Slashdot Mirror


Seagate Hit By Targeted Phishing Attacks Seeking W2 Data (csoonline.com)

itwbennett writes: You can add Seagate to the growing list (now up to 7) of companies hit by malware seeking W2 data on employees. As reported on Slashdot, Snapchat disclosed the last weekend of February that someone had posed as the company's CEO and received payroll data on 700 employees. The other companies hit by similar phishing scams so far are Central Concrete Supply Co., Mercy Housing Inc., Magnolia Health Corporation, BrightView, and Polycom. Seagate learned of the incident on March 1, and the story was broken by Brian Krebs after a former employee received a notice and reached out to him.

26 comments

  1. Insurance by Anonymous Coward · · Score: 1

    Cyber insurance, for lack of a better word (shudder), is going to be big. It has to; given the number of attacks going on, there is too much profit potential. As the products mature it will be interesting to see if the actuaries consider more fine-grained factors for pricing like:
    - Will the standard policy end up disclaiming phishing attacks altogether?
    - Will premiums vary significantly by the amount of equipment/software installed per vendor's security reputation? i.e. much higher premiums for Microsoft Windows installations and lower for Redhat-supported or BSD.
    - Given the OpenSSL nightmare, will the usage of individual packages on-site affect pricing?
    - How about higher premiums for companies that have a larger footprint in the cloud?

    Anyone know how existing policies handle these questions? Or at this point is it simply blanket coverage with lots of risk (profit) built in?

    1. Re:Insurance by Anonymous Coward · · Score: 0

      I would like to see actuarial tables for this case.

      A person tricking an employee into giving out info is tough to account for.

    2. Re:Insurance by Salgak1 · · Score: 1

      You mean tricking an EX-employee. I assume Seagate has procedures about sensitive financial documents and Personally Identifiable Information (PII), and that employees have regular security training. The idiot in question got engineered, but was stupid enough to send the data without even making a phone call...

  2. Can concur by RevDisk · · Score: 5, Insightful

    Know of a couple companies getting hit by this very attack. Zero technical aspect, just straight social engineering. "Hey, it's (CEO), do me a favor and send me a zip of all the W2s. I need this right away" or similar. Usually with forged email headers, but sometimes with similar domain names. One used a capital i instead of an L, which was admittedly hard to spot for an average user. They wanted an ACH transfer, which was odd enough it immediately rang warning bells everywhere. Some folks catch it, some don't.

    Talk with your finance and HR folks, schedule training. They're going after W2s for fraudulent tax returns. Places where I do security, we routinely register or blacklist lookalike domains, set up mail servers to be resistant to spoofing/manipulation, multi-stage filtering, etc. Nothing will trump good training for the users.
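    RevDisk's lookalike-domain point (a capital I standing in for an l), worked as an added Python example that is not code from the thread: it collapses look-alike glyphs before comparing a From: domain to the organisation's own, and flags an executive's display name sitting on an address outside the company. TRUSTED_DOMAINS, EXECUTIVE_NAMES and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed values for this example (not from the thread): the organisation's
# legitimate sending domains and the executive names a scammer would borrow.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Glyphs that look alike in common fonts. Lowercasing already turns a capital I
# into i; this table turns l (and 1, |) into i as well, so "exampIe", "examp1e"
# and "example" all collapse to the same skeleton.
_CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which look-alike glyphs compare equal."""
    d = domain.lower().translate(_CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def triage(from_header: str, trusted=TRUSTED_DOMAINS, execs=EXECUTIVE_NAMES):
    """Return the reasons a From: header deserves a phone call before anyone replies."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["malformed-address"]
    # The company's own domain, or a real subdomain of it: nothing to flag.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return []
    trusted_skeletons = {skeleton(t) for t in trusted}
    findings = ["lookalike-domain" if skeleton(domain) in trusted_skeletons
                else "external-domain"]
    # An executive's name on an address outside the company is the CEO-fraud shape.
    if name.strip().lower() in execs:
        findings.append("executive-name-on-untrusted-address")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the first is genuine, the rest are the attack shapes
    # described in the thread (forged lookalike domain, plain external webmail).
    for hdr in ("Jane Doe <jane.doe@example-corp.com>",
                "Jane Doe <jane.doe@exampIe-corp.com>",
                "Jane Doe <ceo.urgent@webmail.example>"):
        print(f"{hdr!r:45} -> {triage(hdr)}")
```

A mail filter can quarantine or banner anything that returns a non-empty list; the empty-list case is the only one payroll should ever act on without a call.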

  3. This is TOO EASY to prevent by Anonymous Coward · · Score: 4, Insightful

    "Hey, it's (CEO), do me a favor and send me a zip of all the W2s. I need this right away"

    This is why encryption and signing should be mandatory best practices. If your boss ever does send unsigned requests of that nature, or accepts unencrypted replies containing sensitive data, then he should be held responsible. (This is 1990 level tech we're talking about here. After a quarter of a century, you are expected to know how to handle it.)

    And then if the boss does things right but the underling does wrong (by accepting unauthenticated requests and replying without encrypting with the boss's public key) then you hold them responsible. Got phished? Get fired. But it only makes sense to have such a policy when the employee already knows that their boss's emails are signed.

    C'mon, CEOs, it's the mid 1990s and finally time to learn how to use email in your organization. You are negligent if you aren't doing it, and the people you do business with are negligent if they aren't doing it.

    1. Re:This is TOO EASY to prevent by jtayon · · Score: 1

      Bosses would be safer if they expected themselves to follow the rules.
      In the army you will not be demoted to the lowest rank for asking any officer for their credentials.

      In a company most of the security teams/managers expect bypasses in the chain of command when rules go from top to bottom.

      This social engineering attack, known since Mitnick, is purely exploiting a simple corporate culture bug. And now it is showing consequences at higher levels.

      Well, managers should be held responsible and liable for their obvious failure in their own job. Modern corporate management culture is corrupting the economy inappropriately and may trigger a new economic crisis to come.

      Contracts, even social ones, matter.

    2. Re:This is TOO EASY to prevent by RevDisk · · Score: 1

      I don't disagree, but reality can be more complex than mere technical issues.

      Encrypting the data with strong crypto is very good, but what happens if the password picked is trivial?
      If a computer is hijacked with malware, it is possible to use a person's actual email utility and compromised passphrase.

      Technology is always a good thing, but it is no substitute for competent, well trained employees.

    3. Re:This is TOO EASY to prevent by Anonymous Coward · · Score: 0

      Quite to the contrary, we just STEP promoted a security forces airman who stood his ground when a bull colonel screamed at him. Said colonel was promptly retired in spite of probably having a fair chance at a star.

    4. Re:This is TOO EASY to prevent by Anonymous Coward · · Score: 0

      The GP is suggesting a basic best practice (which a lot of businesses still aren't doing). You are (of course!!) invited to improve it (e.g. by telling people to use good passphrases, telling them to not give their key to malware, etc.).

      But having the capacity to be reasonably secure (whether or not this is actually accomplished) is far better than not having the capacity to ever possibly be secure (which is what you get if you abstain from signing and encrypting).

    5. Re:This is TOO EASY to prevent by KGIII · · Score: 1

      The biggest security hole (and also potentially greatest asset) is seated in the chair.

      --
      "So long and thanks for all the fish."

  4. Missed opportunity by jmcwork · · Score: 1

    If it was that easy to pass yourself off as the CEO, why not just say "I want to cash in some of my savings plan. Send it to account XXXXXXXXX. And while you're at it, drop the price on all our drives by 65%!"

  5. Re:BREAKING NEWS!! by chipschap · · Score: 1

    "Linux usage on Steam continues to fall"
    --Despite Valve's push, less than 1 percent of Steam gamers use Linux or SteamOS.

    http://www.pcworld.com/article/3040719/linux/linux-usage-on-steam-continues-to-fall.html

    I shall repeat this message several times in the coming days.

    ... because?

  6. Policies and procedures will save your ass by radarskiy · · Score: 1

    This is why you have boring policies and procedures to make requests between departments, instead of just doing someone's boss a favor.

    I'm glad I work in a company with a strong culture of telling management to fuck off with their out-of-channel requests.

  7. As a Seagate Employee.. by Anonymous Coward · · Score: 0

    The internal notice sent out indicated that it was the entire US workforce affected. Not 700 employees.

  8. BSD fanboys HATE him! by Anonymous Coward · · Score: 0

    Learn this one weird trick to protect your four essential freedoms

  9. Re:BREAKING NEWS!! by KGIII · · Score: 1

    Because it's a pissing match and, before you point and laugh at them, you might want to consider where they learned the behavior from. Tying one's identity to an operating system is stupid. It's akin to the way the US plays politics like a team sport.

    --
    "So long and thanks for all the fish."

  10. For the non-Americans: by Anonymous Coward · · Score: 0

    A W2 tax form shows the amount of taxes withheld from your paycheck. It's used to file your taxes.
    https://turbotax.intuit.com/tax-tools/tax-tips/IRS-Tax-Forms/What-is-a-W-2-Form-/INF14812.html

    I presume the article refers to this data. Does anyone have any idea what the scammers can do with this?

    1. Re:For the non-Americans: by kinko · · Score: 1

      A W2 tax form shows the amount of taxes withheld from your paycheck. It's used to file your taxes.
      https://turbotax.intuit.com/ta...

      I presume the article refers to this data. Does anyone have any idea what the scammers can do with this?

      Presumably they can file and claim your tax refund when they have enough information to impersonate you? Especially if they file before you get around to doing it yourself...

    2. Re:For the non-Americans: by Anonymous Coward · · Score: 0

      Thank you. I read the title, then the summary, then even had to stoop to reading the article itself, and was still bewildered at the end of it all. Googling was considered but not deemed worth the effort.

    3. Re:For the non-Americans: by JazzLad · · Score: 1

      One of many reasons to file by the first week of February (companies have until 1/31 to mail W2s & Mortgage paperwork, Wells Fargo always waits until the end to mail my mortgage papers or I'd be filed by mid Jan - maybe I can get this online, I haven't looked).

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever

  11. For the non-Americans: by Sprite_tm · · Score: 1

    A W2 tax form shows the amount of taxes withheld from your paycheck. It's used to file your taxes.
    https://turbotax.intuit.com/ta...

    I presume the article refers to this data. Does anyone have any idea what the scammers can do with this?

  12. Re:BREAKING NEWS!! by chipschap · · Score: 1

    I guess, not being much of a gamer, I don't care much about gaming on Linux. I realize that many others do care, and their concerns are valid; I just don't share them.

    Linux helps me get stuff done. I don't need Steam OS for that.

  13. Re:BREAKING NEWS!! by KGIII · · Score: 1

    Gamers have their identity tied to so many things, potentially.

    "My console, OS, paddle, computer, brand RAM, authors, etc. are all better than your choices and I need affirmation from others who have made the same choices I have made and to sneer at those who chose not just poorly but wrong!"

    Many, many vocal proponents of Linux are like that. They are zealots and, sadly, many probably have some serious mental issues because they're so closely tying themselves to an OS, code, or ideals. They come not just from the Linux bench, they come from all sides - especially the Apple folks.

    Funny enough, once upon a time an Apple user was expected to be quite computer literate. That's a subject for another day.

    Like you, I use Linux because it works for me. I don't care what others chose. I don't need anyone to tell me that I made a good choice - but I did accept (and still do accept) suggestions. I like simplicity, functionality, and ease. I went with Lubuntu as my last choice for my distro. 16.04 is coming right up. They're changing to LXQt and I may not like it. So, I may pick something else. I may just roll my own.

    So yeah, I definitely agree. Linux helps me get stuff done. I don't have to tweak it to get it to stay out of my way. I can tweak it if I want to. I'm not even a FOSS zealot or activist. I just use what works for me, in a manner that I understand, and with the risks/rewards justifications done to my satisfaction. I've never been really able to figure out who started the idea that Linux was going to be king of the desktop nor have I figured out why anyone would want to hold that title.

    --
    "So long and thanks for all the fish."