December 5, 2024

The most recent hack of a well known firm highlights that attackers are more and more discovering methods round multifactor authentication (MFA) schemes — so workers proceed to be an vital final line of protection.

On Jan. 9, Reddit notified its customers {that a} risk actor had efficiently satisfied an worker to click on on a hyperlink in an electronic mail despatched out as a part of a spearphishing assault, which led to “a web site that cloned the habits of our intranet gateway, in an try to steal credentials and second-factor tokens.” 

The compromise of the worker’s credentials allowed the attacker to sift by way of Reddit’s methods for a number of hours, accessing inner paperwork, dashboards, and code, Reddit stated in its advisory.

The corporate continues to research, however there is not any proof but that the attacker gained entry to consumer knowledge or manufacturing methods, Reddit CTO Chris Slowe (aka KeyserSosa) stated on a follow-up AMA.

“This can be very tough to show a detrimental, and likewise why, as talked about, we’re persevering with investigating,” he stated. “The burden of proof proper now helps that entry was restricted to outdoors of the principle manufacturing stack.”

Reddit is the most recent software program firm to fall prey to a social engineering assault that harvested staff’ credentials and led to a breach of delicate methods. In late January, Riot Video games, the maker of the favored League of Legends multiplayer sport, introduced it had suffered a compromise “through a social engineering assault,” with the risk actors stealing code and delaying the corporate’s skill to launch updates. 4 months earlier, attackers efficiently compromised and stole supply code from Take Two Interactive’s Rockstar Video games studio, the maker of the Grand Theft Auto franchise, utilizing compromised credentials.

The price of even minor breaches attributable to phishing assaults and credential theft continues to be excessive. In a survey of 1,350 IT professionals and IT safety managers, three-quarters (75%) stated that their firm had suffered a profitable electronic mail assault prior to now 12 months, in response to the “2023 Email Security Trends” report printed by Barracuda Networks, a supplier of software and knowledge safety. As well as, the common agency noticed its most costly such assault trigger greater than $1 million in damages and restoration prices.

Nonetheless, corporations really feel ready to take care of each phishing and spear-phishing, with solely 26% and 21% of respondents fearing they have been unprepared. That is an enchancment from the 47% and 36%, respectively, who anxious their corporations have been unprepared in 2019. Considerations over account takeover have turn out to be extra widespread although, the report discovered.

“[W]hile organizations might really feel higher geared up to stop phishing assaults, they don’t seem to be as ready to take care of account takeover, which is normally a by-product of a profitable phishing assault,” the report acknowledged. “Account takeover can also be an even bigger concern for organizations with the vast majority of their workers working remotely.”

Extra Proof That 2FA is Not Sufficient

To move off credential-based assaults, corporations are shifting to MFA, normally within the type of two-factor authentication (2FA), the place a one-time password is distributed through textual content or electronic mail. Reddit’s Slowe, for instance, confirmed that the corporate required 2FA. “Yup. It is required for all workers, each to be used on Reddit as effectively for all inner entry,” he said during the AMA.

However methods like MFA fatigue or “bombing” — as seen with final fall’s Uber assault — make getting round 2FA a easy numbers sport. In that state of affairs, the attackers ship out repeated focused phishing assaults to workers till somebody will get uninterested in the notifications and offers up their credentials and the one-time password token.

Shifting to the following degree past 2FA is beginning to occur. Suppliers of id and entry administration applied sciences, as an example, are including extra info round entry requests, such because the consumer’s location, so as to add context that can be utilized to assist decide whether or not entry must be authenticated, says Tonia Dudley, CISO at Cofense, a phishing safety agency.

“Risk actors will all the time search for methods to navigate across the technical controls we implement,” she says. “Organizations ought to nonetheless implement using MFA and proceed to tune the management to guard workers.”

Workers Are Key to Cyber Protection

Paradoxically, the Reddit hack additionally demonstrates the benefits that worker coaching can ship. The worker suspected one thing was incorrect after coming into credentials into the phishing web site, and shortly after contacted Reddit’s IT division. That diminished the attacker’s window of alternative and restricted the harm.

“It is time we cease wanting as workers as a weak point and as an alternative them because the energy they’re, or may be, for organizations,” Dudley says. “Organizations can solely tune the technical controls to this point … workers can supply that further context of, ‘this simply does not appear proper.'”

The worker on the middle of the Reddit breach is not going to face long-term, punitive motion, however did have all entry revoked till the issue was resolved, Reddit’s Slowe said within the follow-up AMA.

“The issue, as ever, is that it solely takes one particular person to fall for [a phish],” he said, including, “I am exceedingly grateful the worker, on this case, reported that it occurred after they realized it occurred.”