On March 7th, we reported on a warning issued by the IRS alerting HR and payroll processing departments to be on the lookout for phishing attempts targeting W-2 information. At the time our research identified twelve companies that had fallen for the scam. Now, just one week later, we can report on another twelve organizations that join the ranks of those impacted.
The list now includes:
|Who||How Many Impacted||Date Occurred||Date Reported|
|Hudson City School District||Not Disclosed||January 21, 2016||January 24, 2016|
|RightSide Group||Not Disclosed||Not Disclosed||February 25, 2016|
|DataXu*||Not Disclosed||February 18, 2016||March 3, 2016|
|York Hospital*||At least 1,211||February 22, 2016||February 25, 2016|
|General Communication Inc||Not Disclosed||February 24, 2016||March 4, 2016|
|Information Innovators Inc||Not Disclosed||February 26, 2016||March 3, 2016|
|Mansueto Ventures||Not Disclosed||February 26, 2016||March 4, 2016|
|Affinion Group||Not Disclosed||Not Disclosed||March 8, 2016|
|Seagate Technology||Not Disclosed||March 1, 2016||March 7, 2016|
|Turner Construction Company*||Not Disclosed||March 2, 2016||March 7, 2016|
|Endologix Inc||Not Disclosed||March 3, 2016||March 9, 2016|
|SevOne||Not Disclosed||March 7, 2016||March 9, 2016|
*Suspected due to the nature of the data taken and description of events, but not confirmed as spear-phishing.
At this time there is no public confirmation these attacks were perpetrated by the same actor(s) but one tantalizing detail has come to light suggesting a similar strategy was used. Local reporting on the Hudson City School District attack noted, “the scammer who sent the email used [District Superintendent Maria] Suttmeier’s photograph, email address and title” in the phishing email. Likewise, Information Innovators Inc. (aka Triple-i) disclosed in a statutory disclosure letter that “the criminal also adjusted the display name so that the Triple-I employee’s name and picture was in the “TO” field in the response.” We know from the IRS warning and several of the disclosures, the phishing mails sent in these attacks used a technique known as spoofing, whereby the sender’s real email address is masked and a known individual’s email address appears in its place. Spoofing is a well-known technique, but in at least two of the reported incidents, the person(s) behind the attacks took the time to include relevant photos that would further the illusion of a trusted communication. That appears to demonstrate a level of planning above and beyond a typical spoofed spear-phishing attack.
These most recent attacks highlight the central role trust plays in security and how the culture of information sharing is being leveraged for data theft. Some organizations choose publish staff photos and contact information in order to show there are real people standing behind their product or service. As these attacks show, that very same information is being used by against organizations for the very same purpose of creating what appears to be a trusted communication. Teams tasked with employee awareness training should focus attention on how public information - whether it’s made available by the organization itself or culled from social networking sites like LinkedIn - is being used in targeted scams.
Only 10 weeks into 2016 and our research shows there have already been over 535 data breaches disclosed and more than 175 million records compromised. 2015 was a record breaking year with more than 4,027 incidents reported. If the current pace of breach activity continues, 2016 may turn out to be just as extraordinary as 2015 and for all the wrong reasons.