The Internet has been a boon to the oil and gas industry, as it has to society in general. So much information is available with a mouse click or two. And that leaves the industry wide open for cyberattacks.

These types of attacks can take many forms. Jonathan Pollet, founder and executive director of Red Tiger Security, said that in one popular method, called “spear phishing,” attackers would map out top executives at oil and natural gas companies and send them a targeted email with either a link to a compromised website or a PDF file with a “dropper” embedded.

When the file was opened, it would drop a back door into the executive’s computer that would allow hackers to access information behind the firewall. Pollet said this type of attack was used against several pipeline companies in 2012.

But wait – there’s more. A newer and more efficient threat, called “water-holing,” makes the hackers’ lives much easier, because these executives now come to them.

“Water-holing is where the hacker finds out where these guys hang out on the Internet,” Pollet said. “Maybe they all go to the Society of Petroleum Engineers website, because that’s a good resource for them. Maybe there’s a LinkedIn group where oil and gas professionals congregate and share information. So that’s where these guys would go.”

Instead of focusing on an individual, attackers using the water-hole method focus on a group by setting up a compromised website and giving it the look and feel of an established website but with a slightly altered URL, or by exploiting vulnerabilities in a legitimate website and uploading their payload to the legitimate site. The attackers would then register themselves as members of the society or join the LinkedIn group.

“Then they’ll just lurk and watch traffic within the group,” Pollet said. “At the appropriate time, when their server is up and running, and when there’s a topic that a lot of people seem to be interested in, they will post a compromised PDF file up to their compromised server. They’ll make a post saying something like, ‘Hey, guys, I found this PDF really helpful. Check it out.’

“They’re hoping that with 4,000 or 5,000 members in the group, there’s a good chance that maybe 10% of them will click on this link. Now they’ve got a dropper behind 10 or 15 companies.”

Already several energy companies have been targeted. According to a blog on Cisco.com, at least six energy-related companies were targeted in 2013, including an oil and gas exploration company and several investment and capital firms that specialize in the energy sector. “Encounters with the iframe-injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches,” the blog noted.

Even governmental organizations are not immune to the threat. Threatpost.com reported that a U.S. Department of Labor website was compromised in 2013.

Pollet said that any site that has a group following is a potential target. “The people doing this are very skilled, and they are typically what are called ‘cyber mercenaries,’” he said. “They are typically hired under contract, and they get paid for the number of machines they’ve compromised in a specific sector.

“If an oil company wants to have a competitive advantage over other companies, they’ll pay more to have compromised machines from other oil and gas companies in their segment.”

These attacks are most likely to originate in countries in which hacking laws are lax or lacking. Pollet said that the governments of countries like Russia, North Korea, Syria, and China are more likely to look the other way than countries with strict anti-hacking laws. Hackers in countries with more stringent laws, he said, might have domain names registered in Russia or China to deflect attention. “You don’t really know where this activity is actually going on,” he said.

In spite of these threats, companies can make themselves less likely targets. Pollet said that it is incumbent on every company with a web presence to ensure that its servers and applications are tested on a regular basis and that older, more vulnerable code is updated. Internet-facing servers should be tested routinely.

From a user standpoint, he said, it’s important to be aware of which links are being clicked. The easiest way to do this is to check the domain name before clicking. “Make sure that when you hover over a link with your mouse, the actual link is resolving to a domain name that looks appropriate for the material that you’re looking for,” he said. “Just taking that extra precaution is important.”

Companies also can help their employees be less susceptible by providing cyber-awareness programs. Even then, however, danger lurks.

“The more I’m in the industry, the more I’m seeing that no matter how much you train and no matter how much you tell people about this, there’s always a certain population of people that just don’t really get it,” Pollet said. “That’s what these guys are playing on. They’re hoping that the numbers work out in their favor, and that they get that last 10% of people that just aren’t cautious when using computers.”
