Threat Advisory – Current Phishing Campaign Mimics a Primacy Agency Data Validation Request

Created: Tuesday, August 23, 2022 - 13:52
Categories:
Cybersecurity, Security Preparedness

by Andrew Hildick-Smith

Attention: If the EPA or your primacy agency asks you to validate your basic Public Water Supply (PWS) system information, look extremely closely at the email and verify that the request is legitimate BEFORE you respond. Please view the attachment for screenshots of the actual phishing messages so you can spot and report similar scams.

What Happened?

In July, a transient non-community PWS in Massachusetts received an email purporting to be from the Massachusetts Department of Environmental Protection (Mass DEP), asking them to kindly verify their PWS information as listed in the email. The request was well crafted and looked very official. The data included in the phish was accurate; it was most likely scraped directly from the internet during the threat actor’s reconnaissance. However, two features of the message gave it away as phishing:

  • The sender address, “Laura Peach <peach_laura@outlook.com>”, is not an address the Mass DEP is likely to use, and
  • The “Click here for information confirmation and update.” button showed an unexpected destination URL when the mouse cursor hovered over it in the original message.
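As an added example (not code from the advisory or from Mass DEP), the following Python script checks a raw email message for the two giveaways described above: a sender address outside the expected agency domain, and hyperlinks whose destination host is not the agency's. It assumes the agency's legitimate mail domain is mass.gov (an assumption, not stated in the advisory) and runs on a constructed sample message that reuses the sender address quoted above but substitutes a placeholder link destination, since the advisory does not reproduce the real phishing URL.

```python
"""Flag the two giveaways described in the advisory in a raw RFC 5322 message:
a sender address outside the agency's domain, and links whose destination
host differs from the domain the message claims to come from."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate mail domain for the Massachusetts DEP (assumption, not from the advisory).
AGENCY_DOMAIN = "mass.gov"
# Free webmail domains an agency would not send official data requests from.
FREEMAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _registered_domain(host):
    """Crude last-two-labels domain: 'www.mass.gov' -> 'mass.gov'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_message(raw):
    """Return a list of human-readable red flags found in the message (empty = none found)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # Giveaway 1: the From address is webmail, or at least not the agency's domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        flags.append(f"sender uses free webmail domain: {sender}")
    elif _registered_domain(sender_domain) != AGENCY_DOMAIN:
        flags.append(f"sender domain is not {AGENCY_DOMAIN}: {sender}")

    # Giveaway 2: a "click here" link whose real destination is off-agency.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for text, href in extractor.links:
            host = urlparse(href).hostname or ""
            if _registered_domain(host) != AGENCY_DOMAIN:
                flags.append(f"link '{text}' points off-agency to {host}")
    return flags


# Constructed sample modelled on the advisory's description. The sender address is the one
# quoted in the advisory; the link destination is a placeholder, not the real phishing URL.
SAMPLE_PHISH = """\
From: Laura Peach <peach_laura@outlook.com>
To: operator@example-water-district.example
Subject: Public Water Supply Information Confirmation
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Kindly verify your PWS information listed below.</p>
<p><a href="https://verify-portal.example.net/login">Click here for information confirmation and update.</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in analyze_message(SAMPLE_PHISH):
        print("RED FLAG:", flag)
```

Run against the constructed sample, the script reports both indicators the advisory describes: the outlook.com sender and the off-agency link destination. The domain comparison is deliberately crude (last two labels), so a production mail filter would use a proper public-suffix list, but the two checks are the same ones a recipient performs by eye when reading the sender line and hovering over the button.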

If someone clicked the link, even accidentally, they were presented with a fake login page designed to steal credentials. In this case the adversary asks you to “verify” your email password. The stolen credentials can then be used against your utility directly, or sold to another group with the same intent, as the opening step of an attack sequence that can lead to a cyber incident such as ransomware or a business email compromise (BEC).

Fortunately, as with the email itself, the fake login page gives the recipient another chance to spot the scam: its logo belongs to a government transportation agency in New South Wales, Australia, which is unlikely to be familiar to a public water supply in Massachusetts.

Back Again One Month Later

In August, more variations of the campaign described above were detected. This time the email went to a community PWS. In the new campaign, the Massachusetts DEP logo was replaced with a state seal and some of the wording and data fields were changed, but the intent was the same: trick a water utility into thinking that its state primacy agency wants it to confirm its data and, in the process, collect passwords for nefarious use.

Like the July version, the August version also comes from a non-standard, non-business sender address and carries an odd link behind the “Click Here to Verify or Update you Information” button, both of which should be recognized as unofficial. Additionally, the destination (phishing) page includes another red flag for someone in Massachusetts: it purports to be the “City of Evansville, Indiana.”

Lessons Learned

  • Share Information on Threats. In these two cases, the Massachusetts DEP quickly sent out a broadcast alert to all public water supply systems warning them of the phishing attempt.
  • Open-Source Intelligence (OSINT).  There is a lot of information on the internet about our water systems. Get familiar with what is out there. In some cases, you can work to remove detailed and sensitive information. It takes time and persistence, but it is possible. In other cases, like this one, the information is intentionally part of the public record for citizens. We just need to be aware of this class of data, so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
  • Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. One free source is the Cybersecurity and Infrastructure Security Agency (CISA) and its cyber hygiene program.
  • Not Sure, Call. If you are not sure that the source of an email is legitimate, call them through previously established phone numbers to confirm the request’s validity.
  • Fall for a Phish, Contact Your IT Group. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker will be glad you did.

Please view the attachment for screenshots of the actual phishing messages so you can spot and report similar scams.