Phishing False Alarm
A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards.
Clive Robinson • January 15, 2025 2:35 PM
@ Bruce, ALL,
It begs the question,
“For every false alarm, how many that are not?”
As I oft note,
“Having all computers properly segregated from all external communications mitigates many issues.”
Whilst mostly not interfering with employee work or workflow.
In fact people have found that over all “productivity” increases.
I was surprised by one “environment” where although apparent productivity went down in one department, actual overall productivity of the product went up (the reason I’ve mentioned before).
Andy • January 15, 2025 3:59 PM
It’s a made-up story. No head of HR would spend time to bypass internal controls and make something look genuine if it could have just been a simple line in the payroll.
Carl Fink • January 15, 2025 7:28 PM
I read that story, but it never occurred to me to think it really happened as described. NAR doesn’t vet stories.
Bernie • January 16, 2025 10:18 AM
@ Clive, other Old-Timers,
Do you ever miss the days when all you had to do to make (new) users happy was put the Internet onto a floppy so they could always have it with them? It is often amazing what people think they need vs what they actually need.
David • January 16, 2025 12:55 PM
I find at least the core of the story believable, from personal experience.
I work at a security-conscious company, and our security team does do fake phishing emails semi-regularly. And we’ve also had company executives send out “employee survey” emails with links to an external server, and the sender not being obviously internal. I know I’ve reported such as potential phishing, and have known others to do so. And I’ve seen follow-up emails from an internal higher up with, “no, that one was real, yes, you can click on it”.
So, the broad strokes of the event seem entirely real. Whether the details (a gift card link) are real — different question.
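The situation David describes (a message that claims to be internal but carries links to an external server, with a sender that is not obviously internal) is exactly what a first-pass triage check can surface before anyone escalates or, as the story shows, before anyone simply asks the purported sender. The following is an added example, not code from the blog post or any commenter; the internal domain, the approved intranet host and the two sample messages are all constructed for illustration.

```python
# Added example (not from the blog post or the comments): a small triage helper
# that extracts the indicators a reviewer would check before escalating a
# suspected internal-looking phish. Domains, hosts and messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.com"}               # hypothetical internal domain(s)
TRUSTED_LINK_HOSTS = {"intranet.example-corp.com"}   # hypothetical approved link hosts

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_internal_host(host: str) -> bool:
    """True if the host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def _plain_text_body(msg) -> str:
    """Collect the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = ""
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return body


def triage(raw_message: str) -> dict:
    """Return the indicators a reviewer would look at for an internal-looking request.

    The point is not a verdict but a short list of facts to confirm with the
    purported internal sender: is the From domain actually ours, and do the
    links leave our infrastructure?
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = _plain_text_body(msg)

    hosts = sorted({
        urlparse(u).hostname.lower()
        for u in URL_RE.findall(body)
        if urlparse(u).hostname
    })
    external_hosts = [
        h for h in hosts
        if h not in TRUSTED_LINK_HOSTS and not _is_internal_host(h)
    ]

    indicators = {
        "sender_domain": sender_domain,
        "sender_internal": sender_domain in INTERNAL_DOMAINS,
        "external_link_hosts": external_hosts,
        "mentions_gift_card": bool(re.search(r"gift\s*card", body, re.I)),
    }
    # Worth a phone call to the named sender before a full incident response.
    indicators["suspicious"] = (not indicators["sender_internal"]) or bool(external_hosts)
    return indicators


# Constructed sample: an HR "thank you" sent through an outside mailer with an
# off-domain claim link, i.e. the pattern from the story.
SAMPLE_EXTERNAL = """From: HR Team <hr-team@mailer-service.example.net>
To: staff@example-corp.com
Subject: Thank you - your gift card

Hi all, as a thank you please claim your gift card here:
https://rewards.example.net/claim?id=123
Questions? See https://intranet.example-corp.com/hr
"""

# Constructed sample: the same announcement sent from the internal domain with
# only an approved intranet link.
SAMPLE_INTERNAL = """From: HR Team <hr@example-corp.com>
To: staff@example-corp.com
Subject: Thank you

Hi all, details of this quarter's thank-you are on the intranet:
https://intranet.example-corp.com/hr/thank-you
"""

if __name__ == "__main__":
    for name, sample in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        print(name, triage(sample))
```

The output for the first sample lists the off-domain sender and the external claim host; that list is what you hand to whoever is going to ask HR whether the message is theirs, which is the five-minute check that would have saved the five hours in the story.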
Thomas P. • January 16, 2025 5:29 PM
@Andy
You underestimate how “pat my own shoulder” type of people in companies are.
I totally believe the story.
Aaaand I’m off for my sleep. Tomorrow is an important pizza party for my department because we hit a sales record. Sorry, no raise or gift cards for us, but I will play defiant sarcastic jazz as we open the cardboard boxes with limp pizza slices.
Cheerio!
A Nonny Bunny • January 17, 2025 3:05 PM
Really odd how the conclusion of the story is simply that the head of HR was a moron for sending out surprise gift cards. Even though the security team wasted 5 hours of their time without first asking HR if perhaps it “came from inside the house”.
Hacking a gift card company so you can pull off an attack with this method sounds interesting, though. You can set it up so just the gift card link sent to your target will trigger something.
Clive Robinson • January 17, 2025 4:49 PM
@ Bruce, ALL,
Speaking of potential “False Alarms” one about hardware from China with Russian comments in “hidden” software upon it.
https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle
Obviously a “Five Alarm” to push out into the media to get the chattering classes twittering or whatever it’s called.
Even if only partly true it is funny how the old adage of “if it bleeds it leads” has crossed over into the Information Age.
Clive Robinson • January 19, 2025 10:01 PM
@ Bernie,
Re missing old times…
I certainly miss the times of getting a whole software project on a floppy.
And most importantly the bulk of the source in your brain.
Neither applies today and it’s a problem for other people’s Privacy and Security.
One of the reasons the madness of the likes of “Code Reuse” and “User Feature” bloat was for a while kept constrained was,
“Boss, It has to fit on a floppy”
(And the earlier “It has to get in 512K of RAM”.)
Constraint meant thinking about what was and was not “really necessary” in terms of “User Features” and the “including the kitchen sink” mentality on the API for “code reuse”. So both the code complexity and attack surface were in turn constrained at the time, something that is sadly no longer true which in part explains why there are so many vulnerabilities to be found.
Reducing code “complexity and attack surface” are good things to do if you have the users’ Privacy and Security in mind. But developers have the mantras of “more features” and “Ultimate code reuse” pushed on them as others see them as “essential” to get “code to market”.
We can already see Microsoft and Win 11 is running into all sorts of difficulties and embarrassingly so as Win 10 cut off approaches…
Further users are increasingly unhappy about “forced upgrades” to not just software but underlying hardware they neither want, nor more importantly want to have to spend money –many do not have– on.
joe • February 15, 2025 8:36 AM
Crux of the matter is continually receiving mixed messages externally from genuine but rather stupid corporate actors.
I am fingering the likes of, for example, banks, insurers and telcos and more. At best, it’s the proverbial RHS and LHS being incommunicado! Too common. At worst it could seem they are covering their sweet behinds. Here in Australia banks are not held accountable for the facilitation and forwarding of funds where the transaction arises from phishing emails or arising from any other fraud for that matter.
Who? • January 15, 2025 12:04 PM
What company was that?!? “[…] but the going theory was that a state actor was nearly certainly the source.” They are really paranoid. A good movement in our times, I guess.
Even Siemens AG has been targeted by state actors (NSA in this case). It was just a matter of industrial espionage, possibly looking for the source code of Siemens SCADA systems to research vulnerabilities to exploit on an existing installation.