
Snapchat Loses Employee Data Due to Phishing

By ISBuzz Team | March 2, 2016 | Updated: July 4, 2024

By impersonating the CEO of Snapchat in a phishing attack, hackers have revealed sensitive payroll information about a number of Snapchat employees. According to a Snapchat blog post, “the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally.” Security experts from Digital Guardian, Barracuda Networks, Lieberman Software, Tripwire and Proofpoint have the following comments on it.

Kevin Epstein, VP of Threat Operations at Proofpoint:

“Snapchat’s phishing attack should serve as yet another reminder to organizations and employees that people remain the weakest link in security. Phishing attacks have become so sophisticated that they entice even the most-senior executives to click on a link in email or reply with requested sensitive information, without verbally confirming confidential information directives before sending. Our recent Human Factor cybercrime report documented that cybercriminals have found it more successful to prey on human behavior rather than utilize sophisticated technical exploits. People are being used as a key part of criminal attacks; any defense must assume natural human behavior will occur, and compensate accordingly.”

Tim Erlin, Director of Security and Product Management at Tripwire:

“Criminals continue to use phishing because it works.

While training employees can definitely help, phishing tactics evolve continuously to beat the training.

Without knowing what data was compromised, it’s difficult to assess how it will be used. Given the targeted nature of the attack, there should be little doubt that the attackers have a plan to monetize the data they accessed.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“The unfortunate truth is that a phishing email helping a bad guy grab sensitive data is an everyday occurrence and we’re only seeing so many headlines about it because of the name Snapchat being connected. If this was a trucking company in western Pennsylvania we wouldn’t even know it happened. The damage to the employees would be every bit as real, though.

The fact that Snapchat got snagged with this shows that being young, cool, and high tech doesn’t protect you from being a phishing target. Bad guys are getting so good at phishing that they aren’t just fooling that older relative who calls a grandchild every time they need to print something. Even people born into the Internet, apps, and the cloud are clicking on bad links. That’s very good news for attackers in case they were worried that millennials would put them out of the phishing business with their tech savviness.”

Luke Brown, VP and GM EMEA, India and Latam at Digital Guardian:

“For hackers, it’s often the simplest method of attack that becomes the most successful. By impersonating a high-profile figure in the company, attackers have bypassed any security measures Snapchat had in place, and gained access to sensitive payroll information of a number of employees.

“For organisations affected by phishing attacks, raising user awareness is the most effective way to lower the risk of any further breaches, and it’s not just up to the IT department. It is the responsibility of every business leader from the CEO to the HR and legal department to train employees, teaching them to look out for suspicious emails and understand the importance of data protection.

“For more advanced attacks, by deploying prompts that warn users when a program attempts to download a file from the Internet or write a file to disk, organisations can prevent such activities from happening in the background without users being aware. This will also train users to recognise and report attacks in progress.”

Wieland Alge, VP & GM EMEA at Barracuda Networks:

“In today’s digital age, data breaches that result from targeted email phishing have become increasingly common. Typically, these messages appear to come from a trustworthy source, so initially those that have been the target of an attack don’t even realise they’ve fallen victim. Some of the most successful phishing attacks are those that successfully impersonate a person, particularly if that person is well-known to the recipient. While the Snapchat payroll team probably don’t have a daily correspondence with Snapchat’s CEO, they clearly know who and how important he is – hence why they fell for the scam.

“In this case, the hackers took advantage of one of the easiest channels for business phishing attacks – HR departments. HR and payroll are flooded with emails containing all types of attachments and they are encouraged and even obliged to open them. IT security teams must implement countermeasures against targeted attacks against this channel. At the end of the day, all businesses have a duty of care to ensure that they have robust security systems in place to protect their own and their customers’ data. If they fail to do so, they are rolling the dice when it comes to their reputation and ultimately, their long-term survival.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
