Late last week, executives at Seagate informed employees that their tax information had been compromised as the result of a targeted phishing attack on an unlucky employee. The employee believed the information had been requested by Seagate CEO Stephen Luczo, and turned over all of 2015’s W-2 data for former and current employees.
According to Seagate’s Eric DeRitis:
On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former US-based employees was sent to an unauthorized third party in response to the phishing e-mail scam. The information was sent by an employee who believed the phishing e-mail was a legitimate internal company request.
Phishing is a simple social engineering hack that tricks an employee into downloading malware, or in this case providing access to sensitive data. Hackers use spoofed email addresses and often identical (or near identical) design elements to trick employees into believing the sender is legitimate. Once this baseline trust is established, the employee then unknowingly downloads and installs malware that provides a backdoor into secure IT infrastructure.
Or, as in this case, the hacker simply asks for the information. At Seagate, that is exactly what happened, and it worked.
In the first quarter of 2015, popular antivirus software developer Kaspersky reported that its built-in anti-phishing system recorded over 50 million phishing attempts. As large as that number is, remember that Kaspersky is only one of many antivirus options.
Last week, a nearly identical attack took place on a Snapchat employee. Much like the Seagate attack, the hackers simply had to ask for the information. This attack appears to have been even less sophisticated: the request, which the employee believed came from Snapchat CEO Evan Spiegel, was sent from an external email address.
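Both incidents share the same tell: a message whose display name matches an executive but whose sending address, or reply address, belongs to an outside domain, combined with a request for payroll or tax data. The following script is an added example written for this article, not code from Seagate, Snapchat or Kaspersky. It shows the kind of mail-gateway check a security team could run to hold such messages for review. The company domain (example.com), the executive names and the three sample messages are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumed values for illustration; a real deployment would load these from config.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "jane q. doe"}          # normalized, lower-case names
SENSITIVE_TERMS = ("w-2", "w2", "tax form", "payroll", "wire transfer")


def _normalize(name):
    """Collapse whitespace and lower-case a display name for comparison."""
    return re.sub(r"\s+", " ", name.strip().lower())


def _domain(addr):
    """Return the domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate all text/plain parts of a message, lower-cased."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks).lower()


def analyze_message(raw):
    """Return the list of impersonation indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    # Executive's name in the display field, but the address is not ours.
    if _normalize(display) in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        findings.append("exec-display-name-external-address")

    # Replies would go somewhere other than where the mail claims to come from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # The body asks for the kind of data that was lost in the Seagate case.
    if any(term in _body_text(msg) for term in SENSITIVE_TERMS):
        findings.append("sensitive-data-request")

    return findings


def should_hold(findings):
    """Hold for human review on executive impersonation or two or more indicators."""
    return "exec-display-name-external-address" in findings or len(findings) >= 2


# Constructed sample messages (not real mail from either incident).
SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe.ceo@mail-example.net>
To: payroll@example.com
Subject: Urgent: employee W-2s
Content-Type: text/plain

Please send me the 2015 W-2 forms for all employees as a PDF today.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Board deck
Content-Type: text/plain

Attached is the deck for Thursday's board meeting.
"""

SAMPLE_REPLY_TO = """From: HR <hr@example.com>
Reply-To: hr-desk@other.example
To: finance@example.com
Subject: Payroll file
Content-Type: text/plain

Please reply with the updated payroll file.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE),
                          ("legit", SAMPLE_LEGIT),
                          ("reply-to", SAMPLE_REPLY_TO)):
        found = analyze_message(sample)
        print(f"{label}: {found} -> hold={should_hold(found)}")
```

The check deliberately stays on header and keyword features that a gateway already has; it does not replace user training, but it would have caught a message carrying the CEO's name from a free-mail domain, which is the pattern described in both incidents.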
While we continue to fear sophisticated hackers capable of wreaking real havoc on corporations, infrastructure and government organizations, it’s the so-called ‘script kiddies’ that are making waves through use of open source ransomware, social engineering hacks and targeted phishing campaigns on huge companies.
To put this into perspective, corporations spent a combined $75.4 billion on IT security in 2015 to counter the hacking elite, only to be thwarted by a free email account and a cell phone.
In 2016, even hacking is becoming commoditized.