The Resurgence of Data-Entry Phishing Attacks

‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere, and possibly responsible for other high-profile breaches.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.

Syrian Electronic Army continues to carry out successful data-entry phishing attacks

When the Syrian Electronic Army nailed a number of prominent media outlets earlier this year, we were pleased to see a number of open and honest responses from those that were breached, notably from The Onion and The Financial Times.

Last week, the SEA was at it again, successfully hacking content recommendation service Outbrain, an attack which provided a foothold to compromise media behemoths The Washington Post, Time, and CNN. The SEA attacked Outbrain with largely the same tactics it has used so successfully in the past few months, by eliciting log-in credentials through a phishing email, the same tactics PhishMe simulates in our data entry scenarios.

2-factor authentication wouldn’t have prevented AP Twitter hack

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).