
Snapchat Employee Data Leaks Out Following Phishing Attack - choult
http://techcrunch.com/2016/02/29/snapchat-employee-data-leaks-out-following-phishing-attack/
======
escobar
So this looks like HR or someone from inside snapchat got a phishing email and
happily obliged and sent off a bunch of sensitive information without
confirming that it should all be shipped over (unsecure) email.

I do work for some higher ed institutions, and almost every year without fail
we have seen (and dealt with) successful phish attempts of various staff
members... it's usually something small like a credit card number, but it
still amazes me how an email that may look "very suspicious" to me doesn't set
off a flag for someone else who isn't really thinking about this type of
attack.

~~~
mfoy_
Social engineering attacks will probably be a thorn in security's side for a
very long time, if not indefinitely... There's a sort of fundamental
disconnect inherent in "Trust the system! It's secure! Except be careful
because sometimes something that is not the system will pretend to be the
system..."

~~~
lazaroclapp
We keep treating falling for phishing emails as a user error. But, perhaps,
having our most "official" means of communicating online (email) be a protocol
that has no identity verification, no authentication and no encryption, is
actually a technical bug, not a human one.

I mean, you would expect that we should at least be able to tell that if you
get a x@snapchat.com email in your y@snapchat.com inbox, it actually came from
x who works at Snapchat. However, that is (in general), not how email works,
for some reason (yes, I know, ancient protocol, tons of stakeholders, identity
is hard, but come on...).

~~~
josho
I thought we had this through SPF. I.e. your mail server can reject mail if the
domain doesn't match SPF records in DNS.

Maybe it's time to start something like an SPF Everywhere campaign.

~~~
lazaroclapp
SPF Everywhere would be a start. But, as currently deployed, at least, SPF is
nowhere near enough. I do research in security, and even I often have no clue,
when faced with a new corporate email system, whether the email addresses I
see can or can't be forged, depending on domain.

Hell, if I get bob@company.com on my Gmail inbox, I cannot really tell whether
even the @company.com part has been authenticated or not. There isn't even an
HTTPS like lock icon or anything, let alone a "Google has verified that this
email comes from Amazon.com" assurance.
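
As an added illustration (not code from the thread), a minimal SPF evaluator over constructed records showing the gap lazaroclapp describes: SPF vouches only for the envelope sender, so a message can pass SPF for the sender's own domain while displaying bob@company.com in the From: line unless the receiver also checks that the two domains align. The record contents, domain names and the relaxed-alignment approximation are assumptions.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: no network
# access, and only the ip4/ip6/include/all mechanisms are modelled).
SPF_RECORDS = {
    "company.com": "v=spf1 ip4:192.0.2.0/24 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a domain's SPF record against the connecting IP.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; this guards include loops
        return "permerror"
    record = records.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network (and vice versa)
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(argument, sender_ip, records, depth + 1) == "pass"
        else:
            continue  # a, mx, exists, redirect= etc. are not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term

def header_from_is_authenticated(header_from, envelope_from, sender_ip, records=SPF_RECORDS):
    """SPF only vouches for the envelope sender (SMTP MAIL FROM). The From: line the
    user sees is covered only when SPF passes AND that domain aligns with the
    envelope domain (DMARC-style relaxed alignment, approximated as the same
    domain or a subdomain of it)."""
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    aligned = (hdr_domain == env_domain or hdr_domain.endswith("." + env_domain)
               or env_domain.endswith("." + hdr_domain))
    return check_spf(env_domain, sender_ip, records) == "pass" and aligned
```

The last assertion case is the one that matters: a message sent from attacker.example's own listed IP passes SPF, yet its displayed From: is still unauthenticated because the domains do not align.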

------
nostromo
Every company should inform their employees of the email impersonation scams
going around.

> In the scam, a criminal mimics a chief executive’s email account and directs
> an employee to wire money to an overseas bank account. By the time the
> company realises it has been duped, the money is gone.

> [This scam] has cost businesses around the globe more than $2bn in little
> over two years, according to the US Federal Bureau of Investigation," with
> more than 12,000 victims, some of which "have been tricked into sending as
> much as $90m to offshore accounts."

[http://www.ft.com/intl/cms/s/0/83b4e9be-db16-11e5-a72f-1e774...](http://www.ft.com/intl/cms/s/0/83b4e9be-db16-11e5-a72f-1e7744c66818.html)

~~~
forgetsusername
I'd go a step further and say it's a failing of management and process at said
company if any employee felt that the CEO emailing for payroll information was
"normal".

~~~
jtfairbank
Agreed. We set up our bank account to require two signers to approve any wires,
and they gave us a key fob for two-factor authentication for wires.

As the company scales, we may add other people like a CFO to the bank account,
but we will always require two people to authorize wire transfers.

------
jetsnoc
I manage a small Security team where I work. We have a very good security
awareness training program we've built out over the years. I'm biased, of
course. I helped build it. We may never solve the human aspect of security
entirely. However, we have one thing in particular that works well.

The most effective part of our program is the internal phishing attempts. They
aren't annually or quarterly but almost monthly and sometimes weekly. It works
very, very well and keeps phishing at the top of everyone's mind. There is
nothing quite like teaching someone how easy it is to be caught off guard by
showing them how easily someone can be phished and how they took the bait. It
disarms them and the ego part of the conversation. It makes it a
psychologically safe element of the corporate culture. It changes the
conversation from "You're a dummy <3 SecOps" to "It can happen to anybody. In
fact it's happened to a number of important and very smart people here. Stop,
Look and Think before you click or fill out that form or send that
file/information."

It's an interesting part of our security awareness program. In fact, we've
built out a small application that sends the phishing email with a remote
`<img />` to track the email view (see the bait).

We then track them hitting the link through a unique URL (taking the bait),
and track the final push of a login button or web-form (swallowing the hook
entirely.)

It allows us to track how effective the campaign is and understand who may
need some remedial training and of course how we can better improve the
security awareness training because if a high percentage take the bait, the
security awareness training wasn't effective.

In fact, I sent this article around the office this afternoon and sometime
mid-week, plan to send another phishing attempt to see if it helped.

This strategy of course requires an organization to be fairly emotionally
intelligent and have the right corporate culture. One of trust and
transparency in a psychologically safe environment where people aren't mocked
or made fun of but properly educated if they take the bait. I know that this
kind of culture may not be the norm.

NOTE: We don't have as much to secure as a SnapChat and we aren't a high
profile target. We just figured these things were the bare-minimum things to
do to protect our employees and our customers.
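
Added example, not jetsnoc's application: a small tally over constructed access-log lines of the three hooks described above (tracking image, unique link, form submit), giving each recipient's furthest stage and the campaign-level rates that decide whether the awareness training worked. The log format, URL paths and tokens are assumptions.

```python
import re
from collections import Counter
# Constructed access-log sample (assumed format "<ip> <time> <method> <path>"); the
# tokens are made up. One unique token per recipient ties the three hooks together.
SAMPLE_LOG = """\
10.0.0.11 2016-03-01T09:01:12 GET /pixel/a1b2.gif
10.0.0.12 2016-03-01T09:02:40 GET /pixel/c3d4.gif
10.0.0.12 2016-03-01T09:02:58 GET /l/c3d4
10.0.0.13 2016-03-01T09:05:03 GET /l/e5f6
10.0.0.13 2016-03-01T09:05:30 POST /submit/e5f6
10.0.0.12 2016-03-01T09:06:10 GET /l/c3d4
10.0.0.11 2016-03-01T09:07:00 GET /healthz
"""

# Funnel stages in order: saw the bait, took the bait, swallowed the hook.
STAGES = ("viewed", "clicked", "submitted")
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>GET|POST) (?P<path>\S+)$")
PATH_RES = (
    ("viewed", "GET", re.compile(r"^/pixel/(?P<token>[0-9a-f]+)\.gif$")),
    ("clicked", "GET", re.compile(r"^/l/(?P<token>[0-9a-f]+)$")),
    ("submitted", "POST", re.compile(r"^/submit/(?P<token>[0-9a-f]+)$")),
)

def furthest_stage(log_text, recipients):
    """Map each recipient token to the furthest stage reached (None if untouched).
    Repeat hits never move a recipient backwards; unknown paths are ignored."""
    reached = {token: None for token in recipients}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for stage, method, path_re in PATH_RES:
            pm = path_re.match(m["path"])
            if pm and m["method"] == method and pm["token"] in reached:
                current = reached[pm["token"]]
                if current is None or STAGES.index(stage) > STAGES.index(current):
                    reached[pm["token"]] = stage
                break
    return reached

def campaign_rates(reached):
    """Percent of recipients reaching at least each stage; a later stage implies
    the earlier ones (a click proves the mail was seen even if the image was blocked)."""
    counts = Counter()
    for stage in reached.values():
        if stage is not None:
            for earlier in STAGES[: STAGES.index(stage) + 1]:
                counts[earlier] += 1
    return {s: round(100.0 * counts[s] / len(reached), 1) for s in STAGES}
```

Recipient e5f6 in the sample never loaded the tracking image (blocked remote images, as a later comment mentions) but still clicked and submitted, which is why rates are derived from the furthest stage rather than from raw pixel hits.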

~~~
tomjen3
That's one way to do it. The problem, and that happened to me, was writing "lol
phishing" in a reply when it really was the person who sent the information
request.

These days I just delete such emails sight unseen. Also I block external
images or at least used to just because.

------
doctorpangloss
> Snapchat isn’t being too specific — this is sensitive — but payroll
> information could include salary data, social security numbers, bank
> details, addresses, emails and other personal ID which, in the hands of the
> wrong people, could create headaches for those affected.

The scammers asked for W2 tax forms. They use this to collect your refund.
This has happened to dozens of startups in LA, among other businesses,
ironically the ones which have HR departments.

------
dewitt
Once we get past the predictable schadenfreude, it's crazy to think how easily
this could happen to, or even because of, any one of us.

Do you think you'd think twice before responding to a mail from your manager
asking for information that they had reason to ask for? Would you challenge
them to verify themselves over the phone at 11:00 PM, just to be sure no one
spoofed their email address?

I bet I wouldn't, and I'm paranoid.

~~~
viraptor
But unless you actually break into someone's account, email spoofing should be
a solved problem. Sure, you can set the from field to whatever you want, but
in a typical company scenario, it will look very different in outlook - it
will actually display the sender's email, and if you try to spoof that, you'll
just get rejected at the server.

Now if you ignore that and respond anyway... well, there's not much anyone can
do about that.

~~~
wickawic
Serious question: what would it look like on a smartphone email client?

~~~
viraptor
No idea. Work email doesn't go anywhere close to my smartphone.

~~~
paulddraper
How do you reply to emails at 11pm? ;)

------
adsche
Related recent report by Brian Krebs:

[https://krebsonsecurity.com/2016/02/phishers-spoof-ceo-reque...](https://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/)

------
jwcrux
Sadly these spoofed emails from high ups are becoming all too common.

Shameless plug - if anyone is in need of an open source phishing training
solution, I recently launched gophish to great feedback so far, and have a new
version being dropped early next week:
[https://getgophish.com](https://getgophish.com).

Everyone should have access to training to prevent this as much as possible.

~~~
rando3826
Feedback. I can't get much from your screenshots since I can't expand them and
they are too small to read anything. I don't know what a "simulated phishing
campaign" is, what results I might get out of it, I just don't really
understand the whole purpose / process, and you don't give any info other than
the phrase "simulated phishing campaign" to explain what the thing does. So, I
can create simulated phishing emails, I can see who opens them. I can do this
easily. But we're missing something. What does a simulated phishing email
accomplish? What does a user get out of it? What would one look like? When
would I send one?...

~~~
jwcrux
Great feedback, thanks! We're working on a new landing page that hopefully
shows this in action a bit more, as well as provides a bit more information on
why you might want to use gophish and when.

I'll keep this feedback in mind. Very helpful!

------
tttttthrowaway
Based on recent experiences with the hip new investment company that
administers my employer's 401(k) as well as HR, I wouldn't be surprised if
much of the data wasn't even considered confidential by the people handling
it.

Minor rant: The 401(k) provider regularly sends a plaintext deposit
confirmation email (deposit amount, confirmation number) with each payroll
cycle. Any time the contribution amount is changed, they send a
plaintext email with the new contribution percentage. Occasionally they send
plaintext statements containing dividend amounts.

When asked to stop sending these e-mails, the 401(k) administrator replied
that it wasn't possible, supposedly due to the way they integrate with a 3rd
party mail provider. (what?)

------
mercora
I previously worked for a large bank and they had authenticated email using
Lotus Notes. While I would not recommend using that, it was nice to see them
taking this seriously. It was required to use it for every internal
communication and actually made it seriously easy to use without knowing much
about how it really works.

It's much easier to teach people to access their emails using a particular
application than it is to make them aware of phishing attacks which sometimes
can be very sophisticated.

While this does not work if you have to receive emails from unknowns, it is a
no-brainer to use something like this at a company level for all online
communication. In my opinion not doing so is really careless behaviour,
especially for a tech company...

~~~
jcrawfordor
Microsoft Exchange allows for implementation of S/MIME encryption and signing
that more or less "just works." There are some niggles (I've run into people
before whose Outlook was S/MIME signing emails to external users, and my
Outlook would be upset about showing them since the external user's cert was
signed by some internal CA I didn't trust - if I didn't know what was going on
that would have led to a frustrating helpdesk call). But, overall, it's nearly
transparent when everything is as it should be.

Unfortunately, outside of the world of these internal corporate email products
the situation looks a lot worse. Reliably secure delivery of email to external
users is a hard problem and most of the current solutions being used are
really, really terrible.

------
calvinbhai
I just couldn't believe this story, especially after having read about the exact
same attack a week back on [http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-reques...](http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/) !!!!!

------
dvt
If the compromised data somehow becomes public, a class-action suit (a la
Sony) is not out of the question. At least Snapchat is trying to get ahead of
the problem which undoubtedly helps them in the court of public opinion.

~~~
niij
The Sony case affected customers, apparently this breach only affects
employees. I find it hard to believe the employees would file a class action
lawsuit against their own employer.

~~~
dvt
This is incorrect, the Sony case affected employees[1]: "the exposure revealed
personal information for an estimated 3,000 former and current Sony
employees."

[1] [http://deadline.com/2015/09/sony-hacking-lawsuit-settlement-...](http://deadline.com/2015/09/sony-hacking-lawsuit-settlement-employees-identity-theft-1201513280/)

------
rdl
Certainly sounds like a CISO would be a good hire for them.

------
jonesb6
This title could've been editorialized a lot and I'm really glad it wasn't.

