Last Friday, Reddit, the popular social news and discussion platform, revealed that it had been the victim of a phishing attack and that its systems had been breached. Reddit confirmed that the attackers had gained access to its internal dashboards and business systems.
Reddit states that no user passwords or accounts were accessed, but it is urging users to enable two-factor authentication (2FA) on their accounts. Investigations are still ongoing. Security experts from the Synopsys Software Integrity Group weigh in on the incident; their full comments are below.
Jamie Boote, Associate Principal Consultant
The real problem here is the same as it has been in past incidents like this: people. This was a phishing attack meant to fool a person into letting the attacker in, and it worked. Because a person was compromised, their credentials were used to gather information that could be used to further exploit other people employed by Reddit.
This information included employee contact data and some advertising data, which could be used to launch additional phishing attacks against Reddit and its advertising partners.
The good news is that the breach appeared to be limited to office systems and didn’t reach the production systems that host the website itself, user data, or other data. This is likely because they limited access to the production data from non-IT employees in an attempt to compartmentalise operations, which would limit the impact of a breach.
In today’s networking environments, software and hardware are no longer the least secure component of the system – people are. When designing information technology (IT) systems, applications, and devices, it should be assumed that a user will fall for a phishing scam, download the wrong application, or otherwise fail to act in a perfectly secure way.
By taking this into account, defence in depth can limit the impact of a breach. For example, if a user’s credentials are compromised, then identity and access management (IAM) controls can limit what data those credentials will unlock.
If a user’s computer is compromised, network segmentation and intrusion detection systems can limit how far that system can be used to further compromise the network. If a user doesn’t need access to important data, remove that access. If one assumes that people will eventually be fooled, they will never be disappointed.
Boris Cipot, Senior Security Engineer
If you think this cannot happen to you, think again. Phishing attempts are happening every day. Scamming people into giving up their private data happens in different forms. The most common form we have seen is email; we have also seen messaging scams via SMS and WhatsApp messages and now even Instagram and Facebook postings.
Every popular form of communication is abused. The key word is “popular”, as this is also where these scams can reach the most targets. There are also targeted attacks, as one could imagine to be the case at Reddit. Targeted phishing emails are not just a theme in Hollywood blockbusters but a real-life thing happening to private and business users.
In the past, it was possible to recognise a phishing attack by looking for many signs: sloppy text and graphics, no salutation by name but a generic “Dear Mr. or Mrs.”, and so on. Today, however, those communications are becoming a lot better, copying graphic elements from the official company communications and using the same text. What has changed are the links, which lead us to malicious servers, and the attachments, which carry sophisticated malware.
The best way to avoid scams like these is to be careful about what you receive. Do not open attachments. If you doubt the source, do not take the action requested in the message. Do not click on the link to track your package. Rather, open the browser and enter the parcel company’s or bank’s URL manually. Also bear this in mind: a bank or any serious company will never ask you for private information of any kind in an email.
If you are in doubt, pick up the phone, call them, and ask if it is really them sending the message. Do not use the contact details in the email for this, as they can also be false.
As you see, the problem is real. Many people get scammed, and this is not shameful. It is a moment of distraction, and you did something that you should not have. Many people have lost their lifelong savings because of this, and many companies their reputation.
For companies, the advice is to rethink their security posture. Are you checking emails, and the links and attachments in them? Are you educating your employees on the tricks? It is important to make sure that protection against phishing and other scamming techniques is in place. Do not forget social engineering either, as it is often part of the main attack vector.
As for 2FA, many say that SMS is not meant to be used for security. This is true, and many services already depend on authenticator apps from Google or Microsoft, or even have their own, to provide the necessary additional security. However, SMS verification is still better than a pure username and password combination.
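An added example (not code from the article, from Synopsys, or from either commentator) of the specific tell Boris Cipot describes above: links whose visible text looks legitimate while the href goes somewhere else. The sample email HTML and every domain in it are constructed for this example; the three heuristics (raw-IP host, mismatch between the displayed domain and the real one, non-https link) are this example's own choices, and the registered-domain split is deliberately naive and does not handle suffixes such as co.uk.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; the domains are illustrative only.
SAMPLE_EMAIL_HTML = """
<p>Your parcel is waiting. Track it here:</p>
<a href="http://192.0.2.10/track">https://www.example-parcel.com/track</a>
<p>Or sign in at
<a href="https://login.example-parcel.com.example.net/">login.example-parcel.com</a></p>
<p>Unsubscribe:
<a href="https://www.example-parcel.com/unsubscribe">https://www.example-parcel.com/unsubscribe</a></p>
"""

# Visible anchor text that itself looks like a URL or bare domain: this is what the
# reader trusts, so it must agree with where the href really goes.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_domain: str) -> str:
    """Hostname of a URL, or of a bare domain such as 'login.example.com'."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def _registered_domain(host: str) -> str:
    """Naive 'last two labels' split; a real checker should use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html: str):
    """Return [(href, visible_text, [reasons])] for links a user should not click."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("href points at a raw IP address instead of a domain")
        except ValueError:
            pass
        if DOMAIN_LIKE.match(text) and _registered_domain(_host(text)) != _registered_domain(host):
            reasons.append(f"visible text shows {_host(text)} but href goes to {host}")
        if urlparse(href if "://" in href else "http://" + href).scheme != "https":
            reasons.append("link is not https")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed message, the first two links are flagged (the tracking link for all three reasons, the sign-in link because `example-parcel.com` is only a subdomain label of the real `example.net` host) and the genuine unsubscribe link passes. This is a mail-gateway or user-education aid, not a substitute for the advice above to type the company's URL into the browser yourself.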