CyberheistNews Vol 13 #08  |   February 21st, 2023

[Heads Up] Reddit Is the Latest Victim of a Spear Phishing Attack Resulting in a Data Breach

There is a lot to learn from Reddit’s recent data breach, which was the result of an employee falling for a “sophisticated and highly-targeted” spear phishing attack.

I spend a lot of time talking about phishing attacks and the specifics that closely surround that pivotal action taken by the user once they are duped into believing the phishing email was legitimate.

However, there are additional details about the attack we can analyze to see what kind of access the attacker was able to garner from this attack. But first, here are the basics:

According to Reddit, an attacker set up a website that impersonated the company’s intranet gateway, then sent targeted phishing emails to Reddit employees. The site was designed to steal credentials and two-factor authentication tokens.

There are only a few details from the breach, but the notification does mention that the threat actor was able to access “some internal docs, code, as well as some internal dashboards and business systems.”

Since the notice does imply that only a single employee fell victim, we have to make a few assumptions about this attack:

The attacker had some knowledge of Reddit’s internal workings – The fact that the attacker could spoof an intranet gateway shows they had some familiarity with the gateway’s look and feel, and with how Reddit employees use it.
The targeting of victims was limited to users with specific desired access – Given the knowledge about the intranet, it’s reasonable to believe that the attacker(s) targeted users with specific roles within Reddit. From the use of the term “code,” I’m going to assume the target was developers or someone on the product side of Reddit.
The attacker may have been an initial access broker – Although Reddit is downplaying the access gained, it also mentions that no production systems were accessed. This makes me believe that this attack may have been focused on gaining a foothold within Reddit rather than penetrating more sensitive systems and data.

There are also a few takeaways from this attack that you can learn from:

2FA is an important security measure – Despite the fact that the threat actor collected and (I’m guessing) passed the credentials and 2FA details onto the legitimate Intranet gateway—a classic man-in-the-middle attack—it’s far better to have MFA in place than to have no additional authentication factors in place.
Employees play a role in organizational cybersecurity – Reddit mentions that “soon after being phished, the affected employee self-reported, and the security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”

Users that are aware of how important they are in keeping the organization secure – something taught through continual security awareness training – can truly make the difference. With so many attacks involving threat actors lying undetected for literally months, it’s refreshing to hear about an attack where the threat actor was cut off quickly by the swift thinking of a user who knew exactly what to do once they realized they had been tricked.
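A relayed phish of the kind described above leaves a recognisable shape in the sign-in log: a session that satisfied MFA, but from the relay’s network rather than the employee’s usual one, often while the employee is still signed in from their desk. The script below is an added example of how a security team could hunt for that pattern; it is not Reddit’s tooling or code from this newsletter. The sign-in records, user names, addresses (from documentation ranges) and the /24 network baseline are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample sign-in log: (timestamp, user, source_ip, mfa_result, client).
# Addresses are from documentation ranges; none of this is real data.
SIGN_INS = [
    ("2023-02-01T09:02:00", "alice", "10.20.30.41", "success", "Chrome/Win"),
    ("2023-02-02T08:58:00", "alice", "10.20.30.42", "success", "Chrome/Win"),
    ("2023-02-03T09:10:00", "alice", "10.20.30.41", "success", "Chrome/Win"),
    ("2023-02-05T07:45:00", "bob", "10.20.31.10", "success", "Firefox/Mac"),
    ("2023-02-06T09:00:00", "bob", "203.0.113.77", "success", "Firefox/Mac"),  # bob also works remotely
    # Day of the phish: alice signs in at her desk, then a second fully
    # authenticated session for her appears from a never-seen network.
    ("2023-02-09T09:01:00", "alice", "10.20.30.41", "success", "Chrome/Win"),
    ("2023-02-09T09:03:00", "alice", "198.51.100.25", "success", "Chrome/Linux"),
    ("2023-02-09T09:04:00", "bob", "203.0.113.78", "success", "Firefox/Mac"),
]


def network_of(ip):
    """Collapse an address to its /24 so address churn inside one office or
    ISP block is not mistaken for a new location (assumed granularity)."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baselines(events, cutoff):
    """user -> set of networks from which the user completed MFA before `cutoff`."""
    known = defaultdict(set)
    for ts, user, ip, result, _client in events:
        if result == "success" and datetime.fromisoformat(ts) < cutoff:
            known[user].add(network_of(ip))
    return known


def find_suspicious_sessions(events, cutoff, window_minutes=30):
    """Alert on MFA-satisfied sign-ins from networks outside the user's baseline.

    Severity becomes 'high' when the same user also completed MFA from a known
    network within `window_minutes`: the employee was demonstrably at their usual
    location while a second authenticated session appeared elsewhere, which is
    what a relayed (adversary-in-the-middle) phish looks like in the log.
    """
    cutoff_dt = datetime.fromisoformat(cutoff)
    known = build_baselines(events, cutoff_dt)
    window = timedelta(minutes=window_minutes)
    recent = [
        (datetime.fromisoformat(ts), user, ip, client)
        for ts, user, ip, result, client in events
        if result == "success" and datetime.fromisoformat(ts) >= cutoff_dt
    ]
    alerts = []
    for when, user, ip, client in recent:
        if network_of(ip) in known[user]:
            continue  # familiar network for this user; nothing to raise
        alert = {
            "user": user, "source_ip": ip, "time": when.isoformat(), "client": client,
            "severity": "medium",
            "reason": "MFA satisfied from a network never seen for this user",
        }
        for other_when, other_user, other_ip, _c in recent:
            if (other_user == user and network_of(other_ip) in known[user]
                    and abs(other_when - when) <= window):
                alert["severity"] = "high"
                alert["concurrent_known_ip"] = other_ip
                alert["reason"] += (f"; user also active from known network "
                                    f"{network_of(other_ip)} within {window_minutes} min")
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SIGN_INS, "2023-02-09T00:00:00"):
        print(alert)
```

Against the constructed log, only alice’s 09:03 session from 198.51.100.25 is raised, at high severity, because she completed MFA from her office network two minutes earlier; bob’s second remote sign-in lands in a /24 he has used before and is ignored. In production the baseline needs enrichment (corporate VPN egress ranges, ASN rather than /24 for mobile users) or legitimate travel will produce a steady stream of medium alerts.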

Blog post with links:

[HEADS UP] Russian Hacker Group Launches New Spear Phishing Campaign with Targets in U.S. and Europe

The Russian-based hacking group Seaborgium is at it again with increased spear phishing attacks targeting U.S. and European countries in the last year.

Last month, I wrote about Seaborgium launching a phishing campaign with targets in the U.K. Now these threat actors have taken one step further with fake personas, social media accounts, and academic papers to lure their victims into replying to their phishing emails.

They have also widened their net to multiple regions across the globe with a new focus on the U.S. and additional regions within Europe. Each successful attack means the threat actor is able to refine their fake profiles to be more convincing and lure future victims.

Journalists are also becoming a target for multiple Russian hacking groups. Since journalists hold sensitive information, they are high-value targets for cyber espionage by Russian state-sponsored groups.

While spear phishing campaigns continue to increase in sophistication, the root cause stems from social engineering. Whether it was specific language in the email or a convincing fake profile, threat actors are refining commonly used social engineering tactics to ensure your users fall victim to their attack.

Thankfully, there are ways to identify if your organization is being targeted. We have several tips for preventing a spear phishing attack from targeting your users:

First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. The trick is to make it as hard as possible for the attacker to get through and to not rely on any single security measure to keep your organization safe.
Regularly scan the Internet for exposed email addresses and/or credentials; you would not be the first to find one of your users’ usernames and passwords on a crime or porn site. Try out the free email exposure check. See link below.
Never send out sensitive personal information via email. Be wary if you get an email asking you for this info and when in doubt, double-check with the source using another communication channel.
Enlighten your users about the dangers of oversharing their personal information on social media sites. The more cybercriminals know, the more convincing they can be when crafting spear phishing emails.
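One way to act on the second tip without handing passwords to a third party is a k-anonymity range lookup, the approach used by the Pwned Passwords service: only the first five hex characters of the password’s SHA-1 leave your network, the service returns every exposed suffix under that prefix, and the match is made locally. The following is an added example written for this newsletter, not KnowBe4’s email exposure check; the exposed-credential corpus is constructed so the code runs offline, and `live_fetch_range` assumes the public `api.pwnedpasswords.com/range/` endpoint shape as I know it.

```python
import hashlib
import urllib.request


def sha1_hex(text):
    """Upper-case hex SHA-1, the digest form the range lookup works on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: password -> number of times seen exposed.
_EXPOSED = {"password123": 12345, "Winter2023!": 42, "letmein": 5000}


def _corpus_by_prefix():
    """Index the constructed corpus as prefix -> ['SUFFIX:COUNT', ...], which is
    the line format a range endpoint returns."""
    table = {}
    for password, count in _EXPOSED.items():
        digest = sha1_hex(password)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


_CORPUS = _corpus_by_prefix()


def offline_fetch_range(prefix):
    """Offline replacement for the HTTP call; returns the suffix list for `prefix`."""
    return "\n".join(_CORPUS.get(prefix, []))


def live_fetch_range(prefix, timeout=10):
    """Query the real Pwned Passwords range endpoint (assumed URL shape; network
    access required, not used by the offline demonstration)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password, fetch_range=offline_fetch_range):
    """Return how many times `password` appears in the exposed corpus, or 0.

    Only the 5-character prefix is sent; the remaining 35 characters are
    compared locally, so the service never learns which password was checked.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def audit_accounts(accounts, fetch_range=offline_fetch_range):
    """accounts: iterable of (username, password) pairs, e.g. gathered at
    password-set time. Returns [(username, exposure_count)] for exposed ones."""
    flagged = []
    for username, password in accounts:
        count = exposure_count(password, fetch_range)
        if count > 0:
            flagged.append((username, count))
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts (not real users).
    print(audit_accounts([("jsmith", "letmein"), ("akumar", "uniqueXyz!9-phrase")]))
```

The natural place to call `exposure_count` is the password-change handler, so an exposed choice is rejected before it is ever stored; swap in `live_fetch_range` for the real service. The prefix lookup reveals nothing useful to the service even if it logs every query, which is the property that makes the check safe to run against user-chosen passwords.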

Users are your last line of defense. They need to be trained using new-school security awareness training and receive frequent simulated phishing tests to keep them on their toes with security top of mind. We provide the world’s largest content library of security awareness training combined with best-in-class phishing testing. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!

Blog post with links:

Security News

Cybercriminals Are Using Geotargeted Phishing to Target Victims

Attackers are abusing a legitimate service called “GeoTargetly” to launch localized phishing attacks, according to Jeremy Fuchs at Avanan. GeoTargetly is meant to be used by advertisers to display ads in countries’ local languages. Avanan observed a phishing campaign using this service to target multiple countries in South America.

“The original email is essentially about a local traffic ordinance–which may not be enough to get people to click,” Fuchs explains. “However, the email itself is not what’s interesting–what is interesting is the ability for hackers to customize their attacks by region, and to attack multiple users in multiple parts of the world at once.”

Fuchs notes that the emails themselves are untargeted, and the attackers simply send out so many emails that some people are bound to fall for them.

“Spray-and-pray is a common technique of threat actors,” Fuchs says. “The idea–throw a bunch of things at the wall and see what sticks. The name of the game is volume, and you’re hoping for a few successful phishes here and there.” In this case, however, the threat actors are using a new technique to make these campaigns somewhat more precise.

“[This attack] is a different kind of spray-and-pray,” Fuchs writes. “It allows for the ability for hackers to target a large number of people at once, and ensure that it’s relevant, and localized. It’s spraying without the praying.

“Using the GeoTargetly redirect, a hacker can create a phishing link that redirects users in a certain region to a fake login page that looks identical to the original one. This personalization increases the chances of a user falling for the attack. The redirect is legitimate and the content would be relevant to their language and region. This has increased the likelihood of spray-and-pray working, and would allow hackers to operate on a global nature seamlessly.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

Blog post with links:

U.K. Security Pros: ‘Employees Are the Attack Surface’

A survey by Tanium has found that IT security professionals in the U.K. say that 64% of avoidable cyberattacks are due to human error, which usually involves falling for phishing attacks. More than half of the respondents said that loss of productivity would be their main concern following a cyberattack.

“The largest number of survey respondents (56 percent) speculate that ‘loss of productivity’ would have the biggest post-breach impact, followed by ‘loss of clients and/or revenue’ (52 percent),” the researchers say. “However, it’s worth noting that these two answers have a mutual association – downtime.

“Following two years of pandemic disruption, organisations are naturally sensitive to anything that interferes with business as usual.” The survey also found that the majority of respondents believe that spending money on security defenses is cheaper than sustaining a cyberattack.

“Forward-thinking organisations will already be acting to pay down the technical debt of their legacy systems,” the researchers write. “85% of security pros in our survey admit that ‘it costs more to recover from a cybersecurity incident than to prevent one.’”

Tanium concludes that organizations should invest in a defense-in-depth strategy that includes employee training.

“These statistics highlight that there is ample scope for cyber teams to make improvements in many areas that are under their influence and control,” the researchers write. “As an illustration, almost half of the organisations surveyed (43 percent) said they intend to invest more in ‘employee awareness training.’

“This prevention-first approach is one way to reduce vulnerabilities that are often caused by human error or lack of education on cyber matters.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize and thwart social engineering attacks.

CIO has the story:

