Reddit is the Latest Victim of a Spear Phishing Attack Resulting in a Data Breach

Reddit Spear Phishing Attack

There is a lot to learn from Reddit's recent data breach, which was the result of an employee falling for a “sophisticated and highly-targeted” spear phishing attack.

I spend a lot of time talking about phishing attacks and the specifics that closely surround that pivotal action taken by the user once they are duped into believing the phishing email was legitimate.

However, there are additional details about the attack we can analyze to see what kind of access the attacker was able to garner from this attack. But first, here are the basics:

According to Reddit, an attacker set up a website that impersonated the company’s intranet gateway, then sent targeted phishing emails to Reddit employees. The site was designed to steal credentials and two-factor authentication tokens.

There are only a few details from the breach, but the notification does mention that the threat actor was able to access “some internal docs, code, as well as some internal dashboards and business systems.”

Since the notice does imply that only a single employee fell victim, we have to make a few assumptions about this attack:

  • The attacker had some knowledge of Reddit’s internal workings – The fact that the attacker can spoof an intranet gateway shows they had some familiarity with the gateway’s look and feel, and its use by Reddit employees.
  • The targeting of victims was limited to users with specific desired access – Given the knowledge about the intranet, it’s reasonable to believe that the attacker(s) targeted users with specific roles within Reddit. From the use of the term “code,” I’m going to assume the target was developers or someone on the product side of Reddit.
  • The attacker may have been an Initial Access Broker – Despite the access gained that Reddit is making out to be not a big deal, they do also mention that no production systems were accessed. This makes me believe that this attack may have been focused on gaining a foothold within Reddit versus penetrating more sensitive systems and data. 

There are also a few takeaways from this attack that you can learn from:

  1. 2FA is an important security measure – Despite the fact that the threat actor collected and (I’m guessing) passed the credentials and 2FA details onto the legitimate Intranet gateway—a classic man-in-the middle attack—it’s far better to have MFA in place than to have no additional authentication factors in place.
  2. Employees play a major role in organizational cybersecurity – Reddit mentions that “soon after being phished, the affected employee self-reported, and the security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”

    Users that are aware of how important they are in keeping the organization secure – something taught through continual security awareness training – can truly make the difference. With so many attacks involving threat actors lying undetected for literally months, it’s refreshing to hear about an attack where the threat actor was cut off quickly by the swift thinking of a user who knew exactly what to do once they realized they had been tricked.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews