Taken in phishing attack, Microsoft’s unmentionables aired by hacktivists
If Microsoft and eBay aren't safe from social engineering attacks, who is?
Pro Syrian hacktivists have offered compelling proof that they successfully breached Microsoft's corporate network and made off with highly sensitive documents that company employees sent to law enforcement officials, according to a media report published Thursday.
Billing invoices and other documents show Microsoft charging the FBI hundreds of thousands of dollars a month to comply with legal requests for customer information, according to the article published by The Daily Dot. The publication said the stolen Microsoft material was provided by members of the Syrian Electronic Army (SEA), a hacking group that has compromised social media accounts and occasionally private networks of eBay and Viber, as well as media outlets including The Washington Post, the Associated Press, The Financial Times, the BBC, Al Jazeera, and Forbes. The group has proven itself to be extremely effective in waging highly targeted phishing attacks that extract login credentials. For an idea how intricate some SEA attacks can be, see thisdetailed post-mortem of a recent ransacking of Forbes.
Most of the SEA's successes result in little more than a public embarrassment for the compromised targets. But recent exploits against Microsoft and eBay, which Ars covered here andhere, were more serious because they exposed confidential operations or data that could be used to further penetrate the companies or compromise operational security.
The hackers behind the eBay attack, for instance, intercepted the real-time communications of eBay security personnel as they responded to a recent hack of the company's UK websites. That eavesdropping had the potential to foil eBay's attempts to remediate a breach in progress. The SEA's access of servers containing private communications between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit is similarly detrimental to the company's operational security. Taken together, the breaches are a sad commentary on the current state of security. If employees of two of the most visible technology companies in the world can't steer clear of social engineering attacks, what hope is there for less experienced Internet users?
The Daily Dot report also raises another good question about the means by which Microsoft employees communicated with FBI officials. The documents, Thursday's post reported, appear to have been sent using plain-vanilla e-mail, possibly with no encryption. If true, the practice represents a startling admission that sending encrypted e-mail is too onerous even for people at the world's biggest software companies.
Post updated to change the headline and add link to post-mortem of Forbes breach.
No comments:
Post a Comment