Who’s Phishing? When Insiders become Threats!

RockmusicRaider - Who's Phishing? When insiders become threats!

In God we Trust, everyone else uses the firewall.

That’s the credo handed down from the RMR IT department. It’s a sane reminder that the internet is an ugly place. Full of bad actors out to get your data or your money for any and all nefarious activities out there.

Supposedly.

Because not everyone is a bad apple, of course. And it’s always quite a task to filter genuine visitors from intruders, as you don’t want to hinder the former, but block the latter. Thus, sporting some great site security, complete with a sturdy firewall, is indeed one important pillar of any webmaster’s SEO strategy.

So, now your first defenses work.

The firewall’s up, bots controlled, hackers kept at bay. But now you have to deal with the scammers of this world. Those that try to gain entry by tricking you into hitting a link. Or to get you to divulge IDs and passwords through some sorcery of sorts. Phishing specifically has morphed into one of the most used tools to illegally gain access to sites and data.

But – of course – you’re savvy, and none of these (not so) subtle shenanigans can really sway you. So far, so good, right?

But, what if the phishing attack seemingly comes from within?

If you’re running WordPress, you will most probably use plugins and other specialized services that help you to gain functionality, increase efficiency, or be that masterful SEO wizard. Often, these services were started by those overly brainy nerds. Undoubtedly more intelligent than yours truly will ever be, they nonetheless think that they own the internet and its mysterious innards.

And make no mistake, those services this community concocted really help in many ways. So much so that the grouchy accountant living in the basement of the RMR office tower even pays for them – sometimes.

Yet, some of them are also driven by that weird belief that their ilk is somehow part of some sort of benign hacker community, where youthful coolness is king. A bruh culture that sometimes forgets the real world out there – and the real implications their actions can have.

What else could possibly go wrong, right?

On a few occasions, RMR here received an email. From a known source, coming from a CEO, co-founder, or other VIP of one of those services we use. Seemingly. And – surprise – it does what all phishing masters like to do.

It asks you to update personal or payment information. By clicking on a shiny blue link directly inserted into the email. To add insult to injury, these emails look pristine and truly feel like the archetype of a spearphishing mail, allegedly from a known source.

That is exactly what all IT security experts warn you about. And the iron-clad rule is that you never, ever click on such a link. Banks these days even go out of their way to sternly tell you that they’ll never ask you for confidential data by mail or phone directly. So, any such communication – presumably with live links – asking for personal data is to be treated as an attack.

Now, that’s very intelligent advice. Because, as a webmaster, you’d look really stupid if the websites in your care get shut down because you clicked on such a link.

Thus, phishing from within is a threat!

Whenever we receive such a communication, red lights start flashing and all alarm bells go off. Neat-looking mails coming from a trusted source but with a bad smell are exactly what we’re looking for. If they come with THAT almost proverbial link to boot, then this pretty much seals their fate.

And look at it that way. These misguided attempts at efficiency might well be genuine, but that’s beside the point. If a bad actor got hold of the wording of the email, they could replicate it down to the minutest detail and use it for their own spearphishing. It’s a scammer’s wet dream come true.

So, whenever this occurs there is no other way for us than to waste valuable time investigating if this is a scam or a genuine attempt. That sucks, and no argument to the contrary can make that go away.

In fact, such phishing actions are amateurish at best and catastrophic at worst. Those service providers put the security of their own clients at risk. Or worse still, they may very well be on a path to self-destruction should push come to shove.

The solution?

It’s simple. Integrate the request into account pages or directly into your tool. Then, send neutral directions to your clients WITHOUT any link. It’s still somewhat dicey, but it will at least communicate that some change is afoot.

Most of the service providers out there do this beautifully. It is only some of them that somehow don’t get it. And those few waste RMR’s valuable and very limited time AND they threaten our own site security.

We hate nothing more than that.

