CASE STUDY: A Recent High‑Profile Targeted Phishing Incident

This is part two of a three-part series on the anatomy of a phishing attack. Our partners at Cisco have outlined a case study below on a recent high‑profile targeted phishing incident.

WHAT HAPPENED?

In 2020, hackers targeted a popular company through social engineering and organized phishing attacks. Within 24 hours, the hackers gained access to the corporate network, compromised credentials that had access to critical internal systems, and took over high-value user accounts on the platform.

HOW DID IT HAPPEN?

STEP 1

Social Engineering

Hackers executed a social engineering attack by calling several employees and claiming to be from the organization’s IT help desk. Like many organizations enabling their employees to work from home, the company depends on a virtual private network (VPN) for remote access, and since the switch to remote work, VPN issues had been common at the company. The hackers used this pretext to trick victims into logging into a phishing website, pretending they were responding to a reported VPN problem.

STEP 2

Targeted Phishing

When some employees acknowledged the problem, they were directed to a credential phishing website that looked identical to the legitimate corporate website. The hackers had taken care to host the fake login page on a similarly named domain. As the employees entered their credentials into the phishing website, the hackers captured those credentials and simultaneously entered them into the legitimate VPN login page. The hackers’ login generated an MFA request, and some of the employees approved it, assuming the request had been generated by their own login (to the fake website). This allowed the hackers entry into the corporate network.
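The relay described in Step 2 leaves one trace on the defender’s side: the real VPN sees the password and the MFA approval arriving from the attacker’s address, not from the employee’s usual one. The following is an added detection example, not code from the original case study or from Cisco. It assumes a constructed VPN authentication log format (`time user=… src=… result=…`) and flags any MFA-approved login from a source address that user has never used before the monitoring cutoff.

```python
"""Flag MFA-approved VPN logins from source addresses never seen for that user.

Assumed (constructed) log line format, one event per line:
    <ISO8601 UTC time> user=<name> src=<IPv4> result=<password_ok|mfa_approved|mfa_denied>
"""
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events: a baseline week of normal logins, then an
# incident day on which alice's credentials are relayed from a new address.
SAMPLE_EVENTS = [
    "2020-07-08T09:02:11Z user=alice src=198.51.100.23 result=password_ok",
    "2020-07-08T09:02:20Z user=alice src=198.51.100.23 result=mfa_approved",
    "2020-07-08T09:15:02Z user=bob src=198.51.100.77 result=password_ok",
    "2020-07-08T09:15:09Z user=bob src=198.51.100.77 result=mfa_approved",
    # Incident day: the attacker types alice's phished password into the real
    # VPN portal; alice approves the resulting MFA push on her phone.
    "2020-07-15T14:01:10Z user=alice src=203.0.113.44 result=password_ok",
    "2020-07-15T14:01:31Z user=alice src=203.0.113.44 result=mfa_approved",
    # bob logs in from his usual address as normal.
    "2020-07-15T14:03:05Z user=bob src=198.51.100.77 result=password_ok",
    "2020-07-15T14:03:12Z user=bob src=198.51.100.77 result=mfa_approved",
]


def parse_event(line):
    """Split one log line into a dict with a parsed timestamp and key=value fields."""
    stamp, *fields = line.split()
    event = {"time": datetime.strptime(stamp, TIME_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def flag_new_source_logins(lines, cutoff):
    """Return (user, src, time) for each MFA-approved login from a source address
    the user had not successfully used before.

    Events earlier than `cutoff` (ISO8601 string) only train the per-user set of
    known addresses; events at or after `cutoff` are both learned and alerted on
    the first time a new address completes MFA.
    """
    cutoff_time = datetime.strptime(cutoff, TIME_FMT)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    known_sources = defaultdict(set)
    alerts = []
    for ev in events:
        if ev.get("result") != "mfa_approved":
            continue
        user, src = ev["user"], ev["src"]
        if src not in known_sources[user]:
            if ev["time"] >= cutoff_time:
                alerts.append((user, src, ev["time"].isoformat()))
            known_sources[user].add(src)
    return alerts


if __name__ == "__main__":
    for user, src, when in flag_new_source_logins(SAMPLE_EVENTS, "2020-07-15T00:00:00Z"):
        print(f"ALERT: {user} completed MFA from never-before-seen address {src} at {when}")
```

In this sample the only alert is alice’s login from 203.0.113.44; bob’s login from his usual address is silent. A new-address alert on its own is noisy, since people do travel, so in practice it is paired with a help-desk confirmation or with MFA methods that bind the approval to the site being visited rather than to a push the user can approve blindly.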

STEP 3

Lateral Movement

The initial account that was compromised did not have access to the critical internal tools the hackers wanted to infiltrate. But once inside the network, the hackers could navigate to various information systems and learn more about the internal processes. They were able to view internal websites that described how to access the critical internal applications and systems, and which employees had access to them. Armed with this information, the hackers then targeted the employees who had the access they wanted, using the same social engineering and phishing tactics. The hackers succeeded in compromising those employees’ credentials to gain access to critical internal systems — and ultimately took over high-value user accounts on the platform.

Has your business been targeted by a recent phishing attack? Do you need help with systems that have been compromised? Contact us to see how we can partner together.