Reddit has been the victim of a security incident. The protection measures of the platform, valued at around 10 billion dollars, were not enough to stop a phishing attack, and the company is now dealing with the consequences: unauthorized access to its internal systems and the theft of documents, source code and business data.
Seen from that angle, and without any context, the news might be alarming. But the truth is that companies are increasingly exposed to cybercriminals, and employees tend to be the 'Achilles heel' of security departments, even at companies with million-dollar budgets.
Phishing beyond Reddit
The Reddit attackers used the same techniques seen in most phishing campaigns, only tailored to the company to raise the success rate. Specifically, according to the company's official account, several employees received a fake email containing "plausible" prompts directing them to the intranet.
We don't know the content of the message, but malicious actors often resort to bogus requests from bosses or superiors that supposedly must be handled as soon as possible. In any case, one employee took the bait (phishing takes its name from fishing, after all) and ended up handing over their access credentials.
The link in the email did not lead to a legitimate destination but to a page that cloned the behavior of the gateway used on Reddit's internal network. Without realizing they were being deceived, the employee entered their username, password and two-factor authentication (2FA) code, all of which were received by the attackers. A one-time code is only valid for a short window, so this only works because the attackers use it immediately, typically by relaying everything the victim types to the real login page as it is typed.
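To make the mechanism concrete, here is an added example (not code from the article or from Reddit) that simulates the flow just described: a cloned page captures username, password and a time-based one-time code, and replays them to the real service within the code's validity window. It goes one step beyond the text by also modelling, in simplified form, an origin-bound factor in the WebAuthn/FIDO2 style, where the signed response embeds the site origin the browser actually visited, so a relay from a look-alike domain fails. The secret, password, user name, domains and timestamps are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# ---- RFC 6238 TOTP, computed the same way by the phone app and the real server ----
def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    counter = int(t // step)                       # 30-second time step
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

SECRET = b"constructed-demo-seed"                            # constructed TOTP seed
PASSWORD_HASH = hashlib.sha256(b"hunter2").hexdigest()      # constructed password

def real_server_login(username: str, password: str, code: str, now: float) -> bool:
    """The legitimate service: checks the password, then accepts the code for the
    current step or the previous one (a common clock-skew tolerance)."""
    if username != "alice":
        return False
    if hashlib.sha256(password.encode()).hexdigest() != PASSWORD_HASH:
        return False
    return code in {totp(SECRET, now), totp(SECRET, now - 30)}

def relay_phish(captured, now: float, delay_seconds: float) -> bool:
    """The cloned page: whatever the victim typed is replayed to the real server
    after `delay_seconds`. A live relay keeps this delay near zero."""
    username, password, code = captured
    return real_server_login(username, password, code, now + delay_seconds)

def scenario_totp(delay_seconds: float) -> bool:
    """Victim reads the current code from their phone and types it into the clone."""
    now = 1_700_000_000                       # constructed timestamp
    code = totp(SECRET, now)
    return relay_phish(("alice", "hunter2", code), now, delay_seconds)

# ---- origin-bound factor (simplified model of a WebAuthn assertion) ----
def sign_assertion(key: bytes, challenge: bytes, origin: str) -> str:
    # The authenticator signs the server's challenge together with the origin
    # the browser reports, so the signature is tied to the site actually visited.
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()

def verify_assertion(key: bytes, challenge: bytes, expected_origin: str, assertion: str) -> bool:
    expected = sign_assertion(key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)

def scenario_origin_bound(origin_the_victim_is_on: str) -> bool:
    """The attacker relays the challenge to the victim and the assertion back;
    the real server only accepts assertions bound to its own origin."""
    key = b"constructed-authenticator-key"
    challenge = b"constructed-nonce-from-real-server"
    assertion = sign_assertion(key, challenge, origin_the_victim_is_on)
    return verify_assertion(key, challenge, "https://intranet.example.com", assertion)

if __name__ == "__main__":
    print("TOTP relayed in 5 s accepted:", scenario_totp(5))
    print("TOTP relayed after 90 s accepted:", scenario_totp(90))
    print("Origin-bound, real site:", scenario_origin_bound("https://intranet.example.com"))
    print("Origin-bound, clone site:", scenario_origin_bound("https://intranet-example.com"))
```

The point of the two halves is the difference in what the second factor proves: a TOTP code proves the user had the phone, but says nothing about which site they typed it into, so a prompt relay wins; an origin-bound assertion fails on the clone even though the victim did everything the page asked.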
With the credentials in hand, the people behind this illegal operation entered the platform's systems and accessed internal information such as documents, source code, and business and staff data. As for the latter, "limited" contact details of current and former advertisers and employees were exposed.
The company's security department had not noticed anything strange, which is precisely what this type of attack is designed for. It was the employee who reported having been phished, which allowed containment measures to be taken, such as revoking the stolen credentials.
Reddit states that its users' passwords and accounts were not affected. Even so, it recommends that people using the platform enable two-factor authentication, change their passwords every couple of months, and use password managers (though these are not infallible either: see LastPass).
But, as we said above, this is a good opportunity to put the attack in context. Last week the victim was a Reddit employee, but it could just as easily be anyone else, any of us. Security firm Tessian claims that employees receive an average of 14 phishing emails a year.
Certainly not all of them are targeted attacks, and many will ultimately fail. However, the techniques have been refined, and everything suggests they will keep improving. The reason is simple: effective attacks mean money in the attackers' pockets. According to IBM, in 2022 a breach that began with phishing cost the affected company an average of 4.91 million dollars.
The basic cybersecurity rules almost all of us know tell us to look at the sender of an email to judge whether it is suspicious, and to check that the address bar shows HTTPS, which only means the connection is encrypted, and the URL itself. Those checks are no longer sufficient because of the newer methods now in play.
Tweet by Adrien (@adrien_jeanneau), April 29, 2019: "The inception bar: a new phishing method" https://t.co/FQtrn8aUI7 pic.twitter.com/omWrPjyS4Y
Some attackers send from stolen email accounts, so the origin of the message can look entirely legitimate. And as if that weren't enough, phishing landing pages are routinely served over HTTPS, with a valid certificate for the attacker's own domain, and can display legitimate-looking URLs using HTML and CSS tricks, as researcher James Fisher showed with the "inception bar": on a mobile browser, once the real address bar scrolls out of view, the page draws a fake one showing whatever address the attacker chooses.
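Since the eye can no longer be trusted with sender addresses, padlocks and address bars, the practical answer is to check links mechanically. The following is an added example, not code from the article or from any of the parties it mentions: it parses a constructed phishing-style email, pulls every link out of the HTML body, and flags links whose visible text shows one site while the href points at another, hosts outside an allow-list of the company's own domains, punycode (xn--) hosts that render as look-alike Unicode names, and a Reply-To on a different domain from the From. The email, domains and allow-list are all constructed for the demo; HTTPS is deliberately not treated as a signal.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"example.com"}   # the company's own domains (constructed)

# Constructed sample message: the From looks right, the Reply-To and links do not.
RAW_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk@example-support.net
To: alice@example.com
Subject: Action required: intranet password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please sign in within 24 hours to keep your access:</p>
<a href="https://intranet.example.com.login-portal.net/sso">https://intranet.example.com/sso</a>
<a href="https://xn--exmple-cua.com/sso">Open the intranet</a>
<a href="https://intranet.example.com/help">Help center</a>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host: str) -> str:
    """Crude 'last two labels' heuristic, a constructed simplification that does
    not handle multi-part public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def analyse(raw: str):
    """Return a list of (finding, evidence) tuples for the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = parseaddr(str(msg["From"]))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable(reply_to.split("@")[-1]) != registrable(sender.split("@")[-1]):
        findings.append(("reply-to-mismatch", reply_to))

    body = msg.get_body(preferencelist=("html",)).get_content()
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        host = host_of(href)
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-host", href))       # IDN look-alike
        if text.startswith("http") and host_of(text) != host:
            findings.append(("text-href-mismatch", href))  # shown URL != real URL
        if registrable(host) not in LEGIT_DOMAINS:
            findings.append(("off-domain", href))          # outside the allow-list
    return findings

if __name__ == "__main__":
    for kind, evidence in analyse(RAW_EMAIL):
        print(f"{kind:20s} {evidence}")
```

Note that the first link starts with the genuine hostname: `intranet.example.com.login-portal.net` belongs to `login-portal.net`, which is why the check compares the registrable domain rather than looking for the company name anywhere in the host.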
Leaving the corporate world aside, it is worth pointing out that phishing and its variants are a threat to every kind of user. Vishing, which follows the mechanics of phishing but over a phone call, is behind the well-known "double call" scam that the OCU and the Guardia Civil have warned about. In short, we have to be more vigilant than ever to avoid taking the bait.
Images: Reddit | Clint Patterson | Genbeta