Working in the cyber industry, it's so frustrating to see companies claim that they were done over by "sophisticated attacks" like phishing!
I understand it from the PR points angle, but I always cringe. I hope others see through it too.
I guess we'll wait to see what they actually stole when they post the ransom.
For example, if you select a target and collect information in order to tailor the attack, or you use inside information to prey on a flaw (such as security fatigue), that's at least more sophisticated than a typical phishing email.
Not that I disagree with your take about the PR angle.
> As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
Creating a replication of their intranet gateway requires recon to know what gateway they use, recreating that API (if they use a custom API), and finding who to actually send the fake page to.
I'd call this spear phishing. That's sophistication. Recon and tailoring to the target is sophisticated. It may not be super complicated, but it shows sophistication.
Sophistication is a spectrum between "hey mister, can I have your credentials?" and nation-state APTs.
If you aren't using hardware auth to authenticate to corporate internal resources, your IT department is negligent or incompetent or both.
I literally have advanced protection turned on for a small four person single location retail operation I am involved with, simply for the PII of a few hundred people that they have to handle. The little USB/NFC fobs are $15.
There is no excuse other than incompetence.
But not using hardware-based 2FA doesn't make the IT department completely negligent or incompetent.
Most companies I know, if they are using MFA, are using Microsoft Authenticator soft tokens through their enterprise 365 environments.
You're right, it isn't. It's just Reddit admins lying through their teeth, it's their usual. Almost like they take most of the current Reddit userbase as braindead. (Spoilers: they might be right.)
In this specific case they're lying to not make it so obvious that they're pretty much incompetent to manage their site.
At the moment, it's the easiest way into a network. So everyone is doing it.
You might be good at cracking phishing simulations at your workplace, but many people won't know if "amazon.example.com" or "example.amazon.com" is real. This is of course something a good filter will pick up, but consider how hard it is to make sure 0 employees fall for the attack.
Also, even 2FA can get compromised with notification spam; that's how it played out in one of the attacks a couple of years ago.
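The "amazon.example.com" vs "example.amazon.com" confusion above is exactly the check a URL filter has to get right. The following is an added example, not code from any commenter: it pulls the real hostname out of a link (so a `user@host` trick or a port does not fool it), normalizes it, and asks whether it sits under a trusted apex domain or merely contains a trusted brand name somewhere in a label. The allow-list, brand list and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: apex domains the organization actually trusts.
TRUSTED_APEXES = {"amazon.com"}
# Constructed brand labels whose appearance on an untrusted host is suspicious.
BRAND_LABELS = {"amazon"}


def normalize_host(host):
    """Lowercase, drop a trailing dot, and convert IDN labels to punycode
    so that look-alike unicode hostnames are compared in ASCII form."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        # Malformed labels (e.g. an empty label) never match anything trusted.
        return host


def is_under(host, apex):
    """True only if host equals the apex or is a proper subdomain of it.
    'amazon.example.com' is NOT under 'amazon.com'; 'example.amazon.com' is."""
    return host == apex or host.endswith("." + apex)


def classify_url(url):
    """Return (verdict, hostname) for a link seen in mail or chat.
    urlsplit().hostname already strips userinfo and port, so
    'https://example.amazon.com@evil.test/' yields the host 'evil.test'."""
    host = urlsplit(url).hostname
    if not host:
        return ("no-host", None)
    host = normalize_host(host)
    if any(is_under(host, apex) for apex in TRUSTED_APEXES):
        return ("trusted", host)
    labels = host.split(".")
    # A trusted brand used as a label of some other domain is the classic
    # 'amazon.example.com' or 'amazon.com.evil.test' pattern.
    if any(brand in label for label in labels for brand in BRAND_LABELS):
        return ("lookalike", host)
    return ("untrusted", host)


if __name__ == "__main__":
    # Constructed sample links, as a filter would see them.
    for link in [
        "https://example.amazon.com/signin",
        "https://amazon.example.com/signin",
        "https://amazon.com.evil.test/signin",
        "https://example.amazon.com@evil.test/login",
        "https://AMAZON.com./orders",
    ]:
        print(classify_url(link), link)
```

The apex comparison deliberately requires a leading dot: a plain `endswith("amazon.com")` would accept `notamazon.com`. The brand-label pass is a heuristic for triage, not proof of malice, which is why it returns a separate verdict rather than blocking outright.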
You're confusing "sophisticated" with "efficient". Phishing is efficient but unsophisticated; it boils down to one of the oldest tricks ever, to make you believe that $foo is $bar.
Just because phishing is common, doesn't make it sophisticated.
nothing important
Reassuring if true.
Together with the contact info that could be basis for the next attack.
> in an attempt to steal credentials and second-factor tokens.
>
> After successfully obtaining a single employee’s credentials
So was the attempt to steal second-factor successful or was it the account of an employee without 2FA that was compromised?
Because then...
On the page as to how to set up 2FA linked from TFA:
https://reddithelp.com/hc/en-us/articles/360043470031-What-i...
> "After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit."
There's 2FA and 2FA. TOTP like Google Authenticator giving these six digits are easy to phish.
I much prefer FIDO(2) devices and the webauthn protocol (Chrome doesn't even allow U2F anymore but webauthn is backward compatible with old security keys), especially when the device uses a different method for registering a service the first time and for then authenticating to that service (for example by using a different PIN for registering and for authenticating or by displaying on the device itself if you're registering or authenticating).
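Why a six-digit TOTP code can be relayed from a cloned page while a WebAuthn assertion cannot comes down to checks the relying party performs on data the browser fills in. The block below is an added example, not code from any commenter or from any WebAuthn library: a server-side verifier that checks the ceremony type (`webauthn.get` for authentication versus `webauthn.create` for registration), the challenge, the origin recorded in `clientDataJSON`, and the `rpIdHash` and user-presence flag in the authenticator data. The relying-party id, allowed origins, challenge and sample messages are constructed; signature verification over `authData || SHA-256(clientDataJSON)` is left out since it needs the registered public key and a crypto library, but `signed_payload` shows what that signature covers.

```python
import base64
import hashlib
import json
import struct

# Constructed relying-party identity. A cloned site on another domain
# cannot produce an assertion whose origin or rpIdHash matches these.
RP_ID = "reddit.example"
ALLOWED_ORIGINS = {"https://reddit.example", "https://www.reddit.example"}

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_client_data(client_data_b64, expected_type, expected_challenge):
    """Validate the browser-generated clientDataJSON of a ceremony."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != expected_type:
        return "wrong-ceremony"          # e.g. a registration sent as a login
    if cd.get("challenge") != expected_challenge:
        return "challenge-mismatch"      # replayed or stale assertion
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin-mismatch"         # the user was on some other site
    return "ok"


def check_authenticator_data(auth_data, require_uv=False):
    """Validate rpIdHash and flags from the authenticator's own output."""
    if len(auth_data) < 37:
        return "too-short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpid-mismatch"           # credential scoped to another RP id
    if not flags & FLAG_USER_PRESENT:
        return "no-user-presence"
    if require_uv and not flags & FLAG_USER_VERIFIED:
        return "no-user-verification"
    return "ok"


def sign_count(auth_data):
    return struct.unpack(">I", auth_data[33:37])[0]


def signed_payload(auth_data, client_data_b64):
    """The bytes the authenticator's private key signs; any change to the
    origin or challenge changes this hash and voids the signature."""
    return auth_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()


def verify_assertion(client_data_b64, auth_data, expected_challenge):
    result = check_client_data(client_data_b64, "webauthn.get", expected_challenge)
    if result != "ok":
        return result
    return check_authenticator_data(auth_data)


# Constructed helpers that stand in for the browser and the security key.
def make_client_data(origin, ceremony, challenge):
    return b64url_encode(json.dumps(
        {"type": ceremony, "challenge": challenge, "origin": origin}).encode())


def make_auth_data(rp_id, flags=FLAG_USER_PRESENT, count=7):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


CHALLENGE = b64url_encode(b"constructed-random-challenge")

if __name__ == "__main__":
    good = make_client_data("https://www.reddit.example", "webauthn.get", CHALLENGE)
    phish = make_client_data("https://reddit.example.net", "webauthn.get", CHALLENGE)
    print(verify_assertion(good, make_auth_data(RP_ID), CHALLENGE))   # ok
    print(verify_assertion(phish, make_auth_data(RP_ID), CHALLENGE))  # origin-mismatch
```

The decisive point is that the browser, not the page's JavaScript, writes `origin` into `clientDataJSON`, and the key's scoping to the RP id is enforced by the authenticator; a proxy sitting on a look-alike domain therefore gets an assertion the real site rejects, whereas a TOTP code carries no such binding.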