I write a monthly round-up of noteworthy cyber attacks and data breaches for the cybersecurity company Arctic Wolf. Here is a sample from late 2021.
One thing about the world of cybersecurity: it’s seldom dull. The variety and creativity of cyberthieves keep the industry worth watching. November’s roster of data breaches is an excellent illustration of that point: a mix of surprising methods, unusual motivations, and one old-fashioned data heist on one of the internet’s most tempting targets.
November’s Biggest Cyber Attacks
Robinhood Robbed in Customer Service Breach
The online stock-trading platform Robinhood built its reputation as an outlet where regular people could navigate the stock market without needing a lot of financial expertise, but users found themselves facing a different kind of risk last month. The November 3 data breach began when an attacker phoned a Robinhood customer support employee and talked them into granting access to certain customer support systems.
Known as vishing (voice phishing), this social-engineering call gave the attacker access to a database of email addresses, names and, for a smaller group of customers, phone numbers, covering millions of Robinhood customers.
Robinhood issued a statement within a week of the breach and has continued to update users about potential data exposures. While the company does not believe the attackers obtained Social Security numbers, bank account numbers or debit card numbers, the attackers did demand a ransom payment. The risk remains high that the stolen data will be used for follow-on attacks such as targeted phishing, since a list of confirmed customer email addresses and names is exactly what a convincing lure needs. TechCrunch notes that this attack bears similarities to the 2020 phone spear-phishing attack on Twitter, suggesting that vishing scams such as this one may be on the rise.
Records Exposed: Email addresses and personally identifiable information
Type of Attack: Vishing
Date of Attack: November 3, 2021
Location: Menlo Park, CA
Key Takeaway: Not all cybercrime involves high-tech methods. In this case, a scammer set off the theft of a large volume of data simply by talking their way past a support employee over the phone. Remember that cybersecurity extends to social-engineering defenses: verify the identity of anyone requesting access over the phone or other traditional channels, and never let a single convincing caller be enough to unlock customer systems.
GoDaddy Suffers Another Big Breach
One of the problems with being top dog in your industry is that you’re also the biggest target. That’s a lesson GoDaddy, the largest domain registrar in the world, has learned several times over, most recently in a major data breach first identified on November 17. In the fifth major security incident at GoDaddy in the past three years, an attacker used a compromised password to reach the provisioning system of the company’s legacy Managed WordPress hosting environment. The intrusion exposed the email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress customers, the original WordPress admin passwords set at provisioning, sFTP and database usernames and passwords for active customers, and SSL private keys for a subset of them. The exposure also reached customers of GoDaddy’s reseller brands, including tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet and Host Europe.
GoDaddy moved quickly once it found the breach, resetting the exposed sFTP and database passwords, resetting admin passwords still set to their original values, and issuing and installing new SSL certificates for affected customers. Even so, more than a million website owners now face a greater risk of phishing and other follow-on attacks, and anyone whose sFTP or database credentials were exposed should assume the attacker could have read or modified their site at any point between September and November and check for unauthorized changes. It’s a frustrating situation all around for a company that keeps dealing with these attacks and for customers who keep paying the consequences.
Records Exposed: Email addresses, customer numbers, original WordPress admin passwords, sFTP and database usernames and passwords, SSL private keys
Type of Attack: Data theft via stolen password
Industry: Communications and technology
Date of Attack: September 2021, identified November 17, 2021
Location: Tempe, AZ
Key Takeaway: Heavy is the head that wears the crown. Visible leaders in nearly any industry make a juicy target for cybercriminals, and often have wide-ranging and complicated online operations with more opportunity for security gaps across a broader attack surface. A single compromised password should never be enough to reach a system that holds the credentials for a million customer sites, and an intrusion should not go unnoticed for two months; strong authentication on privileged systems and monitoring that catches unauthorized access are the responsibility of any company handling this much sensitive data.
The FBI Cybersecurity Team Proves Less Than Secure
The FBI would probably rank high on most people’s lists of the least likely organizations to suffer a public hack, but that’s exactly what happened on November 13.
In a rather bizarre attack, FBI email servers sent out a wave of messages on November 13 warning recipients of a supposed pending attack and naming a well-known security researcher as the culprit. In reality, those emails appear to be the work of a hacker with a longstanding grudge who has previously tried to damage the same researcher’s reputation.
This case is unsettling because the emails were genuinely sent from FBI infrastructure, so they passed the sender-authentication checks that would catch an ordinary spoofed address. A known hacker using the handle Pompompurin claimed credit, saying they abused a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP): the portal’s account-signup process sent a confirmation email from an FBI mail server, but the message contents came from the user’s browser, so the request could be edited to send an arbitrary subject and body to any address. Pompompurin also contacted a cybersecurity journalist to boast about the feat and note they could have done far more damage with the access they gained. The hacker is probably correct: malicious emails sent from a legitimate FBI address could easily fool people in high places into doing things far more harmful than an easily discredited smear of a security researcher.
Records Exposed: None reported; the FBI’s LEEP email system was abused to send spoofed warnings
Type of Attack: Email hijack
Industry: Law enforcement and national security
Date of Attack: November 13, 2021
Location: Washington, D.C.
Key Takeaway: We’re probably all fortunate that this seems most likely a grey hat attack. While using government channels to slander your enemies is definitely not laudable behavior, the hacker is correct that they could potentially have created a far more dangerous situation. This hack is a reminder that even some of the most secure organizations in the world can be vulnerable without constant diligence.
Hackers Hide Out in the Fine Print
November spotlighted a newer approach to phishing that’s as simple as it is ingenious. The scheme, dubbed One Font by researchers, involves threat actors padding the HTML of phishing emails aimed at Microsoft 365 users with text set in one-point font and hiding links inside CSS. Text that small is essentially invisible to the reader, but the natural-language filters Microsoft relies on to catch phishing still parse it, so the junk words break up the wording of the lure and the filter no longer recognizes it as a phishing message.
One Font is an evolution of a similar technique called ZeroFont, first identified in 2018, which used zero-size font to the same end. The attack otherwise works like any other phishing campaign: end users receive innocuous-looking emails disguised as ordinary messages from their IT department, and the damage is done when they follow the links, typically to a page that harvests their credentials. The danger lies in the evasion of their company’s email security filters, which are supposed to stop such messages from ever reaching the inbox.
While it is unclear at this point how commonly it is employed or how many victims it may have struck, One Font serves as a reminder of how innovative and proactive criminals can be in their efforts to dodge security and get their hands on sensitive data.
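To show why a filter can be fooled by text a human never sees, here is an added Python example (not part of the original round-up, and not Avanan’s or Microsoft’s code) that parses a constructed phishing email and separates the text a reader would see from the text only a filter sees. The sample message, the one-point readability threshold and the assumed 16px base font size for relative units are my own choices for the illustration.

```python
"""Separate human-visible text from ZeroFont / One Font hidden text in an HTML email."""
import re
from html.parser import HTMLParser

# Constructed sample lure (not a real message): junk words in 1pt or 0px spans are
# interleaved with the phishing text, so a filter that reads every text node sees
# "Your lorem Office 365 password ipsum dolor expires today..." instead of the lure.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your<span style="font-size:1pt">lorem</span> Office 365 password
<span style="font-size: 0px">ipsum dolor</span>expires today.</p>
<p>Click <a href="https://login.example.invalid/reset">here</a>
<span style="FONT-SIZE:1pt;color:#fff">sit amet</span> to keep your account.</p>
<p style="font-size:10pt">IT Helpdesk</p>
</body></html>
"""

FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(pt|px|em|rem|%)?", re.I)
HIDDEN_PT_THRESHOLD = 1.0   # at or below this size text is unreadable (assumption)
BASE_FONT_PX = 16.0         # assumed browser default used for em/rem/% (assumption)
PT_PER_PX = 0.75            # CSS defines 1px = 0.75pt


def is_hidden_style(style):
    """Return True if an inline style sets a font size a human cannot read."""
    match = FONT_SIZE_RE.search(style or "")
    if not match:
        return False
    value = float(match.group(1))
    unit = (match.group(2) or "px").lower()
    if value == 0:
        return True                      # the original ZeroFont trick
    if unit == "pt":
        points = value
    elif unit == "px":
        points = value * PT_PER_PX
    elif unit in ("em", "rem"):
        points = value * BASE_FONT_PX * PT_PER_PX
    else:                                # percent of the base size
        points = value / 100.0 * BASE_FONT_PX * PT_PER_PX
    return points <= HIDDEN_PT_THRESHOLD


class _TextSplitter(HTMLParser):
    """Collect text nodes, tagging each as visible or hidden by its enclosing style."""

    VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}

    def __init__(self):
        super().__init__()
        self.open_tags = []      # (tag, hides) for each open element
        self.hidden_depth = 0    # > 0 while inside any hidden element
        self.visible, self.hidden, self.everything = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID_TAGS:
            return
        hides = is_hidden_style(dict(attrs).get("style"))
        self.open_tags.append((tag, hides))
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in self.VOID_TAGS or all(name != tag for name, _ in self.open_tags):
            return
        # Pop back to the matching open tag, tolerating sloppy nesting.
        while self.open_tags:
            name, hides = self.open_tags.pop()
            if hides:
                self.hidden_depth -= 1
            if name == tag:
                break

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        self.everything.append(text)
        (self.hidden if self.hidden_depth else self.visible).append(text)


def analyze(html):
    """Return the reader's view, the filter's view and a verdict for one email body."""
    parser = _TextSplitter()
    parser.feed(html)
    parser.close()
    return {
        "visible_text": " ".join(parser.visible),    # what the recipient reads
        "hidden_text": " ".join(parser.hidden),      # what only the filter reads
        "filter_sees": " ".join(parser.everything),  # naive all-text extraction
        "hidden_fragments": len(parser.hidden),
        # Legitimate mail almost never needs unreadably small text; one fragment
        # is enough to quarantine, or at least to rescan the visible text alone.
        "suspicious": len(parser.hidden) > 0,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL_HTML)
    for key in ("filter_sees", "visible_text", "hidden_text", "suspicious"):
        print(f"{key}: {result[key]}")
```

The practical lesson is in the two views: a content filter should classify `visible_text`, the string a human actually reads, rather than the raw concatenation in `filter_sees`, and should treat any non-empty `hidden_text` as a signal in its own right. Two caveats: some legitimate newsletters hide “preheader” text with tiny fonts, so a production rule needs tuning or a sender allow-list, and this example only looks at `font-size`; the same trick can be pulled with matching foreground and background colours, `display:none`, or zero-width elements, which a real detector must also check.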
Records Exposed: Unknown
Type of Attack: Phishing
Industry: Potentially all
Date of Attack: November, 2021
Key Takeaway: What won’t these criminals think of next? Using something as simple as shrinking a font size as an inroad to cybercrime seems almost silly, but it underlines the creativity and adaptability of online criminals. It also underscores the importance of a cybersecurity solution that scales and adapts as quickly as the hackers do.
The diversity of attacks this November demonstrates what a wild world cybersecurity can be. From phony phone calls to tiny fonts to personal grudges, the stories behind data theft constantly change, so investing in security operations and solutions that can keep up with that hectic pace is a necessity for any business.