The announcement indicates that, despite awareness and training, phishing remains a significant (and successful) method for cyberattackers. In fact, a new report from Netskope out today reveals that, while users are warier when it comes to spotting phishing attempts in emails and text messages, they are increasingly falling prey to phishing via websites, blogs and third-party cloud apps.

Sophisticated phishing

Millions of developers store and manage source code in GitHub. In September, the company’s security team learned that threat actors impersonating CircleCI - a popular continuous integration and code product - had targeted GitHub users via phishing to harvest user credentials and two-factor authentication codes.

The same situation occurred with Dropbox, which uses GitHub to host its public and some of its private repositories. The company also uses CircleCI for select internal deployments, and GitHub credentials can be used to log in to CircleCI.

In October, multiple Dropboxers received phishing emails impersonating CircleCI with the intent of targeting GitHub accounts, Dropbox reported.

“In today’s evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect,” Dropbox wrote. “Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multifactor authentication codes as well.”

“We believe the risk to customers is minimal,” Dropbox said. The company also reported that its core apps and infrastructure were unaffected, as their access is even more limited and strictly controlled. However, the company said, “We’re sorry we fell short.”

The best trained employees still fall prey

Security leaders weighing in on the news emphasized the importance of continued training and awareness amid increasingly savvy attacks and scaled-up techniques.

“Attackers today seem to be moving towards compromising ‘ecosystems.’ They want to be able to compromise apps that have massive user bases (like Dropbox) and the way they are doing that is by attempting to compromise the people in power: The developers,” said Abhay Bhargav, CEO and founder of AppSecEngineer, a security training platform.

This particular campaign targeted Dropbox developers and/or devops team members, he explained. Attackers set up phishing sites “masquerading” as CircleCI. The attack phished developers and stole their GitHub credentials. Attackers then compromised a developer’s access and used that to steal an API token that could be used to access some metadata around Dropbox’s employees, customers and vendors.

“This is an interesting evolution of phishing, as it is oriented towards more technical users,” said Bhargav. “This eliminates the myth that only non-tech users fall for phishing attacks.”

Matt Polak, CEO and founder of the cybersecurity firm Picnic Corporation, agreed that this sophisticated social engineering attack proves that even the most well-trained employees can be compromised.

To reduce risk, organizations should, first, have the capability to monitor and reduce their company and employee OSINT exposure, as attackers need this data to craft their attacks, he said. Secondly, companies need to be able to “identify and block attacker infrastructure and accounts that impersonate them or a trusted third party before these can be leveraged against their people,” said Polak.