Slashdot Mirror


Seagate Hit By Targeted Phishing Attacks Seeking W2 Data (csoonline.com)

itwbennett writes: You can add Seagate to the growing list (now up to 7) of companies hit by malware seeking W2 data on employees. As reported on Slashdot, Snapchat disclosed the last weekend of February that someone had posed as the company's CEO and received payroll data on 700 employees. The other companies hit by similar phishing scams so far are Central Concrete Supply Co., Mercy Housing Inc., Magnolia Health Corporation, BrightView, and Polycom. Seagate learned of the incident on March 1, and the story was broken by Brian Krebs after a former employee received a notice and reached out to him.

2 of 26 comments

  1. Can concur by RevDisk · Score: 5, Insightful

    Know of a couple companies getting hit by this very attack. Zero technical aspect, just straight social engineering. "Hey, it's (CEO), do me a favor and send me a zip of all the W2s. I need this right away" or similar. Usually with forged email headers, but sometimes with similar domain names. One used a capital i instead of an L, which was admittedly hard to spot for an average user. They wanted an ACH transfer, which was odd enough it immediately rang warning bells everywhere. Some folks catch it, some don't.

    Talk with your finance and HR folks, schedule training. They're going after W2s for fraudulent tax returns. Places where I do security, we routinely register or blacklist lookalike domains, set up mail servers to be resistant to spoofing/manipulation, multi-stage filtering, etc. Nothing will trump good training for the users.
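A defender-side check in the spirit of the lookalike-domain and forged-header points above, added here as an example for this mirror (it is not the commenter's code): it reduces a sender domain to what it looks like at a glance, compares that against the organisation's real domains, and flags an internal-looking From: paired with an external Reply-To:. The domains and headers are constructed.

```python
import re

# Substitutions used to build lookalike domains, mapped to what a reader sees
# at a glance (the capital-i-for-L trick from the comment is the first entry).
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}

def skeleton(name):
    """Reduce a domain to its at-a-glance appearance for lookalike comparison."""
    for seq, seen_as in CONFUSABLES.items():
        name = name.replace(seq, seen_as)
    return name.lower()

def registrable(domain):
    """Last two labels of a host name (adequate for .com-style domains)."""
    return ".".join(domain.strip(".").split(".")[-2:])

def header_domain(value):
    """Domain of the first address in a From:/Reply-To: header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1) if m else ""

def classify(headers, protected):
    """Verdict for one message; protected = the real domains, lower-case."""
    sender = registrable(header_domain(headers.get("From", "")))
    reply = registrable(header_domain(headers.get("Reply-To", "")))
    if not sender:
        return "no-sender-domain"
    if sender.lower() in protected:
        # Exact match: legitimate, or a plain header forgery that only
        # SPF/DKIM/DMARC at the mail server can settle. A Reply-To outside
        # the company is the usual tell of the forged case.
        if reply and reply.lower() not in protected:
            return "suspicious-external-reply-to"
        return "internal"
    if any(skeleton(sender) == skeleton(p) for p in protected):
        return "lookalike-domain"
    return "external"

# Constructed sample headers (hypothetical domains, not from the article).
SAMPLES = [
    {"From": "CEO <ceo@examplecorp.com>"},
    {"From": "CEO <ceo@examplecorp.com>", "Reply-To": "ceo@mail-hosting.example"},
    {"From": "CEO <ceo@exampIecorp.com>"},  # capital I where an l belongs
    {"From": "CEO <ceo@examp1ecorp.com>"},  # digit 1 where an l belongs
    {"From": "vendor@partner.example"},
]

def run(samples=SAMPLES, protected=frozenset({"examplecorp.com"})):
    return [classify(h, protected) for h in samples]

if __name__ == "__main__":
    for h, verdict in zip(SAMPLES, run()):
        print(f"{verdict:30} {h.get('From')}")
```

A hit on "lookalike-domain" is a filtering or quarantine signal, not proof; the "internal" verdict still needs the server-side SPF/DKIM/DMARC checks the comment mentions.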

  2. This is TOO EASY to prevent by Anonymous Coward · Score: 4, Insightful

    "Hey, it's (CEO), do me a favor and send me a zip of all the W2s. I need this right away"

    This is why encryption and signing should be mandatory best practices. If your boss ever does send unsigned requests of that nature, or accepts unencrypted replies containing sensitive data, then he should be held responsible. (This is 1990 level tech we're talking about here. After a quarter of a century, you are expected to know how to handle it.)

    And then if the boss does things right but the underling does wrong (by accepting unauthenticated requests and replying without encrypting with the boss's public key) then you hold them responsible. Got phished? Get fired. But it only makes sense to have such a policy when the employee already knows that their bosses' emails are signed.

    C'mon, CEOs, it's the mid 1990s and finally time to learn how to use email in your organization. You are negligent if you aren't doing it, and the people you do business with are negligent if they aren't doing it.