Reddit Hacked In Phishing Attack Against Its Employee

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Feb 10, 2023 01:43 am PST

On Sunday night, the popular social platform Reddit was the victim of a cyberattack that gave hackers access to its internal business systems and the opportunity to obtain sensitive data and source code. The company says the attackers set up a website posing as Reddit’s intranet to lure employees into a phishing trap. This website attempted to steal employees’ login credentials and their two-factor authentication tokens.

After one employee was a victim of the phishing scam, the threat actor was able to access internal Reddit systems and steal data and source code. According to Reddit’s security incident report, “after successfully gaining a single employee’s credentials, the attacker obtained access to several internal documents, code, as well as some internal dashboards and business systems.”

Hackers Take Internal Documents And Source Code

Reddit stated: “We have no evidence that our primary production systems, which power Reddit and house the majority of our data, have been compromised.” According to Reddit, the company’s security team was notified of the breach after the employee self-reported the incident.

After investigating, Reddit says the stolen data included some internal documents and source code, as well as internal dashboards and business systems, both current and former. The data also included information about the company’s advertisers, but credit card details, passwords, and ad performance data were not accessed.

Additionally, Reddit says there are no signs that the threat actors breached the website’s production systems. Although Reddit has not provided details of the phishing attack itself, it noted that the method was similar to the one used to compromise Riot Games.

In that attack, threat actors broke into Riot Games and took the source code for the Teamfight Tactics (TFT) auto-battler, a legacy anti-cheat platform, and the League of Legends (LoL) multiplayer online battle arena game.

The game company then received a $10 million ransom demand in exchange for the data not being released, which it rejected. The hacker later tried to sell League of Legends’ source code for $10 million on a hacker forum.

Defending Yourself Against Phishing Scams

More and more sophisticated phishing schemes are being created, so it’s essential to be informed about how to avoid falling victim to these online assaults. Listed here are seven easy ways to spot and avoid phishing schemes.

1. Recognize the signs of being phished

Even though new phishing attack strategies are constantly being created, there are some consistent tells that can help you spot them. You can find plenty of information online about current phishing scams and how to recognize them. Your organization has a better chance of thwarting an attack if you regularly train your users on the latest security best practices and inform them of emerging threats.

2. Don’t go to that website

Even if you know the source of an email or instant message, it’s best to exercise caution before clicking on a link in the message. Doing little more than hovering over the link to verify its target is a good start. Some phishing attacks are pretty complex, with a destination URL that looks identical to the real one but is actually set up to steal login credentials or financial data. In some cases, you may find it more efficient to use your preferred search engine to reach the destination page directly.

3. Get free anti-phishing plugins

These days, most browsers let you install add-ons that can identify fraudulent websites and warn you when you visit a known phishing site. Since they are usually free, there’s no excuse for not having them on your company’s computers.

4. Never provide personal information on an unprotected website

Do not enter personal information or download files from a website if the address bar does not begin with “https” or if the padlock icon next to the address bar does not appear closed. Even though sites lacking a valid security certificate are not necessarily malicious, it’s best to remain cautious just in case.

5. Change your passwords regularly

Changing your passwords on your online accounts on a regular basis will help keep an attacker from having unrestricted access to your data. If you suspect that your accounts have been compromised, changing your passwords regularly is a simple yet effective way to thwart further intrusion attempts and keep out would-be hackers.

6. Don’t ignore updates

It’s easy to grow annoyed by the constant stream of update notifications and start ignoring them. Avoid doing that. The primary purpose of security patches and updates is to close security holes that hackers are actively exploiting. Keeping your browser up to date is important for protecting yourself from phishing attacks and other threats that a bit of routine maintenance would have prevented.

7. Resist the urge to click on those intrusive ads

Pop-ups aren’t only annoying; as part of a phishing effort, they can also spread malware. Ad-blocking software is available for free on most modern browsers and can effectively eliminate potentially dangerous pop-ups. Even if an ad gets past your ad blocker, don’t be persuaded to click on it. The “Close” button may be hidden in some pop-ups; if you can’t find it, try the “x” in one of the corners.
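Tips 2 and 4 above describe what a person does by hand: hover over a link to compare where it says it goes with where it actually goes, and check that the destination uses https. The same checks can be automated over the links in an inbound message. The following is an added example, not code from the article or from Reddit; the trusted-domain list and the sample e-mail are constructed for illustration. It flags links whose visible text names a different host than the href, links that use plain http, hosts written in punycode (a way of encoding look-alike characters), and untrusted hosts that embed a trusted brand name.

```python
"""Flag suspicious links in an HTML e-mail: mismatched link text, plain http,
punycode hosts and look-alikes of trusted domains (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the organisation genuinely uses (constructed list).
TRUSTED_DOMAINS = {"reddit.com", "example-corp.com"}


def _host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def _is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _looks_like_trusted(host: str) -> bool:
    """True if a trusted brand name appears inside an untrusted host,
    e.g. 'reddit.com.sso-verify.example'."""
    return any(d.split(".")[0] in host for d in TRUSTED_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons a single link looks like phishing ([] if none)."""
    reasons = []
    url = urlsplit(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme == "http":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    # If the visible text itself looks like a URL or host name, the host it
    # shows must be the host the link really points at (the "hover" check).
    shown = text.strip()
    if shown and " " not in shown and "." in shown:
        shown_host = _host_of(shown if "://" in shown else "https://" + shown)
        if shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host} but link goes to {host}")
    if host and not _is_trusted(host) and _looks_like_trusted(host):
        reasons.append("look-alike of a trusted domain")
    return reasons


def scan_email(html: str) -> dict:
    """Map each suspicious href in the message to its list of reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: one genuine intranet link, one look-alike whose
# text and target disagree, one punycode host, one genuine corporate link.
SAMPLE_EMAIL = """
<p>Your intranet session has expired. Please sign in again:</p>
<a href="https://intranet.reddit.com/login">https://intranet.reddit.com/login</a><br>
<a href="http://reddit.com.sso-verify.example/login">https://intranet.reddit.com/login</a><br>
<a href="https://xn--rddit-6qa.com/login">Sign in</a><br>
<a href="https://docs.example-corp.com/policy">our security policy</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The look-alike heuristic is deliberately simple (a trusted brand name inside a host that is not that domain); in a mail gateway it would sit alongside the browser-side protections from tip 3 rather than replace them.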

Conclusion

The social news website Reddit was hacked on Sunday night, giving criminals access to its internal business infrastructure and the ability to steal confidential information and source code. The company says the hackers tricked Reddit employees into a phishing trap with a site posing as its intranet portal, which attempted to steal both employee login credentials and two-factor authentication tokens. After one employee fell for the phishing scam, the threat actor was able to access internal Reddit systems and collect data and source code.

3 Expert Comments
Julia O’Toole, Founder and CEO
February 13, 2023 10:58 am

“Phishing is without a doubt the most active cybersecurity threat today. According to various industry reports, anywhere from 60-90% of all cyberattacks begin with a phishing email. In this case, an employee was targeted with a phishing email and then directed to a fake domain where they then entered their Reddit user credentials and MFA.

Instances like this happen all the time, and with the use of tools like ChatGPT, phishing emails are becoming increasingly sophisticated, making it even more challenging for individuals and organisations to detect and defend against them.

The reason they are so effective is because people can’t cope with those skilled and morphing attacks. The only real way to counter this threat is by removing the knowledge of credentials from employees. To achieve this, one of the best solutions is to treat credentials like the most sensitive data and encrypt them. Using encrypted passwords, employees do not know them, which prevents them being stolen, sold or phished, and also gives organisations back control of their network access and data.

Furthermore, because people don’t need to know any passwords, organisations can segment their network access by using a different encrypted password for each system. This also means criminals can’t travel across networks, which prevents lateral movement, privilege escalation, whole network takeover and puts an end to ransomware.”

Jake Moore, Global Cyber Security Advisor
February 13, 2023 10:56 am

“Threat actors have once again been able to hack company information by simply using a clever phishing email and website to lure an employee into divulging sensitive credentials. It emphasises the sheer importance of making employees wholly aware of the persistent attempts from criminal groups and the potential outcome when data is accessed. Even with two-factor authentication in place with the use of security keys or authenticator apps, criminal hackers are on hand to attack in the given short time frame of opportunity when the chance arises. Not only is staff training key in mitigating the problem, it is also an essential reminder to only give access to important files to those who absolutely need them.”

Matt Aldridge, Principal Solutions Architect
February 13, 2023 10:55 am

“Another day, another cyber-attack caused by a common attack vector: a phishing campaign targeted at employees. Cybercriminals are continuing to have great success with this method of breaching corporate networks – and organisations are now playing catch-up to protect against these threats.

To ensure preparedness, businesses need to ensure they have real-time anti-phishing integrated into any security solutions that they install on employee endpoint devices. Hackers make money from successful phishing attacks and are therefore constantly changing their techniques and tactics to ensure the highest rate of return. Powerful threat intelligence technology that uses machine learning to identify the latest threats can help massively when it comes to protecting against these ever-evolving scams.

It’s also crucial to ensure staff are properly trained to identify threats. There’s no use investing in sophisticated cybersecurity software and services if employees continue to click on dangerous phishing links that slip through the net, in turn granting cybercriminals access to the business network. It’s like turning on a fancy home security alarm, but leaving a window open – you’ll be left playing catch-up after the bad guys get in. Cybersecurity training providers are now working continuously to adjust the content in their courses and simulations to reflect the latest threat landscape – and businesses need to ensure they’re rolling out a comprehensive and consistent education programme as well as the latest anti-phishing technology. Only then will they be able to truly improve employee vigilance and stand the best chance of defending the network.”
