The Weekly Breach Breakdown Podcast by ITRC - BYOB - S3E23

Show Transcript

BYOB

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for September 2, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we look at a particularly effective kind of attack against businesses that has emerged in the past month or two that is leading to supply chain attacks and a lot of data breach notices. 

Most organizations offer some form of “BYOD.” Not the Bring Your Own Booze that shows up on party invitations – but Bring Your Own Device. Since June, though, a new wave of attacks aimed at employees who use their own smartphones is leading to a new BYOB (and this week’s episode title) Bring Your Own Breach.

Stolen Credentials Are Leading to Supply Chain Attacks

Cybersecurity journalist Brian Krebs published an article this week that outlines how cybercriminals who specialize in phishing attacks are seeing success using text messages to steal credentials and one-time passcodes from employees at some of the world’s largest tech and customer support companies. The reason this is happening is the ability of identity thieves to contact employees directly through their mobile devices. The result has been a dramatic rise in data compromised in supply chain attacks.

How It Is Happening

Here’s how it has worked, according to Krebs and the security researchers who discovered the new exploit:

In mid-June 2022, phishing text messages targeting employees at firms that provide outsourced customer support to thousands of companies asked users to click a link and log in. It turns out the other end of that link was a phishing page that mimicked their employer’s Okta authentication page. The text messages urged employees to click on the link to see pending changes in their work schedule.

The CEO of one of the companies that was attacked, Cloudflare CEO Matthew Prince, posted a blog outlining what happened:

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employee's family members.”

How These Phishing Attacks Work

These attacks, at the end of the day, are relatively low-tech, easy to execute and increasingly difficult to spot. They leverage human behavior (our desire to be instantly responsive) along with new tools that make it difficult for the trained professional and almost impossible for the average person to spot as fake. In some cases, they are fake messages sent from real company accounts.

Its Time to Move Away from MFA Codes & Towards Authentication Apps

All this points to the need for businesses to continue to move away from text-delivered multi-factor authentication (MFA) codes and move to mobile authentication apps. The rest of us should be even more diligent when we get a text message from work that sends us to an unfamiliar website asking for our credentials. Stop and verify with your employer before you act. You can stop a breach and supply chain attacks before they happen.

Contact the ITRC

If you think you have been the victim of a data breach or other identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Later this month, we will publish our Annual Consumer Impact Report that focuses on identity crime impacts on individuals. In October, we’ll publish our report on how small businesses are impacted by identity crimes and cyberattacks.

From the ITRC staff, please have a safe and relaxing Labor Day weekend. We will be back next week with another episode of the Weekly Breach Breakdown.