The social media giant Snapchat has fallen victim to a whaling attack. The company admitted as much in a blog post released yesterday.
With hat in hand, the company told the public that “it's with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees.”
On Friday 26th, a Snapchat employee was targeted by a scammer impersonating the Snapchat CEO, Evan Spiegel. The imposter named himself ‘Spiegel', and asked the unfortunate employee for payroll information, which was duly handed over. The information was released shortly after.
Snapchat reported the incident to the FBI and looked for which employees may have been affected. The company has apparently also offered those affected by the publication of the details two years of free identity-theft insurance.
The company was keen to point out that no user information was accessed and no internal systems were breached.
This kind of attack is also known as whaling, the act of phishing a specific member of a company under the guise of a colleague, often a superior or c-level executive. Commonly targeted are employees with the ‘keys to the kingdom', or access to resources within a company that might be desirable to a cyber-criminal. For example, an IT department, one of the most common targets, will hold master credentials. The finance department might be useful to access the cold hard cash that cyber-criminals so crave.
Wieland Alge, VP & GM EMEA at Barracuda Networks spoke to SCMagazineUK, explaining this new phenomenon: “While the Snapchat payroll team probably don't have a daily correspondence with Snapchat's CEO, they clearly know who and how important he is – hence why they fell for the scam.”
Alge added, “In this case, the hackers took advantage of one of the easiest channels for business phishing attacks - HR departments. HR and payroll are flooded with emails containing all types of attachments and they are encouraged and even obliged to open them.”
Such attacks often involve large amounts of research, with the cyber-criminals forensically examining the structure and procedures of the targeted company. Attackers will then go about obtaining an email address nearly identical to an executive within the company, say ‘editor@SCMaglazineUK.com'. Emails will be tailored to look at legitimate as possible and often contain an urgent tone, attempting to not give the targeted employee the time to be sceptical about what he or she is being asked to do.
Mimecast released a report late last year, predicting that whaling would become more and more common in 2016. In the last three months of 2015, the report noted, over half of the organisations surveyed mentioned that they had seen an increase in whaling attacks.
Luke Brown, VP and GM EMEA, India and Latam at Digital Guardian spoke to SC, saying that whaling is “often the simplest method of attack that becomes the most successful. By impersonating a high-profile figure in the company, attackers have bypassed any security measures Snapchat had in place, and gained access to sensitive payroll information of a number of employees.”
This is not the first time that Snapchat has encountered a cyber-attack. In early 2014, the social media company was hacked and the details of 4.6 million customers were leaked on a website called SnapchatDB.
Snapchat has pledged to update their security consciousness in the form of redoubling “our already rigorous training programmes”. Snapchat did not respond for comment in time for publication.