This is yet another resounding wakeup call to internet users: phishing is real, and everyone has to be fastidious about cybersecurity
Popular social news and discussion platform Reddit recently revealed that it had been the victim of a phishing attack and that its systems had been breached.
The hackers had gained access to its internal dashboards and business systems, but no user passwords or accounts were accessed, according to the firm.
According to Jamie Boote, Associate Principal Consultant, Synopsys Software Integrity Group, the good news is that the breach appeared to be limited to office systems and did not reach the production systems that host the website itself, user data, or other information that could be used to compromise Reddit users. This is likely because the firm limits non-IT employees' access to production data.
“In today’s networking environments, software and hardware are no longer the least secure component of the system: people are. When designing IT systems, applications, and devices, it should be assumed that a user will fall for a phishing scam, download the wrong application, or otherwise fail to act in a perfectly secure way. By taking this into account, defense in depth can limit the impact of a breach,” Boote said.
In the past, a phishing attempt could be recognized by a number of telltale signs, such as sloppy grammar or a generic greeting (“Hello user”) in place of the recipient's name. Today, however, scammers have become considerably better, taking the trouble to copy graphical elements from official websites and even using ChatGPT to polish their wording.
However, the most worrying improvement is that the links leading victims to malicious servers and attachments are now hidden behind layers of intermediate servers to avoid casual identification. Boris Cipot, Senior Security Engineer at Synopsys, noted that many people have lost their life savings to phishing. “For companies, the advice is to rethink their security posture on the communication side. Are you checking emails, and the links and attachments in them? Are you educating your employees on the tricks? It is important to make sure the protection against phishing and other scamming techniques is in place. Do not forget social engineering too, as it often is a part of the main attack vector. As for 2FA, many say that SMS is not meant to be used for security. This is true, and many services already depend on authenticator apps from Google or Microsoft or even have their own to provide the necessary additional security. However, an SMS verification is still better than a pure username and password combination.”