Summer is here and phishing season is in full swing. May saw a troubling range of phishing attacks carried out against a wide array of targets, from retirement planners to school systems to national defense. Bundle all of those efforts together with a disturbing ransomware attack on the air travel industry and you have all the evidence you need of the dangers of inadequate cybersecurity at every level.
May’s Biggest Cyber Attacks
Ransomware Attempt Grounds India’s SpiceJet
In the category of “at least it wasn’t as bad as it could have been,” an attempted May 24 ransomware attack on India’s SpiceJet budget airline disrupted operations for a significant number of travelers.
While the airline’s cybersecurity and IT teams were able to resolve the problem before the end of the day, multiple flights were delayed, leaving airports full of frustrated and confused ticket holders. Many of those impacted took their complaints to social media, generating some very unwelcome publicity for an airline already dealing with a good deal of negative press .
Fortunately, it appears that quick action by SpiceJet’s security team was able to stave off a full-blown ransomware situation. A company statement claimed that attackers were thwarted before actually breaching the system .
Even so, a number of SpiceJet functions including some booking systems and telephone-based customer service remained offline the following day, presumably as part of the company’s security measures. While this incident could have been far more damaging, it still stands as an example of the public relations dangers that go along with any high-profile cyberattack.
Records Exposed: None, but significant disruption to air travel processes
Type of Attack: Ransomware
Industry: Air travel
Date of Attack: May 24, 2022
Location: India
Key takeaway: Cybercrime doesn’t have to be a complete success in order to do damage. In this case, it appears that SpiceJet’s cybersecurity worked well and likely averted a much worse outcome for the airline and its passengers. Even so, for a business that was already dealing with reputational damage, the appearance of negligence that comes with a data breach can have a powerful and lasting impact on public perception.
Cybercriminals Target the Public Sector in Canada
If there’s one institution you’d like to be able to trust, it’s your kids’ school. For parents in one Canadian town, cybercriminals did their best to put a dent in that trust last month.
The Mission School District in British Columbia fell victim to a May 12 phishing attack that allowed hackers to access official school email accounts . Multiple members of the school’s mailing list reported receiving vague messages from teachers and administrators (a form of spear phishing) that included a link to a “payment remittance” attachment.
While the emails seem to have been too crudely composed to fool many recipients, the thieves’ approach revealed a fair bit of sophistication—emails were sent from high-level administrators such as the school’s vice principal, and messages from a French immersion teacher were written in French.
Less fortunate were the people of Elgin County in Ontario, where identity thieves made off with the personal data of 330 county employees and long-term care residents . That theft included data from 33 people that was deemed “highly sensitive” and potentially “devastating” by a county official. Compounding the issue, authorities have cited a troubling lack of transparency from county administrators.
The incident seems to have taken place sometime in March, but was not revealed to the affected parties for nearly two months. The nature of the attack has not been clarified beyond being called a “cybersecurity incident,” although it would appear to have the earmarks of a ransomware attack—a number of the county’s functions were offline for much of April.
Records Exposed: Employment, medical, and personal data
Type of Attack: Phishing, possible ransomware
Industry: Municipal government
Date of Attack: March 2022 (revealed in May 2022)
Location: Mission, British Columbia and Elgin County, Ontario
Key takeaway: Gaining access to trusted institutions is a major win for cybercriminals, whether that means posing as a French teacher in an attempt to grab some quick cash or stealing sensitive medical information.
Unfortunately, public sector data remains an appealing target for thieves due to the combination of sensitive materials and limited security budgets found in that field. Municipalities are doing their constituents a disservice by not investing more heavily in cybersecurity.
U.S. Department of Defense Vendors Let Their Guard Down
A late April conviction revealed an embarrassing breach in security at the department tasked with the national defense. California-based scammer Sercan Oyuntur and colleagues perpetrated a successful phishing operation against partners of the U.S. Department of Defense back in 2019.
The scam was a multi-step process—Oyuntur’s group sent emails to a range of vendors after purchasing a domain name similar to the official DoD website, then hijacked the vendors’ account details via a cloned “login.gov” page. Payments intended for the vendors were instead funneled into accounts belonging to the thieves.
The theft was detected by an automated scan of the DoD’s EBS servers , designed to flag payments and transactions categorized as risky. Even so, the scammers were able to talk the Defense Logistics Agency into authorizing payments, only to shoot themselves in the foot by channeling the money through a shell business that wasn’t an approved vendor.
That move set off another flag, and Oyuntur was arrested not long after, although not before his team inflicted more than $23 million in damages. Oyuntur’s April 29 conviction could send him to prison for up to 30 years. That may serve as a cautionary tale for other aspiring cybercriminals, but the fact that these thieves got as far as they did phishing a presumably secure organization might also serve as an inspiration.
Records Exposed: Military vendor contracts and payments
Type of Attack: Phishing
Industry: Defense, federal government
Date of Attack: 2019
Location: California
Key takeaway: It takes a bold criminal to go after the DoD. While Oyuntur and his colleagues were ultimately their own worst enemies, the relative ease with which they were able to fool multiple affiliates of one of the nation’s most secure entities should be a lesson in both the lengths to which criminals are willing to go and the vulnerability of even high-level targets.
Australian Pension Plans Get Phished
Around 50,000 Australian workers got a scare last month when a May 19 data breach exposed their personally identifiable information. In what has been characterized as a phishing attack, criminals accessed a trove of information from Spirit Super , a “super fund” that manages pension accounts for a wide range of Australians.
According to a company press release, the stolen data appears to have been mostly benign, including “names, addresses, ages, email addresses, telephone numbers, member account numbers, and member balances.” Spirit Super stressed that no financial or confidential information was accessed in the breach.
The affected information was accessed via an employee mailbox, which in turn was accessed when an employee opened a phishing email that managed to get past Spirit Super’s multi-factor authentication system. The company claims that the breach was detected quickly and that their security system is being updated.
In the meantime, a frequently asked questions page has been set up on the Spirit Super website to guide worried clients through the ins and outs of the attack.
Records Exposed: Email addresses and personally identifiable information
Type of Attack: Phishing
Industry: Retirement planning and financial management
Date of Attack: May 19, 2022
Location: Tasmania, Australia
Key takeaway: Unlike the Elgin County, Ontario, Spirit Super seems to have handled this breach with admirable transparency. The company acknowledged the attack, provided a prompt and clear explanation of how it happened, reassured affected users about the security of their most protected data, and provided information on next steps for worried clients. If you’re going to suffer a data breach, this is the way to respond to it.
May was a clear illustration that less sophisticated attacks like phishing and email hijacking can still do plenty of damage. A cybersecurity system that takes a multi-pronged approach to security operations is a necessity for protecting your data on whichever side the criminals decide to attack from.
