Further details on Wipro phishing attack revealed

News by Doug Olenick

Gift card fraud appears to be motivation for attack on consultancy

The motivation behind the phishing attack that struck the Indian IT consultancy firm Wipro in April may, surprisingly, be gift card fraud, according to a new Flashpoint report.

Flashpoint researchers Jason Reaves, Joshua Platt and Allison Nixon said the far-ranging attack that hit dozens of Wipro employees gave the malicious actors access to more than 100 of the company’s computers. In the end, the aim was to obtain the usernames and passwords of encrypted email accounts in order to obtain access to portals managing the account-holders’ gift card and rewards programs, the blog said.

What was done with the stolen credentials is unknown.

"We cannot confirm how the credentials were used, only that Wipro has appeared as a target in campaigns," Reaves and Platt told SC Media.

At this time it is still not known if any Wipro clients were themselves victimised, but cybersecurity execs believe they should be prepared.

"Every Wipro customer should be hyper-aware of the potential of such attacks coming from this previously trusted domain. Employees should be on red alert for any email from this domain until such time as Wipro demonstrates that its email system is rearchitected," said Mark Bower, chief revenue officer and North American general manager at Egress Software Technologies, at the time of the initial attack.

The researchers also uncovered enough evidence to indicate that those behind this scam had been conducting attacks since at least 2017 and possibly as early as 2015. They based this conclusion on the threat group’s re-use of content and infrastructure from other attacks. In addition, the gang tapped into a few legitimate sources; for example, the phishing templates used against Wipro were taken from a security awareness training company, which used them to instruct workers on how to avoid phishing scams. Additionally, certain observed malware also links back to earlier attacks.

"Imminent Monitor is associated with previous campaigns conducted in 2017. These campaigns were not necessarily associated with the Wipro incident but associated with the actors that allegedly breached the organisation," Reaves and Platt said.

This article was originally published on SC Media US.
