> Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.
>After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.
Together with the contact info that could be basis for the next attack.
Right? This is completely eliminated by using U2F tokens.
If you aren't using hardware auth to authenticate to corporate internal resources, your IT department is negligent or incompetent or both.
I literally have advanced protection turned on for a small four person single location retail operation I am involved with, simply for the PII of a few hundred people that they have to handle. The little USB/NFC fobs are $15.
My point being is that by not having hardware based MFA, but still have a form of soft token MFA doesn't make the IT personnel completely incompetent or negligent.
Not requiring MFA at all and having weak passwords would be an example of that.
Because they don't pay a competent person to do their security or because the person they paid isn't able/willing to make decisions.
Phishing is not obviously sophisticated but an argument could be made. The problem with letting that kind of language slide is that it skirts responsibility. Society has a huge accountability problem currently and there isn't really an end in sight. There's no need to continue allowing corporations to use such language and continuing the problem.
If a solution to phishing is available and not used, the easy mode hack is attributed to the security of the people so responsible. They took a risk and that went bad. Fire them(the people ACTUALLY RESPONSIBLE) and move forward with a better model of security.
The person actually responsible is the person(s) who made the final call on using security susceptible to phishing attacks where a better option exists.
Yes, it is sophisticated. Phishing emails are opened more often then regular mail (assuming it’s in your inbox) and click-rate is pretty high.
You might be good at cracking phishing simulation at your workplace, but many people won’t know if “amazon.example.com” or “example.amazon.com” is real. This is of course something good filter will pick up, but consider how hard it is to make sure 0 employees fall to the attack.
Also, even 2FA can get compromised with notification spam, that’s how it played out in one of the attacks couple of years ago.
>Yes, it is sophisticated. Phishing emails are opened more often then regular mail and click-rate is pretty high.
You're confusing "sophisticated" with "efficient". Phishing is efficient but unsophisticated; it boils down to one of the oldest tricks ever, to make you believe that $foo is $bar.
Phishing _can_ be more or less "sophisticated" (obviously some of this is a semantic argument) attack, it depends on the details.
For example, if you select a target and collect information in order to tailor the attack, or you use inside information to prey on a flaw (such as security fatigue), that's at least more sophisticated than a typical phishing email.
Not that I disagree with your take about the PR angle.
They somehow replicated the intranet site so I'd call that somewhat sophisticated. That kind of feels like they had insider knowledge.
> As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
>No, Reddit. Phising is not a sophisticated attack.
You're right, it isn't. It's just Reddit admins lying through their teeth, it's their usual. Almost like they take most of the current Reddit userbase as braindead. (Spoilers: they might be right.)
In this specific case they're lying to not make it so obvious that they're pretty much incompetent to manage their site.
Nobody gets phished with a plain text email/site that says “give me your system access”.
Creating a replication of their intranet gateway requires recon to know what gateway they use, (if they use a custom api) recreate that api, and finding who to actually send the fake page to.
I’d call this spear fishing. That’s sophistication. Recon and tailoring to the target is sophisticated. It may not be super complicated, but it shows sophistication.
Sophistication is a spectrum between ”hey mister, and I have your credentials?” and nationstate APT’s.
> "After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit."
There's 2FA and 2FA. TOTP like Google Authenticator giving these six digits are easy to phish.
I much prefer FIDO(2) devices and the webauthn protocol (Chrome doesn't even allow U2F anymore but webauthn is backward compatible with old security keys), especially when the device uses a different method for registering a service the first time and for then authenticating to that service (for example by using a different PIN for registering and for authenticating or by displaying on the device itself if you're registering or authenticating).
More places really really need to use [essentially] unphishable 2fa (security keys) and make that the sole method of 2fa except maybe in a break-glass case. but even them, you can have multiple security keys including backup ones
I got a message this morning that I was accepted into a sub that I never heard about, as if I had applied (but I didn't). It seemed to be a notification, not a message. I don't see it now. I'm guessing it's related to the hack, but it's not obvious what the scam or purpose was.
