Seagate Hit By Targeted Phishing Attacks Seeking W2 Data (csoonline.com)
itwbennett writes: You can add Seagate to the growing list (now up to 7) of companies hit by malware seeking W2 data on employees. As reported on Slashdot, Snapchat disclosed the last weekend of February that someone had posed as the company's CEO and received payroll data on 700 employees. The other companies hit by similar phishing scams so far are Central Concrete Supply Co., Mercy Housing Inc., Magnolia Health Corporation, BrightView, and Polycom. Seagate learned of the incident on March 1, and the story was broken by Brian Krebs after a former employee received a notice and reached out to him.
Insurance (Score:1)
Cyber insurance, for lack of a better word (shudder), is going to be big. It has to, given the number of attacks going on there is too much profit potential. As the products mature it will be interesting to see if the actuaries consider more fine-grained factors for pricing like:
- Will the standard policy end up disclaiming phishing attacks altogether?
- Will premiums vary significantly by the amount of equipment/software installed per vendor's security reputation? i.e. much higher premiums for Microsoft
Can concur (Score:5, Insightful)
Talk with your finance and HR folks, schedule training. They're going after W2s for fraudulent tax returns. Places where I do security, we routinely register or blacklist lookalike domains, set up mail servers to be resistant to spoofing/manipulation, multi-stage filtering, etc. Nothing will trump good training for the users.
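One way to implement the lookalike-domain check this post mentions on the inbound mail gateway, as an added example that is not the poster's own tooling. It assumes a company domain of example-corp.com and an executive named Jane Doe, both constructed for illustration, and flags both near-miss domains and executive display names on external addresses.

```python
# Added example (not from the Slashdot thread): flag inbound mail whose sender
# domain is a lookalike of the company's own domain, or whose display name
# matches an executive while the address is external. The domain, names and
# sample headers below are constructed for illustration.
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"          # assumed company domain
EXEC_NAMES = {"jane doe"}                # assumed executive display names


def edit_distance(a, b):
    """Levenshtein distance; small values between domains signal lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Strip subdomains so 'mail.example-corp.com' compares as our own domain."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def classify_sender(from_header):
    """Return the reasons a From: header looks like executive impersonation."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["unparseable address"]
    if registrable(domain) == OUR_DOMAIN:
        return []                 # internal mail; SPF/DKIM checks happen elsewhere
    reasons = []
    # Undo common digit-for-letter substitutions seen in lookalike domains
    normalised = domain.translate(str.maketrans("01", "ol")).replace("rn", "m")
    if normalised == OUR_DOMAIN or edit_distance(domain, OUR_DOMAIN) <= 2:
        reasons.append("lookalike domain: %s" % domain)
    if name.strip().lower() in EXEC_NAMES:
        reasons.append("executive display name from external address")
    return reasons


if __name__ == "__main__":
    for hdr in ["Jane Doe <jane.doe@examp1e-corp.com>", "Jane Doe <ceo@gmail.com>"]:
        print(hdr, "->", classify_sender(hdr))
```

Messages with a non-empty result are the ones to quarantine or route for manual review; the SPF/DKIM/DMARC checks the post alludes to are separate and cover exact-domain spoofing rather than lookalikes.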
This is TOO EASY to prevent (Score:4, Insightful)
This is why encryption and signing should be mandatory best practices. If your boss ever does send unsigned requests of that nature, or accepts unencrypted replies containing sensitive data, then he should be held responsible. (This is 1990 level tech we're talking about here. After a quarter of a century, you are expected to know how to handle it.)
And then if the boss does things right but the underling does wrong (by accepting unauthenticated requests and replying without encrypting with the boss' public key) then you hold them responsible. Got phished? Get fired. But it only makes sense to have such a policy when the employee already knows that their bosses' emails are signed.
C'mon, CEOs, it's the mid 1990s and finally time to learn how to use email in your organization. You are negligent if you aren't doing it, and the people you do business with are negligent if they aren't doing it.
Re: (Score:1)
Bosses would be safer if they expected themselves to follow the rules.
In the army you will not be demoted to the lowest rank of soldier for asking any officer for their credentials.
In a company, most security teams/managers expect bypasses in the chain of command when rules go from top to bottom.
This social engineering attack, known since Mitnick, is purely exploiting a simple corporate culture bug. And now it is showing consequences at higher levels.
Well, managers should be held responsible and liable for their
Re: (Score:2)
Encrypting the data with strong crypto is very good, but what happens if the password picked is trivial?
If a computer is hijacked with malware, it is possible to use a person's actual email utility and compromised passphrase.
Technology is always a good thing, but it is no substitute for competent, well trained employees.
Re: (Score:2)
The biggest security hole (and also potentially greatest asset) is seated in the chair.
Re: (Score:2)
"Linux usage on Steam continues to fall"
--Despite Valve's push, less than 1 percent of Steam gamers use Linux or SteamOS.
http://www.pcworld.com/article/3040719/linux/linux-usage-on-steam-continues-to-fall.html
I shall repeat this message several times in the coming days.
... because?
Re: (Score:2)
Because it's a pissing match and, before you point and laugh at them, you might want to consider where they learned the behavior from. Tying one's identity to an operating system is stupid. It's akin to the way the US plays politics like a team sport.
Re: (Score:2)
I guess, not being much of a gamer, I don't care much about gaming on Linux. I realize that many others do care, and their concerns are valid; I just don't share them.
Linux helps me get stuff done. I don't need Steam OS for that.
Re: (Score:2)
Gamers have their identity tied to so many things, potentially.
"My console, OS, paddle, computer, brand RAM, authors, etc. are all better than your choices and I need affirmation from others who have made the same choices I have made and to sneer at those who chose not just poorly but wrong!"
Many, many vocal proponents of Linux are like that. They are zealots and, sadly, many probably have some serious mental issues because they're so closely tying themselves to an OS, code, or ideals. They come not just fr
Policies and procedures will save your ass (Score:2)
This is why you have boring polices and procedures to make requests between departments, instead of just doing someone's boss a favor.
I'm glad I work in a company with a strong culture of telling management to fuck off with their out-of-channel requests.
For the non-americans: (Score:2)
A W2 tax form shows the amount of taxes withheld from your paycheck. It's used to file your taxes.
https://turbotax.intuit.com/ta... [intuit.com]
I presume the article refers to this data. Does anyone have any idea what the scammers can do with this?
Re: (Score:2)
presumably they can file and claim your tax refund when they have enough information to impersonate you? Especially if they file before you get around to doing it yourself...