Since version 76 (the current version is 80), Google Chrome no longer displays the “https://” scheme or the “www” subdomain in the address bar. Miscreants are taking advantage of this “feature” in credit card and login skimming campaigns against legitimate websites. A PLC vendor in Spain reportedly fell victim to this technique, which enabled skimming code to be injected into its website. The scheme, as reported by journalist Brian Krebs, uses the domain “htt.ps” to trick users into thinking they are seeing the “https://” they have been taught to look for. The malicious “htt.ps” domain is believed to be hosted in Russia.
Admittedly, a skimming attack does not impact ICS directly, but targeting an ICS component vendor could give attackers enough details to go spelunking through the domains of its customers. It is essentially a watering hole tactic: compromise the vendor that takes orders for ICS components and, voila, you have a new list of potential targets to attack, or to sell to the highest-bidding threat actor or group (or someone who knows a group) with a focus on ICS attacks. Either way, the individuals who completed purchases at the compromised vendor make prime targets for follow-up phishing attacks such as EAC (Email Account Compromise).
The concern is two-fold. Water and wastewater utilities that host or outsource e-commerce websites for customer payments must ensure their e-commerce platforms are hardened to protect customers and their data. Utilities that purchase online should train users to scrutinize the full URL before doing anything sensitive, particularly when purchasing from third-party vendor sites, and to be exceedingly cautious of any follow-up emails from those vendors, especially emails directing a change of any financial details.
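As an added example (not code from the WaterISAC advisory or the Krebs post), the following Python script shows both halves of the problem described above: what Chrome 76+ leaves in the address bar once the scheme and “www” are dropped, and a quick audit of a checkout page’s external script sources of the kind a site operator would run when hardening an e-commerce platform. The audit flags any script host that is not on an allowlist and any host that, like “htt.ps”, spells out a URL scheme once its dots are ignored. The sample HTML, the shop hostname example-plc-shop.test and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample checkout page (not any real vendor's page): one same-origin
# script, one legitimate external script, and one injected loader that pulls
# from the lookalike domain "htt.ps".
SAMPLE_HTML = """
<html><head>
<script src="/static/vendor.js"></script>
<script src="https://www.example-plc-shop.test/static/checkout.js"></script>
<script type="text/javascript" src='https://htt.ps/js/jquery.min.js'></script>
<script>console.log("inline, no src");</script>
</head><body>checkout</body></html>
"""

# Hosts this shop legitimately loads scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"example-plc-shop.test", "www.example-plc-shop.test"}

# Matches the src attribute of <script> tags, single- or double-quoted.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def omnibox_display(url: str) -> str:
    """Approximate what Chrome 76+ shows in the address bar for an https URL:
    the scheme is dropped and a leading 'www.' is removed, so
    https://www.example.com/cart is shown as example.com/cart.
    URLs with any other scheme are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return url
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path


def spells_scheme(host: str) -> bool:
    """True when the host, read with its dots ignored, is literally 'http' or
    'https' (e.g. 'htt.ps', 'ht.tps'). With the scheme hidden, a user who
    glances at 'htt.ps/...' may read it as the 'https://' they expect."""
    return host.lower().replace(".", "") in ("http", "https")


def audit_script_sources(html: str, allowed_hosts: set) -> list:
    """Return (src, host, reasons) for every external <script src> whose host is
    not in allowed_hosts or is a scheme lookalike. Relative and same-origin
    sources (empty netloc) are skipped; protocol-relative '//host/x' is handled."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).netloc.lower()
        if not host:
            continue
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host not in script allowlist")
        if spells_scheme(host):
            reasons.append("host reads as a URL scheme when the dots are ignored")
        if reasons:
            findings.append((src, host, reasons))
    return findings


if __name__ == "__main__":
    for url in ("https://www.example-plc-shop.test/checkout",
                "https://htt.ps/js/jquery.min.js"):
        print(f"{url:48} -> address bar shows: {omnibox_display(url)}")
    for src, host, reasons in audit_script_sources(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(f"FLAG {host} ({src}): {'; '.join(reasons)}")
```

Run against the constructed page, the audit reports only the htt.ps loader, with both reasons. The allowlist check is the one that matters operationally: a skimmer does not need a lookalike name to steal card data, so any external script host not on the list deserves a look, and the same list is what you would express as a Content-Security-Policy script-src allowlist once you have reviewed it.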
Admittedly, WaterISAC does not know the purchasing practices of its members or the broader water sector, but if employees use Google Chrome, may we suggest a security awareness special topic session on the risks described above, which could lead to a successful compromise. Likewise, prioritize the hardening of e-commerce platforms to protect your website and your online payment customers. Read the post and find suggested mitigation resources at KrebsOnSecurity.