[BreachExchange] HR Departments Part 2: Still Out Phishing?

Inga Goddijn inga at riskbasedsecurity.com
Thu Mar 17 15:53:59 EDT 2016


https://www.riskbasedsecurity.com/2016/03/hr-departments-part-2-still-out-phishing/

On March 7th, we reported
<https://www.riskbasedsecurity.com/2016/03/hr-departments-gone-phishing/>
on a warning issued by the IRS alerting HR and payroll processing
departments to be on the lookout for phishing attempts targeting W-2
information. At the time our research identified twelve companies that had
fallen for the scam. Now, just one week later, we can report on another
twelve organizations that join the ranks of those impacted.  The list now
includes:
Who | How Many Impacted | Date Occurred | Date Reported
Hudson City School District <http://www.hudsoncityschooldistrict.com/> | Not Disclosed | January 21, 2016 | January 24, 2016
RightSide Group <http://www.rightside.co/> | Not Disclosed | Not Disclosed | February 25, 2016
DataXu* <https://www.dataxu.com/> | Not Disclosed | February 18, 2016 | March 3, 2016
York Hospital* <http://www.yorkhospital.com/> | At least 1,211 | February 22, 2016 | February 25, 2016
General Communication Inc <https://www.gci.com/> | Not Disclosed | February 24, 2016 | March 4, 2016
Information Innovators Inc <https://www.iiinfo.com/> | Not Disclosed | February 26, 2016 | March 3, 2016
Mansueto Ventures <http://www.mansueto.com/> | Not Disclosed | February 26, 2016 | March 4, 2016
Affinion Group <http://www.affinion.com/> | Not Disclosed | Not Disclosed | March 8, 2016
Seagate Technology <http://www.seagate.com/> | Not Disclosed | March 1, 2016 | March 7, 2016
Turner Construction Company* <http://www.turnerconstruction.com/> | Not Disclosed | March 2, 2016 | March 7, 2016
Endologix Inc <http://www.endologix.com/> | Not Disclosed | March 3, 2016 | March 9, 2016
SevOne <https://www.sevone.com/> | Not Disclosed | March 7, 2016 | March 9, 2016

*Suspected due to the nature of the data taken and description of events,
but not confirmed as spear-phishing.

At this time there is no public confirmation these attacks were perpetrated
by the same actor(s), but one tantalizing detail has come to light
suggesting a similar strategy was used. Local reporting on the Hudson City
School District attack
<http://www.registerstar.com/news/article_3a62bbbc-d1ff-11e5-a857-ebad3df66d41.html>
noted, “the scammer who sent the email used [District Superintendent Maria]
Suttmeier’s photograph, email address and title” in the phishing email.
Likewise, Information Innovators Inc. (aka Triple-i) disclosed in a
statutory disclosure letter that “the criminal also adjusted the display
name so that the Triple-I employee’s name and picture was in the ‘TO’ field
in the response.” We know from the IRS warning and several of the
disclosures that the phishing mails sent in these attacks used a technique
known as spoofing <https://en.wikipedia.org/wiki/Email_spoofing>, whereby
the sender’s real email address is masked and a known individual’s email
address appears in its place: the From header (and often the Reply-To
header) is simply forged, since nothing in SMTP itself verifies it. Spoofing
is a well-known technique, but in at least two of the reported incidents,
the person(s) behind the attacks took the time to include relevant photos
that would further the illusion of a trusted communication. That appears to
demonstrate a level of planning above and beyond a typical spoofed
spear-phishing attack.

These most recent attacks highlight the central role trust plays in
security and how the culture of information sharing is being leveraged for
data theft. Some organizations choose to publish staff photos, titles and
contact information in order to show there are real people standing behind
their product or service. As these attacks show, that very same information
is being used against organizations for the very same purpose: creating
what appears to be a trusted communication. Teams tasked with employee
awareness training should focus attention on how public information,
whether it is made available by the organization itself or culled from
social networking sites like LinkedIn, is being used in targeted scams.

Only 10 weeks into 2016 and our research shows there have already been over
535 data breaches disclosed and more than 175 million records compromised
<https://cyberriskanalytics.com>. 2015 was a record-breaking year
<http://www.riskbasedsecurity.com/data-breach-quickview-report-2015-data-breach-trends/>
with more than 4,027 incidents reported. If the current pace of breach
activity continues, 2016 may turn out to be just as extraordinary as 2015,
and for all the wrong reasons.