Open

Friday, March 08, 2013

Eric Byres


Last week I received an email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).


Phishing, like fishing, can be profitable. Image Credit: Fotopedia


Notice that the US Internal Revenue Service now uses Cyrillic script on its staff email addresses! And they use AOL as an email service, rather than (Is the US budget sequestration really hurting that badly?)


The third fun item is that the link you are supposed to click on ( actually resolves to


(Note to Prospect Realty – you might want to secure your web site a little better.)

Beware Industrial Security Pros: Phishing Season is Open

Obviously, this email is a phishing attack. The creators of the email want me to click on the fake IRS link. If I did, my browser would be directed to the Prospect Realty website they have hacked. There I would either see a page that looked like an IRS log-in page (so the crooks could steal any credentials or confidential corporate information I entered) or the site would try to push a malicious Java applet that would take over my computer (assuming I hadn’t patched Java recently).
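The three tells above (non-Latin characters in the sender address, a webmail sender domain, and link text that names a different host than the href it actually points to) are mechanical enough to check automatically. The script below is an added example, not code from the original post or from Tofino; the sample message, hosts and webmail-provider list are constructed for illustration, and the Cyrillic character in the sender address is assumed to stand in for whatever the real email used.

```python
"""Flag the three phishing tells described above in a raw e-mail message.

Added example, not from the original post. Checks: non-ASCII (e.g. Cyrillic)
characters in the sender address, a sender domain belonging to a free webmail
provider, and anchor tags whose visible text names a different host than the
one the href actually points to.
"""
import email
import unicodedata
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free webmail providers a government agency would not send official mail from.
# Assumption: this list is illustrative, not exhaustive.
WEBMAIL_DOMAINS = {"aol.com", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed sample message (not the message the author received).
# The sender's local part contains a Cyrillic 'а' (U+0430) where a Latin 'a'
# would be expected, the sender domain is a webmail provider, and the first
# link's text claims one host while its href goes to another. Hosts are made up.
SAMPLE_EMAIL = (
    "From: IRS Notification <irs.p\u0430yments@aol.com>\r\n"
    "To: employer@example.com\r\n"
    "Subject: Your tax payment was rejected\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><p>Please review the rejected payment:</p>"
    '<a href="http://www.example-realty.test/images/irs/login.php">'
    "http://www.irs.example/e-file/status</a>"
    '<p><a href="http://www.irs.example/privacy">Privacy policy</a></p>'
    "</body></html>"
)


def non_ascii_chars(address):
    """Return (char, Unicode name) for every non-ASCII character in address."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in address if ord(ch) > 127]


def sender_domain(address):
    """Domain part of an addr-spec, lower-cased ('' if there is no '@')."""
    return address.rpartition("@")[2].lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Anchors whose visible text looks like a URL but names a different host."""
    parser = _AnchorCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.anchors:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # plain-language link text: no host to compare against
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        real_host = (urlparse(href).hostname or "").lower()
        if shown_host != real_host:
            bad.append((text, href))
    return bad


def analyse(raw_message):
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if msg.get_content_type() == "text/html" else ""
    return {
        "sender": sender,
        "non_ascii_in_sender": non_ascii_chars(sender),
        "webmail_sender": sender_domain(sender) in WEBMAIL_DOMAINS,
        "mismatched_links": mismatched_links(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

None of these checks is conclusive on its own (plenty of legitimate mail comes from webmail accounts, and internationalised addresses are valid), but a message that trips all three is exactly the kind of thing a mail gateway should quarantine before an accounting clerk ever sees it.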


This phishing attack is so crude and so obvious that it is funny.


But in another way, it isn’t funny at all.

Phishing is Profitable for Attackers

Attacks like this only continue if they make their creators money. And the criminals behind them have very simple and effective ways to determine if their attacks are effective. They launch the email and then count the number of suckers that click in the next few hours. If they don’t get any clicks, they try something different. If they get enough victims, they launch the attack again against a new list of email addresses.


Now I received this same phishing email multiple times over several days, which leads me to believe that it was effective for the bad guys. Poor sods were clicking on the links. And these aren’t just any poor sods. Remember that this email is addressed to employers, not grandma or grandpa. So the email is an attack on the accounting teams in corporations, a group one might hope is very computer savvy.


Not All Cyber Security Threats are Stuxnet Quality

So what is my point? In the SCADA and ICS world we worry a lot about highly sophisticated threats like Stuxnet attacking our companies. Yet it seems that completely amateurish attacks work too (remember Shamoon?). Crooks don’t need sophisticated teams of hackers to be successful in cybercrime. All they need are employees to be so poorly trained that they click on even the most obvious phishing email.


Industry has a long way to go to make both IT and SCADA systems truly secure. Getting there will cost a lot of money. But it seems like there are a lot of baby steps that still aren’t being taken on the road to security. Maybe it is time to take another look at those.


Does your organization train employees to be wary of phishing attacks? Do you have any “phishing” stories to share?

Related Content to Download

White Paper: "Using ANSI/ISA-99 Standards to Improve Control System Security"


Download this White Paper and learn about:

  • The ANSI/ISA-99 Zone and Security Model
  • A Real World Oil Refinery Example
  • Implementing Zones and Conduits with Industrial Security Appliances
  • Testing and Managing the Security Solution


Note: ANSI/ISA-99 Standards have recently been renamed ISA IEC 62443 Standards.


Cross-Posted from the Tofino Security Blog 

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
