<div dir="ltr"><a href="https://www.riskbasedsecurity.com/2016/03/hr-departments-part-2-still-out-phishing/">https://www.riskbasedsecurity.com/2016/03/hr-departments-part-2-still-out-phishing/</a><br><br><span style="font-weight:400">On March 7</span><span style="font-weight:400">th</span><span style="font-weight:400">,</span><a href="https://www.riskbasedsecurity.com/2016/03/hr-departments-gone-phishing/" target="_blank"> <span style="font-weight:400">we reported</span></a><span style="font-weight:400">
 on a warning issued by the IRS alerting HR and payroll processing 
departments to be on the lookout for phishing attempts targeting W-2 
information. At the time, our research identified twelve companies that 
had fallen for the scam. Now, just one week later, we can report on 
another twelve organizations that join the ranks of those impacted. The
 list now includes:</span>
<table border="0">
<tbody>
<tr style="outline:thin solid">
<td><span style="font-weight:400">Who</span></td>
<td><span style="font-weight:400">How Many Impacted</span></td>
<td><span style="font-weight:400">Date Occurred</span></td>
<td><span style="font-weight:400">Date Reported</span></td>
</tr>
<tr>
<td><a href="http://www.hudsoncityschooldistrict.com/" target="_blank"><span style="font-weight:400">Hudson City School District</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">January 21, 2016</span></td>
<td><span style="font-weight:400">January 24, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.rightside.co/" target="_blank"><span style="font-weight:400">RightSide Group</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">February 25, 2016</span></td>
</tr>
<tr>
<td><a href="https://www.dataxu.com/" target="_blank"><span style="font-weight:400">DataXu*</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">February 18, 2016</span></td>
<td><span style="font-weight:400">March 3, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.yorkhospital.com/" target="_blank"><span style="font-weight:400">York Hospital*</span></a></td>
<td><span style="font-weight:400">At least 1,211</span></td>
<td><span style="font-weight:400">February 22, 2016</span></td>
<td><span style="font-weight:400">February 25, 2016</span></td>
</tr>
<tr>
<td><a href="https://www.gci.com/" target="_blank"><span style="font-weight:400">General Communication Inc</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">February 24, 2016</span></td>
<td><span style="font-weight:400">March 4, 2016</span></td>
</tr>
<tr>
<td><a href="https://www.iiinfo.com/" target="_blank"><span style="font-weight:400">Information Innovators Inc</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">February 26, 2016</span></td>
<td><span style="font-weight:400">March 3, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.mansueto.com/" target="_blank"><span style="font-weight:400">Mansueto Ventures</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">February 26, 2016</span></td>
<td><span style="font-weight:400">March 4, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.affinion.com/" target="_blank"><span style="font-weight:400">Affinion Group</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">March 8, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.seagate.com/" target="_blank"><span style="font-weight:400">Seagate Technology</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">March 1, 2016</span></td>
<td><span style="font-weight:400">March 7, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.turnerconstruction.com/" target="_blank"><span style="font-weight:400">Turner Construction Company*</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">March 2, 2016</span></td>
<td><span style="font-weight:400">March 7, 2016</span></td>
</tr>
<tr>
<td><a href="http://www.endologix.com/" target="_blank"><span style="font-weight:400">Endologix Inc</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">March 3, 2016</span></td>
<td><span style="font-weight:400">March 9, 2016</span></td>
</tr>
<tr>
<td><a href="https://www.sevone.com/" target="_blank"><span style="font-weight:400">SevOne</span></a></td>
<td><span style="font-weight:400">Not Disclosed</span></td>
<td><span style="font-weight:400">March 7, 2016</span></td>
<td><span style="font-weight:400">March 9, 2016</span></td>
</tr>
</tbody>
</table>
<p><span style="font-weight:400">*Suspected due to the nature of the data taken and description of events, but not confirmed as spear-phishing.</span></p>
<p><span style="font-weight:400">At this time there is no public 
confirmation that these attacks were perpetrated by the same actor(s), but one
 tantalizing detail has come to light suggesting a similar strategy was 
used.</span><a href="http://www.registerstar.com/news/article_3a62bbbc-d1ff-11e5-a857-ebad3df66d41.html" target="_blank"> <span style="font-weight:400">Local reporting on the Hudson City School District attack</span></a><span style="font-weight:400">
 noted, “the scammer who sent the email used [District Superintendent 
Maria] Suttmeier’s photograph, email address and title” in the phishing 
email. Likewise, Information Innovators Inc. (aka Triple-i) disclosed in
 a statutory disclosure letter that “the criminal also adjusted the 
display name so that the Triple-I employee’s name and picture was in the
 “TO” field in the response.” We know from the IRS warning and several 
of the disclosures that the phishing emails sent in these attacks used a 
technique known as</span><a href="https://en.wikipedia.org/wiki/Email_spoofing" target="_blank"> <span style="font-weight:400">spoofing</span></a><span style="font-weight:400">,
 whereby the sender’s real email address is masked and a known 
individual’s email address appears in its place. Spoofing is a 
well-known technique, but in at least two of the reported incidents, the
 person(s) behind the attacks took the time to include relevant photos 
that would further the illusion of a trusted communication. That appears
 to demonstrate a level of planning above and beyond a typical spoofed 
spear-phishing attack.</span></p>
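<p><span style="font-weight:400">For mail administrators, the traits described above (a trusted display name, a familiar-looking sender address, and replies steered elsewhere) can be checked at the header level. The following is an added example, not part of the original report; the domain, staff directory, indicator names and sample messages are all constructed for illustration.</span></p>

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organisation's own domain, and a directory of staff whose
# names (and often photos) are published on its public website.
ORG_DOMAIN = "example.org"
STAFF = {"pat rivera": "pat.rivera@example.org"}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return the reasons a message looks like impersonation of a staff member."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    reasons = []
    # 1. A known person's display name on an address that is not theirs.
    known = STAFF.get(" ".join(name.lower().split()))
    if known and from_addr.lower() != known:
        reasons.append("display-name-mismatch")
    # 2. Replies are steered to a different domain than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("reply-to-diverted")
    # 3. Claims to come from our own domain but did not pass DMARC.
    if domain(from_addr) == ORG_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("internal-from-unauthenticated")
    return reasons

# Constructed sample messages (headers only, bodies omitted).
SPOOFED = ('From: "Pat Rivera" <pat.rivera@example.org>\n'
           'Reply-To: pat.rivera@mail-example.test\n'
           'Authentication-Results: mx.example.org; dmarc=fail\n'
           'Subject: W-2 copies needed today\n\n')
LOOKALIKE = ('From: "Pat  Rivera" <exec.office@freemail.test>\n'
             'Authentication-Results: mx.example.org; dmarc=pass\n'
             'Subject: W-2 copies needed today\n\n')
LEGIT = ('From: "Pat Rivera" <pat.rivera@example.org>\n'
         'Authentication-Results: mx.example.org; dmarc=pass\n'
         'Subject: Staff meeting\n\n')

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(label, spoof_indicators(raw))
```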
<p><span style="font-weight:400">These most recent attacks highlight 
the central role trust plays in security and how the culture of 
information sharing is being leveraged for data theft. Some 
organizations choose to publish staff photos and contact information in 
order to show there are real people standing behind their product or 
service. As these attacks show, that very same information is being used
 against organizations for the very same purpose of creating what 
appears to be a trusted communication. Teams tasked with employee 
awareness training should focus attention on how public information – 
whether it’s made available by the organization itself or culled from 
social networking sites like LinkedIn – is being used in targeted scams.</span></p>
<p><span style="font-weight:400">Only 10 weeks into 2016, our research shows there have <a href="https://cyberriskanalytics.com" target="_blank">already been over 535 data breaches disclosed and more than 175 million records compromised</a>. <a href="http://www.riskbasedsecurity.com/data-breach-quickview-report-2015-data-breach-trends/" target="_blank">2015 was a record-breaking year</a>
 with more than 4,027 incidents reported. If the current pace of breach 
activity continues, 2016 may turn out to be just as extraordinary as 
2015 and for all the wrong reasons.</span></p><br></div>