Snapchat Employee Data Leaks Out Following Phishing Attack (techcrunch.com)
108 points by choult on Feb 29, 2016 | hide | past | web | favorite | 58 comments

So this looks like HR or someone from inside snapchat got a phishing email and happily obliged and sent off a bunch of sensitive information without confirming that it should all be shipped over (insecure) email.

I do work for some higher ed institutions, and almost every year without fail we have seen (and dealt with) successful phish attempts of various staff members... it's usually something small like a credit card number, but it still amazes me how an email that may look "very suspicious" to me doesn't set off a flag for someone else who isn't really thinking about this type of attack.

Social engineering attacks will probably be a thorn in security's side for a very long time, if not indefinitely... There's a sort of fundamental disconnect inherent in "Trust the system! It's secure! Except be careful because sometimes something that is not the system will pretend to be the system..."

We keep treating falling for phishing emails as a user error. But, perhaps, having our most "official" means of communicating online (email) be a protocol that has no identity verification, no authentication and no encryption, is actually a technical bug, not a human one.

I mean, you would expect that we should at least be able to tell that if you get a x@snapchat.com email in your y@snapchat.com inbox, it actually came from x who works at Snapchat. However, that is (in general), not how email works, for some reason (yes, I know, ancient protocol, tons of stakeholders, identity is hard, but come on...).

I thought we had this through SPF. I.e. your mail server can reject mail if the domain doesn't match SPF records in DNS.

Maybe it's time to start something like an SPF Everywhere campaign.

SPF Everywhere would be a start. But, as currently deployed, at least, SPF is nowhere near enough. I do research in security, and even I often have no clue, when faced with a new corporate email system, whether the email addresses I see can or can't be forged, depending on domain.

Hell, if I get bob@company.com on my Gmail inbox, I cannot really tell whether even the @company.com part has been authenticated or not. There isn't even an HTTPS like lock icon or anything, let alone a "Google has verified that this email comes from Amazon.com" assurance.

SPF doesn't really do anything to prevent this. It can only protect the return path address, the scammer is free to use whatever From and Reply-To headers they like in the email itself - they don't really care if a bounce goes to the wrong place.

DMARC protects the From header, but isn't widely deployed.
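The distinction the two comments above draw (SPF checks the envelope sender, DMARC additionally requires that domain to align with the visible From: header) as an added example, not code from anyone in the thread. It assumes the SPF verdict has already been computed by the receiving MTA and is passed in as a string, and it approximates DMARC's "relaxed" alignment by comparing the last two DNS labels (a real implementation uses the public-suffix list). The sample messages and domains are constructed.

```python
# Added example: why an SPF "pass" says nothing about the From: header.
# SPF is evaluated against the envelope sender (MAIL FROM / Return-Path);
# DMARC additionally requires that domain to align with the RFC 5322 From:.
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or ''."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[1].lower() if "@" in email_addr else ""


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption:
    real DMARC consults the public-suffix list instead)."""
    return ".".join(domain.split(".")[-2:])


def dmarc_spf_alignment(raw: str, spf_result: str, mode: str = "r") -> dict:
    """Evaluate the SPF leg of DMARC for one message.

    spf_result: "pass" / "fail" as produced by the MTA for the Return-Path domain.
    mode:       "r" relaxed (organizational domains match) or "s" strict (exact).
    """
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path", ""))
    header_from = domain_of(msg.get("From", ""))
    if mode == "s":
        aligned = envelope == header_from
    else:
        aligned = org_domain(envelope) == org_domain(header_from)
    return {
        "envelope_domain": envelope,
        "from_domain": header_from,
        "spf": spf_result,
        "aligned": aligned,
        # DMARC only counts SPF if it passed AND the domains align.
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }


# Constructed sample: the scammer's own domain passes SPF, but the visible
# From: header claims the victim's domain. SPF alone reports "pass".
SPOOFED = """Return-Path: <bounce@attacker-mail.example>
From: CEO <ceo@victim.example>
To: hr@victim.example
Subject: Urgent: W-2 forms

Please send all employee W-2s.
"""

# Constructed sample: envelope and header domains agree.
LEGIT = """Return-Path: <ceo@victim.example>
From: CEO <ceo@victim.example>
To: hr@victim.example
Subject: Lunch

See you at noon.
"""

# Constructed sample: a subdomain as envelope sender, which relaxed alignment
# accepts but strict alignment rejects.
SUBDOMAIN = """Return-Path: <bounce@mail.victim.example>
From: CEO <ceo@victim.example>
To: hr@victim.example
Subject: Newsletter

Monthly update.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_spf_alignment(sample, "pass"))
```

The point the output makes: for SPOOFED, `spf` is "pass" while `dmarc_spf_pass` is False, which is exactly the gap the comment describes between "SPF Everywhere" and actually protecting the From: header.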

In fact in my experience 99% of users are unaware that anyone can post an email on behalf of someone else's email address, even users under 30.

Of course, because, well, unless you know the whole story of email, down to knowing what SMTP is, there is zero reason to expect that the from address of your email client lies to you. Which is also why all web traffic should be over TLS, because the same can be said of domain names. This is one area of security where our systems really should be made to match the user's expectation, and not the other way around. This is not a "grampa doesn't understand the interwebs" sort of issue, this is clearly broken design.

Non-envelope headers on emails are arbitrary. "From" (as opposed to Envelope-From) is one of these. Some mail clients (looking at you, Outlook) just display the minimum amount of data including From, and make it non-obvious that this is not really where the mail was from. You only see this difference in address when you hit reply.

We had a phishing attack on an employee in accounting that was stopped in progress and just in time before a bank transfer took place. The emails in question passed SPF as they weren't actually from another user in our domain.

Adopt PGP signatures as a requirement on emails that include sensitive data. It should be easy enough to have an internal key server and a company key that counter signs all valid company keys. Require the key only be used for signing and kept on a usb stick.

S/MIME and X.509 is a lot more common than PGP signatures -- support for it is built in to most MUAs. Also, typically the keys are on smartcards rather than USB devices where the private key could be accessed.

Or just buy everyone in your company a yubikey that is already set up and ready to go?

I'd even argue that social engineering has been the primary security problem since the birth of the internet.

Much before the Internet.

But how could you be social before the internet?

Sending requests by mail with official looking letterheads for example.

Or fake invoices. I get them regularly.

Phone calls too


An unknown person told the manager on the phone that they were with the fire department and needed to conduct a diagnostic test on the fire system, police said. The manager followed instructions and turned on the restaurant’s fire suppression system. The caller then said what the manager had done had caused a gas leak, so everyone had to evacuate the restaurant and the employee was told to break all the windows to avoid an explosion.

Wendy’s employees complied and smashed every single window, while waiting for the fire department to show up. Once officials arrived, they confirmed the call was a hoax.

This got to the point where I actually tossed a real invoice thinking it was a fake one... That lesson cost me 40 euros in extra fees.

Ask Frank Abagnale Jr. That was ten years before even ARPANET.

I have seen so many stories of this on reddit. People's HR departments sending sensitive information to random phishing emails. It seems a little ridiculous that we're still trusting these people with our data.

Honestly, given that you can send these kinds of emails out to like 100 people at a time, I'd be more surprised if it didn't work at least once.

Every company should inform their employees of the email impersonation scams going around.

> In the scam, a criminal mimics a chief executive’s email account and directs an employee to wire money to an overseas bank account. By the time the company realises it has been duped, the money is gone.

> [This scam] has cost businesses around the globe more than $2bn in little over two years, according to the US Federal Bureau of Investigation, with more than 12,000 victims, some of which "have been tricked into sending as much as $90m to offshore accounts."


I'd go a step further and say it's a failing of management and process at said company if any employee felt that the CEO emailing for payroll information was "normal".

Agreed. We set up our bank account to require two signers to approve any wires, and they gave us a key fob for two-factor authentication for wires.

As the company scales, we may add other people like a CFO to the bank account, but we will always require two people to authorize wire transfers.

I manage a small Security team where I work. We have a very good security awareness training program we've built out over the years. I'm biased, of course. I helped build it. We may never solve the human aspect of security entirely. However, we have one thing in particular that works well.

The most effective part of our program is the internal phishing attempts. They aren't annually or quarterly but almost monthly and sometimes weekly. It works very, very well and keeps phishing at the top of everyone's mind. There is nothing quite like teaching someone how easy it is to be caught off guard by showing them how easily someone can be phished and how they took the bait. It disarms them and the ego part of the conversation. It makes it a psychologically safe element of the corporate culture. It changes the conversation from "You're a dummy <3 SecOps" to "It can happen to anybody. In fact it's happened to a number of important and very smart people here. Stop, Look and Think before you click or fill out that form or send that file/information."

It's an interesting part of our security awareness program. In fact, we've built out a small application that sends the phishing email with a remote <img /> to track the email view (see the bait).

We then track them hitting the link through a unique URL (taking the bait), and track the final push of a login button or web-form (swallowing the hook entirely.)

It allows us to track how effective the campaign is and understand who may need some remedial training and of course how we can better improve the security awareness training because if a high percentage take the bait, the security awareness training wasn't effective.

In fact, I sent this article around the office this afternoon and sometime mid-week, plan to send another phishing attempt to see if it helped.

This strategy of course requires an organization to be fairly emotionally intelligent and have the right corporate culture. One of trust and transparency in a psychologically safe environment where people aren't mocked or made fun of but properly educated if they take the bait. I know that this kind of culture may not be the norm.

NOTE: We don't have as much to secure as a SnapChat and we aren't a high profile target. We just figured these things were the bare-minimum things to do to protect our employees and our customers.
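The "see the bait / take the bait / swallow the hook" funnel the commenter describes, as an added example of the bookkeeping behind such an internal awareness campaign. This is not the commenter's application; it assumes a per-campaign secret supplied by the caller (so that the per-recipient tokens embedded in the tracking-pixel and landing-page URLs cannot be guessed), and the recipient names and events are constructed. It only models the measurement side: which stage each enrolled employee reached and the aggregate rates the training team would look at.

```python
# Added example: funnel bookkeeping for an internal phishing simulation.
import hashlib
import hmac

# Ordered stages; "opened" is the remote <img /> load, "clicked" the unique
# URL, "submitted" the final form post.
STAGES = ("sent", "opened", "clicked", "submitted")


class SimulationCampaign:
    def __init__(self, secret: bytes):
        self._secret = secret        # assumption: provided by the caller
        self._by_token = {}          # token -> recipient
        self._stage = {}             # recipient -> index into STAGES

    def enroll(self, recipient: str) -> str:
        """Register a recipient and return the opaque token used in their URLs."""
        token = hmac.new(self._secret, recipient.encode(), hashlib.sha256).hexdigest()[:20]
        self._by_token[token] = recipient
        self._stage[recipient] = 0   # "sent"
        return token

    def record(self, token: str, stage: str) -> bool:
        """Record that the token's owner reached a stage. Returns False for an
        unknown token or stage so stray requests are simply ignored."""
        recipient = self._by_token.get(token)
        if recipient is None or stage not in STAGES:
            return False
        idx = STAGES.index(stage)
        if idx > self._stage[recipient]:     # stages only move forward
            self._stage[recipient] = idx
        return True

    def report(self) -> dict:
        """Number of recipients who reached at least each stage."""
        return {
            s: sum(1 for i in self._stage.values() if i >= STAGES.index(s))
            for s in STAGES
        }

    def needs_follow_up(self) -> list:
        """Recipients who clicked or went further: candidates for a refresher."""
        threshold = STAGES.index("clicked")
        return sorted(r for r, i in self._stage.items() if i >= threshold)


def demo() -> dict:
    """Run a constructed campaign of four recipients and return the funnel."""
    campaign = SimulationCampaign(b"campaign-secret-placeholder")
    tokens = {name: campaign.enroll(name) for name in ("alice", "bob", "carol", "dave")}
    campaign.record(tokens["alice"], "opened")
    campaign.record(tokens["bob"], "opened")
    campaign.record(tokens["bob"], "clicked")
    campaign.record(tokens["carol"], "submitted")
    campaign.record("not-a-real-token", "clicked")   # ignored
    return campaign.report()


if __name__ == "__main__":
    print(demo())   # {'sent': 4, 'opened': 3, 'clicked': 2, 'submitted': 1}
```

The ratio `submitted / sent` is the "high percentage take the bait" signal the comment uses to judge whether the training worked; `needs_follow_up()` is the list for remedial training, kept separate from the aggregate so the numbers can be shared without naming individuals.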

That's one way to do it. The problem, and that happened to me, was writing "lol phishing" in a reply when it really was the person who sent the information request.

These days I just delete such emails sight unseen. Also I block external images or at least used to just because.

> Snapchat isn’t being too specific — this is sensitive — but payroll information could include salary data, social security numbers, bank details, addresses, emails and other personal ID which, in the hands of the wrong people, could create headaches for those affected.

The scammers asked for W2 tax forms. They use this to collect your refund. This has happened to dozens of startups in LA, among other businesses, ironically the ones which have HR departments.

Once we get past the predictable schadenfreude, it's crazy to think how easily this could happen to, or even because of, any one of us.

Do you think you'd think twice before responding to a mail from your manager asking for information that they had reason to ask for? Would you challenge them to verify themselves over the phone at 11:00 PM, just to be sure no one spoofed their email address?

I bet I wouldn't, and I'm paranoid.

Do you have access to data that would cause a news story if you sent it to the wrong person? If yes, then yes, verify it before sending.

Also, spoofing an email address wouldn't help. If you respond, it will go to the spoofed address, which is the correct one. They need to send it from their own email address, which means that you only need to verify that it's sent from your manager's address, or just manually send it to your manager.

It's likely that their SMTP server accepts messages with an SMTP "MAIL FROM" command and/or "From" header address that belongs to the company's own domain without requiring authentication. The attacker then adds a "Reply-To" header so that replies will be sent elsewhere (likely a throwaway free email account).

This shows up in email clients as "From: legit.name@example.com". When the recipient replies, they don't notice that they're sending a reply to a different address than the one their client claimed was the sender of the original message.

Receiving SMTP servers need to be configured to require SMTP authentication for messages claiming to originate from the company's own domain.
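The two tricks described above (an internal From: header arriving on an unauthenticated session, and a Reply-To: that quietly redirects the answer) as an added receive-side check. This is not the commenter's code; it assumes INTERNAL_DOMAIN is a placeholder for the company's own domain and that the caller passes in whether the SMTP session authenticated (a real MTA knows this from session state). `reply_target()` mirrors what a typical client does on "Reply", which is why the redirect goes unnoticed. The sample messages are constructed.

```python
# Added example: flagging internal-looking From: headers and Reply-To redirects.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # placeholder for the company's own domain


def addr_domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def reply_target(raw: str) -> str:
    """Where a 'Reply' in a typical client will go: Reply-To wins over From."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")
    return addr


def inbound_findings(raw: str, session_authenticated: bool) -> list:
    """Return policy findings for one message; an empty list means clean."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    reply_dom = addr_domain(msg.get("Reply-To"))
    findings = []
    # Rule 1: our own domain in From: must only arrive over an authenticated
    # submission session (or be validated by SPF/DKIM/DMARC at the gateway).
    if from_dom == INTERNAL_DOMAIN and not session_authenticated:
        findings.append("internal From: domain on an unauthenticated session")
    # Rule 2: a Reply-To: in a different domain than From: sends the user's
    # answer (and any attachment) somewhere other than the displayed sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}"
        )
    return findings


# Constructed sample of the kind the comment describes.
SPOOF_WITH_REPLY_TO = """From: Jane Boss <jane.boss@example.com>
Reply-To: <jane.boss.ceo@freemail.example>
To: payroll@example.com
Subject: W-2 request

Can you send me all employee W-2s today?
"""

# Constructed sample of a genuine internal message.
GENUINE = """From: Jane Boss <jane.boss@example.com>
To: payroll@example.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    print("reply goes to:", reply_target(SPOOF_WITH_REPLY_TO))
    print(inbound_findings(SPOOF_WITH_REPLY_TO, session_authenticated=False))
    print(inbound_findings(GENUINE, session_authenticated=True))
```

Rule 1 is the configuration change the comment calls for; rule 2 is cheap to add at the same point and catches the case where the attacker's session is external but the header still looks internal.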

> Receiving SMTP servers need to be hardened to require SMTP authentication for messages claiming to originate from the company's own domain.

Or validate SPF / DKIM and enable it for their own domain.

But unless you actually break into someone's account, email spoofing should be a solved problem. Sure, you can set the from field to whatever you want, but in a typical company scenario, it will look very different in outlook - it will actually display the sender's email, and if you try to spoof that, you'll just get rejected at the server.

Now if you ignore that and respond anyway... well, there's not much anyone can do about that.

We've been a target of this attack previously and it's not as simple as email spoofing as email addresses aren't (in Google Apps at least) displayed prominently, firstname.lastname@gmail.com with a corresponding name and profile picture is how we were targeted. Very easy to fall for (especially in companies that aren't strict about personal/professional email separation).

Serious question: what would it look like on a smartphone email client?

No idea. Work email doesn't go anywhere close my smartphone.

How do you reply to emails at 11pm? ;)

Don't reply to mails at 11pm might help, for a start.

I look at mail headers more often than necessary.

I would post it on Slack. Figure I know who my manager is there and even if I didn't, at worst it would end up somewhere in the company.

Isn't this what DKIM and SPF and all those fancy email security things are for?

An attacker-controlled domain, say snaapchat.com, can pass DKIM, SPF, and DMARC if configured appropriately.

Better solution is to append a warning to any message that originates outside the domain.

This is actually a really good idea in corporate environments, and I would encourage everyone to think about doing it. It is a simple thing to push a rule to Outlook that e.g. displays emails from outside the corporate domain with a red tinted background in the email list. This helps people to think twice. It also complements an email classification system well, although unfortunately most classification systems I've seen with good MUA integration are very expensive.
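The external-sender marking suggested in the two comments above, plus the lookalike-domain case raised a few comments earlier (a registered domain such as snaapchat.com passes SPF, DKIM and DMARC on its own merits), as an added example. It is not the commenters' rule; it assumes INTERNAL_DOMAIN is a placeholder for the company's own domain, and in practice this logic lives in the mail gateway or an Exchange/Outlook rule rather than application code. The sample messages and the lookalike domain are constructed.

```python
# Added example: tag mail from outside the organization and flag near-miss domains.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # placeholder for the company's own domain
TAG = "[EXTERNAL] "


def sender_domain(msg) -> str:
    """Lower-cased domain of the From: address, or ''."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two keystrokes away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tag_external(raw: str, max_lookalike_distance: int = 2) -> str:
    """Return the message with external-sender markers applied when needed.
    Internal mail is returned unchanged; tagging is idempotent."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    if dom == INTERNAL_DOMAIN:
        return raw
    if "X-External-Sender" not in msg:
        msg["X-External-Sender"] = "yes"
    # A close-but-different domain deserves a louder warning than plain "external".
    if 0 < edit_distance(dom, INTERNAL_DOMAIN) <= max_lookalike_distance:
        if "X-Lookalike-Domain" not in msg:
            msg["X-Lookalike-Domain"] = dom
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    return msg.as_string()


def describe(raw: str) -> dict:
    """Summarize the markers on a (possibly tagged) message, for display or tests."""
    msg = message_from_string(raw)
    return {
        "external": msg.get("X-External-Sender") == "yes",
        "lookalike": msg.get("X-Lookalike-Domain"),
        "subject": msg.get("Subject", ""),
    }


# Constructed samples.
INTERNAL_MSG = "From: a@example.com\nTo: b@example.com\nSubject: Hi\n\nHello\n"
EXTERNAL_MSG = "From: v@freemail.example\nTo: b@example.com\nSubject: Hi\n\nHello\n"
LOOKALIKE_MSG = "From: ceo@exaample.com\nTo: b@example.com\nSubject: Urgent\n\nWire now\n"

if __name__ == "__main__":
    for sample in (INTERNAL_MSG, EXTERNAL_MSG, LOOKALIKE_MSG):
        print(describe(tag_external(sample)))
```

The subject tag is what a user sees in the message list; the two X- headers are what a client rule (the "red tinted background" above) or a downstream filter keys on, so the visible warning and the machine-readable one are set at the same place.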

No, this is what OpenPGP signed mail is for.

Sadly these spoofed emails from high ups are becoming all too common.

Shameless plug - if anyone is in need of an open source phishing training solution, I recently launched gophish to great feedback so far, and have a new version being dropped early next week: https://getgophish.com.

Everyone should have access to training to prevent this as much as possible.

Feedback. I can't get much from your screenshots since I can't expand them and they are too small to read anything. I don't know what a "simulated phishing campaign" is, what results I might get out of it, I just don't really understand the whole purpose / process, and you don't any info other than the phrase "simulated phishing campaign" to explain what the thing does. So, I can create simulated phishing email, I can see who opens them. I can do this easily. But we're missing something. What does a simulated phishing email accomplish? What does a user get out of it? What would one look like? When would I send one?...

Great feedback, thanks! We're working on a new landing page that hopefully shows this in action a bit more, as well as provides a bit more information on why you might want to use gophish and when.

I'll keep this feedback in mind. Very helpful!

Based on recent experiences with the hip new investment company that administers my employer's 401(k) as well as HR, I wouldn't be surprised if much of the data wasn't even considered confidential by the people handling it.

Minor rant: The 401(k) provider regularly sends a plaintext deposit confirmation email (deposit amount, confirmation number) with each payroll cycle. Any time the contribution amount is changed, they send a plaintext email with the new contribution percentage. Occasionally they send plaintext statements containing dividend amounts.

When asked to stop sending these e-mails, the 401(k) administrator replied that it wasn't possible, supposedly due to the way they integrate with a 3rd party mail provider. (what?)

I previously worked for a large bank and they had authenticated email using Lotus Notes. While I would not recommend using that, it was nice to see them taking this seriously. It was required to use it for every internal communication and actually made it seriously easy to use without knowing much about how it really works.

It's much easier to teach people to access their emails using a particular application than it is to make them aware of phishing attacks which sometimes can be very sophisticated.

While this does not work if you have to receive emails from unknowns, it is a no brainer to use something like this at a company level for all online communication. In my opinion not doing so is really careless behaviour especially for a tech company...

Microsoft Exchange allows for implementation of S/MIME encryption and signing that more or less "just works." There are some niggles (I've run into people before whose Outlook was S/MIME signing emails to external users, and my Outlook would be upset about showing them since the external user's cert was signed by some internal CA I didn't trust - if I didn't know what was going on that would have led to a frustrating helpdesk call). But, overall, it's nearly transparent when everything is as it should be.

Unfortunately, outside of the world of these internal corporate email products the situation looks a lot worse. Reliably secure delivery of email to external users is a hard problem and most of the current solutions being used are really, really terrible.

I just couldn't believe this story, especially after having read about the exact same attack a week back on http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-reques... !!!!!

If the compromised data somehow becomes public, a class-action suit (a la Sony) is not out of the question. At least Snapchat is trying to get ahead of the problem which undoubtedly helps them in the court of public opinion.

The Sony case affected customers, apparently this breach only affects employees. I find it hard to believe the employees would file a class action lawsuit against their own employer.

This is incorrect, the Sony case affected employees[1]: "the exposure revealed personal information for an estimated 3,000 former and current Sony employees."

[1] http://deadline.com/2015/09/sony-hacking-lawsuit-settlement-...

It's not unheard of for employees to file a class-action suit against their employer, but that typically only occurs in very large companies where there's a significant "divide" between the aggrieved employees and management. That seems rather unlikely in a company as small as Snapchat.

Certainly sounds like a CISO would be a good hire for them.

This title could've been editorialized a lot and I'm really glad it wasn't.
