Hacked Through Phishing: An Ugly Security Awareness Lesson Learned

Phishing is the act of using electronic communication to pretend to be a trustworthy individual in order to obtain secure information. There are many types of phishing, including communications that appear to come from individuals within a recipient’s contact list or organization, otherwise known as spear phishing. Recently ICANN, the Internet Corporation for Assigned Names and Numbers, was the victim of just such an attack.In November 2014, ICANN employees received an email claiming to be from a staff member within ICANN requesting their login info. Taking the email at face value, an unidentified number of employees clicked on a link included within that led them to a fake login page. When they entered their email and passwords, this information was obtained by the attackers.Officials believe it may also have allowed malware to be installed on employee computers. ICANN employees unwittingly the attackers gave access to their organizational accounts and the privileges associated with them.Using email credentials elicited from the spear phishing attempt, hackers accessed the ICANN Centralized Zone Data System, or CZDS, which is a service that domain registries and others use to request DNS root zone file access located at czds.icann.org. Not only were zone files accessible to the attackers, but the names, postal and email addresses, fax and telephone numbers, email addresses, and passwords of system users were at risk as well.Although passwords were encrypted as salted hash values, ICANN deactivated them as a precaution and allowed users to request new ones. The organization also sent notices to all members potentially affected by the attack urging them to review and change their login information for other online accounts that may have used the same username and password.In addition to the CZDS, the attackers also gained access to the ICANN GAC (Governmental Advisory Committee) Wiki, located at gacweb.icann.org, where they were able to view a members-only index page, one user’s profile page and other public information. The attackers were also able to access user accounts on two other platforms, the information portal ICANN WHOIS at whois.icann.org, and the ICANN Blog at blog.icann.org.ICANN discovered the existence of the hack a week after it took place. In a statement released to the public, ICANN stated that they had initiated security enhancements designed to increase the information security of all ICANN programs. The organization also claimed to have instituted additional security measures directly after the attack.

Lesson Learned:If your organization does not have security awareness training for all employees, it could be a big mistake!