Multiple organizations report Phishing attacks targeting employee data

Within the last few weeks, four organizations have confirmed Phishing attacks targeting employee data. In three of those cases the attacks were successful, leading to breach notifications. One of the targeted firms was a security company, and luckily the attack failed.

Spear Phishing is a targeted Phishing attack, but one variant of a Spear Phishing attack has spiked in popularity over the last year or so. It’s called BEC, or Business Email Compromise. It’s a Phishing attack that targets businesses, and uses corporate email as the attack path.

BEC attacks are personal, rarely automated, and when messages are exchanged it’s the attacker talking on the other side. If done right, the victim will never know something’s wrong until it’s too late.

The attacker spoofs the look of a legit company email (including email address, Outlook images, etc.) and impersonates someone in a position of power. The leverage is fear, because most employees don’t want to deny a request form the CEO. Sometimes, a key email account is compromised directly and used to stage a BEC attack.

BEC attacks aren’t rushed, and thanks to social media and basic website design, most attackers can get the profiling data needed just by casually browsing LinkedIn and the corporate website.

In a report set for release tomorrow, PhishLabs said the number of organizations targeted with BEC attacks grew tremendously in 2015 as attackers refined their techniques and sought new victims. In all, 22 percent of Spear Phishing attacks the company analyzed in 2015 were motivated by financial fraud or related crimes.

“BEC attacks target smaller more nimble organizations, where exceptions to standard accounting processes are more likely to be made based on personal requests from members of the executive team. Analysis of attack indicators shows that in most cases, targeting requires very little effort. BEC attackers appear to glean the information they need from readily-available public sources and business networking sites,” the report explains.

There have been four public disclosures of BEC attacks in the last few weeks, and only one of them was a failure. In each case, the attacker was targeting employee data, and the presumption is that the compromised records are part of a larger scheme to commit tax fraud.

The first confirmed attack is Magnolia Health Corporation in California.

As reported earlier this morning on Salted Hash:

On February 3, 2016 someone impersonated Magnolia’s CEO (Kenny Moyle) by sending a spoofed email. The email appeared to have the proper address, naming scheme, and by all accounts looked legitimate.

The forged email requested personal information for all active employees of Magnolia and each of the facilities managed by them, including Twin Oaks Assisted Living, Inc., Twin Oaks Rehabilitation And Nursing Center, Inc., Porterville Convalescent, Inc., Kaweah Manor, Inc. and Merritt Manor, Inc.

The Phishing attack was successful, and the attacker walked away with an Excel spreadsheet containing employee number, full name, address (city, state, zip) sex, date of birth, Social Security Number, hire date, seniority date, salary/hourly status, salary/rate, department, job title, last date paid, and assigned facility. The attack wasn’t discovered until February 10.

The second attack also happened on February 3. BrightView, a company formed after Brickman Group and ValleyCrest Companies merged their landscaping businesses in 2014, issued breach notifications employees in California.

The notice reported that a Phishing email led to the compromise of full names, job title and division, employee ID, hourly rate, current work status, last paid date, annual salary, home address, date of birth, and Social Security Number. The attack was discovered 24-hours later on February 4.

The third attack happened on February 5. Polycom, the communications company that is known for their video and telephone conferencing offerings, disclosed a Phishing attack that targeted employee data. The attack was successful and compromised names, addresses, date of birth, Social Security Number, and salary information.

The fourth attack this month failed. First reported by journalist Brian Krebs, the CEO of KnowBe4 – a security company that deals with awareness training against Phishing and Social Engineering – reported that he was impersonated, and that the attacker attempted to get the company’s new CFO to turn-over W2 information. Given the business that KnowBe4 is in, awareness training is what prevented disaster in this case. The email and request just didn’t feel right.

One thing KnowBe4 mentioned in a press release on the incident is that the attackers used a compromised GoDaddy server to send their email. This fact was also observed by PhishLabs, and marked as a new development in BEC cases.

Earlier this month, the Treasury Inspector General for Tax Administration said they’ve received 896,000 of fraudulent tax-related contacts since October 2013. In addition, the report noted that more than 5,000 victims who have collectively paid over $26.5 million due to fake tax collection and IRS impersonation scams.

Records like those compromised by the attacks reported this month are all a criminal needs to commit tax fraud. According to the FTC, tax refund fraud is their largest and fastest growing ID theft category.