Northrop Grumman can make a stealth bomber – but falls for W-2 phishing attack



US military contractor Northrop Grumman notified its employees that hackers managed to gain access to their W-2 tax records.

As The Register just reported, the makers of America’s stealth bomber acknowledged in a letter sent to employees and the California Attorney General’s office that hackers infiltrated its online portal at various times over the course of almost a year, gaining access to workers’ W-2 paperwork for the 2016 tax year.

"The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal."

During tax season, internet criminals race to submit tax refund requests using the stolen W-2 data, tricking the IRS into issuing a fraudulent refund in the name of the victim whose tax data was stolen.

Hackers Used Stolen Credentials

Many larger organizations outsource W-2 management to third-party firms. Equifax Workforce Solutions, which ran the tax portal on behalf of Northrop Grumman, says it does not believe the hackers got into its systems by exploiting a vulnerability; instead, they used a legitimate user’s stolen login details.

Bad Guys Could Fly Under The Radar For More Than A Year

Meaning... the bad guys targeted a high-risk employee, sent them a spear phishing attack, obtained their credentials, and then flew under the radar for more than a year. Epic Fail.

In response to the attack, Northrop Grumman says it has disabled access to the W-2 portal, except from its own network. The company says it is also working with law enforcement agencies as they continue to investigate a spate of similar attacks targeting W-2 data.

Dozens of well-known organizations have fallen for CEO Fraud attacks targeting their staff’s W-2 data. Seagate is one of them: its employees sued their own company after their W-2 information was stolen.

You have got to have systems in place to protect employee personal data. Don’t be that guy: put protective measures such as multi-factor authentication in place to reduce the chances of an attacker compromising important online accounts.

We also strongly recommend phishing your own users to prevent these types of very expensive snafus. If you're wondering how many people in your organization are susceptible to phishing, here is a free phishing security test (PST):

Get Your Free PST Now
