Outside Vendors Used as Bait for Phishing Scams

We do our best to secure our homes from thieves and criminals. We install security systems, use strong passwords on our wifi, and get a dog–but the best security in the world won’t help if you invite a criminal into your home. And the same logic holds true for your business.

It’s not enough to make sure your own network is secure, who you work with and their security protocols matter too.

Remember the Target Breach? The hackers came in through a trusted third party vendor.

Partnering with a third-party organization can be a great help, but what happens if that third party falls victim to a cybersecurity attack? Not only could your organization’s shared data be exposed, but you may become the target of a very unique phishing attack.

“Target remains the most significant breach in history because it was the fist time the CEO of a major corporation got fired because of a data breach,” said John Kindervag, vice president and principal analyst on risk for research firm Forrester. “You can’t underestimate that in terms of getting people’s attention. People started taking credit card security seriously — before that, it was just a pain-in-the-neck compliance issue.”

The attackers gained access to Target’s network on November 27, 2013. As first reported by security blogger Brian Krebs, the breach started after a phishing email duped an employee of Target third-party vendor Fazio Mechanical, allowing Citadel, a password-stealing bot variant, to be installed on Fazio computers. Once Citadel successfully snagged Fazio’s login credentials, the attackers breached Target’s Ariba vendor portal, gained entry into the retailer’s internal network and took control of Target servers.

Once a scammer has access to a third party’s email account, they can use it to send phishing emails from a legitimate and familiar email address. Some cybercriminals take this attack a step further by forwarding or replying to real emails that were already in the third party’s inbox. Posing as the original sender, the bad guy sends a simple message such as “Here’s that document you needed.” and includes their own malicious link or attachment. Typically, the phishing email is completely unrelated to the original email but the attack can still be convincing because it appears to be part of a previous conversation.

Don’t fall for the scam!  Tips to to stay safe from third-party phishing attacks:

• Never click a link or download an attachment from an email that you weren’t expecting—even if it appears to be from someone you know.
• Read the prior conversation and compare it to the newest email. If you find that the information is unrelated or if the sender never mentioned a link or an attachment previously, this could be a phishing attack.
• If you’re unsure whether or not an email is legitimate, reach out to the sender by phone. One quick call could save your organization from a potential data breach.

If you need help with cybersecurity services for your business contact DarkHound at [email protected].

Sources: ww.zdnet.com/article/the-target-breach-two-years-later/

knowbe4

Image Source: https://www.pexels.com/photo/woman-wearing-blue-jeans-riding-red-shopping-cart-2321438/