[jaclaz]

>On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

It doesn't seem to me that much sophisticated, rather "normal", unless they are omitting some relevant details, it sounds a lot like "Action needed urgently, click here to login to ...".

[jwestbury]

Every company describes successful breaches as "sophisticated," because if it wasn't sophisticated then it's their own failure.

[asddubs]

was it the north korean government using military level hacking technology? yes. i mean, we don't know. but probably.

[ilyt]

"Military level" is another means-nothing term.

Could be anything from average phishing or some 0-day that happened to be found by gov employee or phishing email, to "a bunch of men kidnapped target and beat them till they gave them access

[PenguinCoder]

And for this case, highly highly doubt a threat actor would burn a zero day for a Reddit phish.

[marginalia_nu]

The sophisticated aspect of these types of attacks typically isn't in the technical aspects, but the social engineering involved.

It usually involves meticulous research on the target, what and who they work with, and have crafted an email that plausibly looks and sounds like an internal email, that talks about company stuff in company language, mentions coworkers and so on.

Add a note of urgency, make it someone who has discovered something isn't right, there's an urgent technical issue or the company or money is missing from the accounts or something, or perhaps it was dressed up as a memo announcing layoffs at reddit. If it's an urgent "threat" you tend to tunnel vision quite hard.

The result is very far removed from how your typical spam emails tend to look.

[dkarl]

Cloning an intranet site is also a nice wrinkle that probably trips up a lot of less-tech-savvy employees who are trained to recognize phishing attempts that use replicas of Amazon, Google, Facebook, and other big well-known public web sites, which they mentally categorize as a different thing from their company's internal tools.

[pixl97]

It doesn't help companies have so many internal tools. It seems like once a month I'm asking my team if the invite to X service is something we're doing or a phish.

[xeromal]

This is what interested me. How do you clone an intranet site without gaining access to it?

[sillysaurusx]

Yep. We had a charming English fellow at NCC Group in charge of doing this for a living. He had it down to a science. Everything from the phrasing to the phishing.

[likis]

If they have a clone of an intranet gateway, I would have to agree that the phishing attempt is a bit more advanced, so calling it sophisticated is not too far fetched.

[bawolff]

Its sophisticated in the sense it sounds targeted. They had to do research, setup a clone of an internal site, etc. That's on the high end of sophistication for phishing, which in general is usually not the most sophisticated of attacks.

[jaclaz]

Yep, but targeted doesn't have the same meaning as sophisticated, maybe the sophistication relates to obtaining a list of reddit employees, in that sense the sophistication is before and besides the phishing in itself.

[lynx23]

"One of our employees was tricked. The attack must have been sophisticated, because we are a cool gang."

Basically applies to every team there is.

[pixl97]

I'd say it depends on how much homework was done by an attacker. The company I work for was adding some new services. One of the service setup emails came in and was off just enough that I reported it rather than following it, and yes, it was an internal phishing test, but one I found very valuable because the service providers could be hacked, and the URLs that are used are generally terrible if you're trying to figure out where you're going.

[dghughes]

The "sophisticated" term maybe (100% for sure) was meant to save face. As in reddit staff should have known better and were supposed to be IT, social media, Internet culture experts. But fell for it anyway.

[PM_me_your_math]

"Sophisticated"

The employee's password was probably passw0rd, and that's being generous for reddit.

[coffeeblack]

If any e-mail contains a link to a login webpage, I treat it as a Phishing attempt. Only ever log in on the page you have bookmarked.

[marginalia_nu]

That's easier in your private life than in business. A lot of common tools (especially jira, confluence, etc.) have the flimsiest sessions along with just atrocious navigation.

Means almost every other time you're sent a link, you have to log in yet again. And man are you sent jira tickets often in tech.

[coffeeblack]

I’m always logged into Jira and Confluence. And if not, the browser has the password stored, so an unknown host would be obvious.