When the Syrian Electronic Army nailed a number of prominent media outlets earlier this year, we were pleased to see a number of open and honest responses from those that were breached, notably from The Onion and The Financial Times.
Last week, the SEA was at it again, successfully hacking content recommendation service Outbrain, an attack which provided a foothold to compromise media behemoths The Washington Post, Time, and CNN. The SEA attacked Outbrain with largely the same tactics it has used so successfully in the past few months, by eliciting log-in credentials through a phishing email, the same tactics PhishMe simulates in our data entry scenarios.
While Outbrain succumbed in similar fashion to the other victims of the SEA, its response was not nearly as encouraging. This quote was particularly troubling: “Outbrain’s system was compromised as a result of a simple phishing attack. Our system was not hacked, firewalls were not infiltrated and no personal or customer data was taken.”
We’re not quite sure how an organization can admit to being compromised in one sentence and then state it had not been hacked in the next. It’s also important to note that data-entry attacks like this one employ no malware, so any network and endpoint malware detection technologies Outbrain had in place could not have stopped this attack. Technical defenses are irrelevant if employees give attackers their login credentials.
Outbrain seems to think that being compromised by such a simple attack lessens the severity of the issue. Simple attack methods don’t mean the consequences of that attack won’t be severe, and it’s discouraging to see an organization try to brush off being compromised by a phishing attack.
This response is a bit of a 180 from what we usually see. As we discussed in March, many organizations try to emphasize the complexity and sophistication of the attacks that compromise their systems.
Perhaps no customer data was taken, but as the FT’s response detailed, the SEA isn’t interested in collecting customer data, rather it is interested in gaining access to Western media outlets and using their various platforms to broadcast its message. By using Outbrain to hack the websites of media outlets, the SEA got exactly what it wanted from its simple phishing attack. As long as adversaries can achieve their goals through phishing emails, why should they bother trying to penetrate a firewall?
To Outbrain’s credit, it mentions that it will institute staff training as a result of this breach. Hopefully this training will be immersive and simulate the same tactics adversaries like the SEA are using every day.
The fact that the SEA has continued to successfully hack organizations through data-entry phishing attacks –despite the notoriety the group has gained as well as the fact that outlets like The Onion and Financial Times have exposed the tactics the SEA uses – show that there is still a significant gap when it comes to employee awareness.
Attackers tend to see an effective method and replicate it. The SEA has now carried out a number of successful data entry attacks against high-profile targets. Who else is having success with these methods? Will we see an uptick in this type of attack?