39 comments
[ 2.9 ms ] story [ 47.5 ms ] threadnothing important
Reassuring if true.
Together with the contact info that could be basis for the next attack.
Working in the cyber industry, it's so frustrating to see companies claim that they were done over by "sophisticated attacks" like phising!
I understand it from the PR points angle, but I always cringe. I hope others see through it too.
I guess we'll wait to see what they actually stole when they post the ransom.
If you aren't using hardware auth to authenticate to corporate internal resources, your IT department is negligent or incompetent or both.
I literally have advanced protection turned on for a small four person single location retail operation I am involved with, simply for the PII of a few hundred people that they have to handle. The little USB/NFC fobs are $15.
There is no excuse other than incompetence.
But not using hardware based 2FA doesn't make the IT department, completely negligent or incompetent.
Most companies I know if they are using MFA are using Microsoft Authenticator soft tokens through their enterprise 365 environments.
Not requiring MFA at all and having weak passwords would be an example of that.
Phishing is not obviously sophisticated but an argument could be made. The problem with letting that kind of language slide is that it skirts responsibility. Society has a huge accountability problem currently and there isn't really an end in sight. There's no need to continue allowing corporations to use such language and continuing the problem.
If a solution to phishing is available and not used, the easy mode hack is attributed to the security of the people so responsible. They took a risk and that went bad. Fire them(the people ACTUALLY RESPONSIBLE) and move forward with a better model of security.
The person actually responsible is the person(s) who made the final call on using security susceptible to phishing attacks where a better option exists.
At the moment, it's the easiest way into a network. So everyone is doing it.
You might be good at cracking phishing simulation at your workplace, but many people won’t know if “amazon.example.com” or “example.amazon.com” is real. This is of course something good filter will pick up, but consider how hard it is to make sure 0 employees fall to the attack.
Also, even 2FA can get compromised with notification spam, that’s how it played out in one of the attacks couple of years ago.
Just because phishing is common, doesn't make it sophisticated.
You're confusing "sophisticated" with "efficient". Phishing is efficient but unsophisticated; it boils down to one of the oldest tricks ever, to make you believe that $foo is $bar.
For example, if you select a target and collect information in order to tailor the attack, or you use inside information to prey on a flaw (such as security fatigue), that's at least more sophisticated than a typical phishing email.
Not that I disagree with your take about the PR angle.
> As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
You're right, it isn't. It's just Reddit admins lying through their teeth, it's their usual. Almost like they take most of the current Reddit userbase as braindead. (Spoilers: they might be right.)
In this specific case they're lying to not make it so obvious that they're pretty much incompetent to manage their site.
Creating a replication of their intranet gateway requires recon to know what gateway they use, (if they use a custom api) recreate that api, and finding who to actually send the fake page to.
I’d call this spear fishing. That’s sophistication. Recon and tailoring to the target is sophisticated. It may not be super complicated, but it shows sophistication.
Sophistication is a spectrum between ”hey mister, and I have your credentials?” and nationstate APT’s.
> in an attempt to steal credentials and second-factor tokens. > > After successfully obtaining a single employee’s credentials
So was the attempt to steal second-factor successful or was it the account of an employee without 2FA that was compromised?
Because then...
On the page as to how to set up 2FA linked from TFA:
https://reddithelp.com/hc/en-us/articles/360043470031-What-i...
> "After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit."
There's 2FA and 2FA. TOTP like Google Authenticator giving these six digits are easy to phish.
I much prefer FIDO(2) devices and the webauthn protocol (Chrome doesn't even allow U2F anymore but webauthn is backward compatible with old security keys), especially when the device uses a different method for registering a service the first time and for then authenticating to that service (for example by using a different PIN for registering and for authenticating or by displaying on the device itself if you're registering or authenticating).