Stuart Gentle Publisher at Onrec

Spear-Phishing, News and Twitter Accounts: Why Corporate Credentials Must be Protected

The Daily Telegraph is the latest victim in a series of high-profile attacks against media organizations

The Daily Telegraph is the latest victim in a series of high-profile attacks against media organizations. The group behind these attacks, the ‘Syrian Electronic Army’ (SEA), has hijacked the Twitter accounts and online operations of several media organizations, including the Financial Times, The Guardian, Associated Press, Al Jazeera, the BBC, and even the satirical newspaper ‘The Onion’. Hijacking Twitter accounts gives the hacktivist group a new way to influence global agendas and censor the press. But the risk can be much higher: if, instead of targeting Twitter accounts, the attackers take over enterprise employee accounts and use them to reach critical enterprise systems, the impact on the organization can be devastating.

In fact, it was compromised enterprise user accounts that led to the takeover of The Onion’s Twitter account. A detailed explanation posted by The Onion’s tech team gives good insight into how the attack progressed: hacktivists at the SEA sent emails to some of The Onion’s employees. The messages included a link to what appeared to be a Washington Post story. However, the link led to a bogus Google URL that asked for Google Apps credentials before redirecting the user to the real Gmail login page. At least one employee entered their credentials, and by doing so exposed their Google login to the attackers. Using those credentials, the attackers logged in and sent the same phishing email on behalf of the compromised user. Because it now came from a trusted address, more employees clicked the link. Although most refrained from entering their credentials, two staff members did, and one of them had access to all of The Onion’s social media accounts.

After discovering that an account had been compromised, The Onion’s IT department sent a company-wide email asking employees to change their passwords immediately. Having seen this email, the attackers used a different compromised account to send a similar password-reset email that linked to a phishing site. This email was not sent to members of the tech or IT teams, so it went undetected. This final phishing round compromised an account that had access to The Onion’s Twitter account.

As this story demonstrates, the corporate credentials employees use to log in to critical corporate web systems, such as Google Apps and email, are valuable to attackers, and phishing schemes that harvest them pose a significant risk to the organization. It is therefore critical to protect employees’ enterprise credentials, especially those used to log in to web applications and online publishing systems, and to prevent employees from submitting those credentials to phishing sites.

User education is not enough

In their post, The Onion’s tech team’s first recommendation is to educate users not to click on suspicious links, even when they appear to come from a trusted source. But our experience shows that user education on its own is not enough: attackers use sophisticated schemes to manipulate users, and even the smartest, best-trained employees can be fooled. As the Onion incident shows, a single compromised employee account can be enough to enable a corporate breach with devastating results.

Trusteer Apex protects employee credentials from such phishing attacks by validating that employees submit their corporate credentials only to authorized enterprise web-application login URLs. If a user attempts to submit their enterprise credentials to an unauthorized URL, Trusteer Apex requires the user to provide different credentials instead. So even if a user is manipulated into visiting what looks like a legitimate site, such as a Google Apps login page that is actually a phishing site, Trusteer Apex will not let the corporate credentials be submitted.

Trusteer Apex also prevents corporate employees from re-using their corporate credentials on non-corporate, public applications such as PayPal, eBay, Facebook or Twitter. For such applications Trusteer Apex requires users to provide different credentials, which lowers the risk of the corporate credentials being exposed through a breach or phishing of a third-party site.
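The two controls described above, a login-URL allowlist for corporate credentials and a block on re-using that credential elsewhere, come down to one decision made at form-submission time. The following is an added, illustrative implementation of that decision in Python; it is not Trusteer Apex code and does not describe how Apex works internally. The allowlist, the per-device key and the sample corporate password are constructed for the example. The guard never stores the password itself, only a keyed fingerprint, and it compares the full submission origin (scheme, host, port) exactly, which is what defeats the lookalike hosts and userinfo tricks that phishing pages like the bogus Google login in the Onion attack rely on.

```python
"""Illustrative credential-submission guard (added example, not Trusteer code).

Policy: the corporate password may only be posted to an allowlisted login
origin. Posting it anywhere else, whether a phishing lookalike or a public
consumer site, is blocked so the user has to use a different credential.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed allowlist of authorized enterprise login origins.
# Exact (scheme, host, port) tuples: no suffix or wildcard matching, so
# "accounts.google.com.evil.example" never matches "accounts.google.com".
AUTHORIZED_LOGIN_ORIGINS = {
    ("https", "accounts.google.com", 443),
    ("https", "login.example-corp.com", 443),
}

# The guard holds only an HMAC fingerprint of the corporate password,
# keyed with a per-device secret. Both values are constructed for this example.
FINGERPRINT_KEY = b"per-device-secret-key"
DEFAULT_PORTS = {"https": 443, "http": 80}


def fingerprint(password: str) -> str:
    """Keyed fingerprint of a password; used so the plaintext is never stored."""
    return hmac.new(FINGERPRINT_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


CORPORATE_PASSWORD_FINGERPRINT = fingerprint("Correct-Horse-9!")  # constructed sample


def submission_origin(url: str):
    """Return the (scheme, host, port) a form actually posts to, or None if unparsable.

    urlsplit() separates userinfo from the host, so
    "https://accounts.google.com@evil.example/" resolves to host evil.example,
    and .hostname is already lowercased, so case tricks do not help either.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_authorized_login_url(url: str) -> bool:
    """True only if the submission origin is on the corporate allowlist."""
    return submission_origin(url) in AUTHORIZED_LOGIN_ORIGINS


def check_submission(url: str, password: str) -> str:
    """Decision for a password about to be submitted to url.

    "allow": not the corporate credential, or an authorized login URL.
    "block": the corporate credential is headed to an unauthorized URL
             (phishing lookalike, plain http, or a public site such as PayPal).
    """
    is_corporate = hmac.compare_digest(fingerprint(password), CORPORATE_PASSWORD_FINGERPRINT)
    if not is_corporate:
        return "allow"  # a personal credential is outside this policy
    if is_authorized_login_url(url):
        return "allow"
    return "block"


if __name__ == "__main__":
    # Constructed submissions: the real login, three phishing variants, and reuse on a public site.
    samples = [
        ("https://accounts.google.com/ServiceLogin", "Correct-Horse-9!"),
        ("https://accounts.google.com.evil.example/login", "Correct-Horse-9!"),
        ("https://accounts.google.com@evil.example/login", "Correct-Horse-9!"),
        ("http://accounts.google.com/ServiceLogin", "Correct-Horse-9!"),
        ("https://www.paypal.com/signin", "Correct-Horse-9!"),
        ("https://www.paypal.com/signin", "my-personal-paypal-pw"),
    ]
    for target, pw in samples:
        print(f"{check_submission(target, pw):5}  {target}")
```

In a real deployment the decision point would sit in a browser extension, endpoint agent or forward proxy that can see the form target before the request leaves the machine; the policy logic itself is the same. Note that the guard deliberately treats plain http and a non-default port as unauthorized even on the right host, since a downgraded or odd-port login page is exactly what a phishing relay would present.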