HR Departments Part 2: Still Out Phishing?

March 17, 2016 By Risk Based Security

gonephishingOn March 7th, we reported on a warning issued by the IRS alerting HR and payroll processing departments to be on the lookout for phishing attempts targeting W-2 information. At the time our research identified twelve companies that had fallen for the scam. Now, just one week later, we can report on another twelve organizations that join the ranks of those impacted.

The list now includes:

Who How Many Impacted Date Occurred Date Reported
Hudson City School District Not Disclosed January 21, 2016 January 24, 2016
RightSide Group Not Disclosed Not Disclosed February 25, 2016
DataXu* Not Disclosed February 18, 2016 March 3, 2016
York Hospital* At least 1,211 February 22, 2016 February 25, 2016
General Communication Inc Not Disclosed February 24, 2016 March 4, 2016
Information Innovators Inc Not Disclosed February 26, 2016 March 3, 2016
Mansueto Ventures Not Disclosed February 26, 2016 March 4, 2016
Affinion Group Not Disclosed Not Disclosed March 8, 2016
Seagate Technology Not Disclosed March 1, 2016 March 7, 2016
Turner Construction Company* Not Disclosed March 2, 2016 March 7, 2016
Endologix Inc Not Disclosed March 3, 2016 March 9, 2016
SevOne Not Disclosed March 7, 2016 March 9, 2016

*Suspected due to the nature of the data taken and description of events, but not confirmed as spear-phishing.

At this time there is no public confirmation these attacks were perpetrated by the same actor(s) but one tantalizing detail has come to light suggesting a similar strategy was used. Local reporting on the Hudson City School District attack noted, “the scammer who sent the email used [District Superintendent Maria] Suttmeier’s photograph, email address and title” in the phishing email. Likewise, Information Innovators Inc. (aka Triple-i) disclosed in a statutory disclosure letter that “the criminal also adjusted the display name so that the Triple-I employee’s name and picture was in the “TO” field in the response.” We know from the IRS warning and several of the disclosures, the phishing mails sent in these attacks used a technique known as spoofing, whereby the sender’s real email address is masked and a known individual’s email address appears in its place. Spoofing is a well-known technique, but in at least two of the reported incidents, the person(s) behind the attacks took the time to include relevant photos that would further the illusion of a trusted communication. That appears to demonstrate a level of planning above and beyond a typical spoofed spear-phishing attack.

These most recent attacks highlight the central role trust plays in security and how the culture of information sharing is being leveraged for data theft. Some organizations choose publish staff photos and contact information in order to show there are real people standing behind their product or service. As these attacks show, that very same information is being used by against organizations for the very same purpose of creating what appears to be a trusted communication. Teams tasked with employee awareness training should focus attention on how public information - whether it’s made available by the organization itself or culled from social networking sites like LinkedIn - is being used in targeted scams.

Only 10 weeks into 2016 and our research shows there have already been over 535 data breaches disclosed and more than 175 million records compromised. 2015 was a record breaking year with more than 4,027 incidents reported. If the current pace of breach activity continues, 2016 may turn out to be just as extraordinary as 2015 and for all the wrong reasons.

Filed Under: Data Breaches, News

Subscribe to Email Updates