u/Syncplify

1 in 8 employees is selling company passwords - and the CEO is most likely one of them.

A new report from Cifas found that 13% of surveyed workers have either sold their company login details in the past year or personally know someone who has. That's already a pretty uncomfortable number, but it's not disgruntled junior employees feeling underpaid and overlooked who are doing it; it's the people at the top.

32% of senior managers, 36% of directors, 43% of C-suite executives, and a genuinely baffling 81% of business owners consider selling company credentials to be "justifiable," usually under the assumption that it's harmless one-time access - as if handing someone a working set of login details doesn't give them the exact same trusted access as any legitimate employee on the network.

And the timing couldn't be worse, because with economic pressure mounting, AI threatening jobs, and redundancies becoming more common, the temptation to make a quick payout by selling access to your employer's systems is only going to grow, and most companies aren't built to catch it, especially when the person doing it is the one who's supposed to be setting the security culture in the first place.

Multi-factor authentication helps, but it's a bit of a band-aid when the person handing over the credentials is the CEO. At what point does this become something companies actually train for, or is "don't sell your login details" still somehow assumed to be common sense?

u/Syncplify — 19 hours ago
▲ 41 r/pwnhub

Pay up, or we'll send someone to your house. Ransomware just got a lot scarier.

40% of ransomware attacks now come with physical threats to employees, and in the US that number jumps to 46%.

We're way past "pay up or we leak your data" at this point. A hospital got phone calls where strangers read nurses their home addresses down the line, and a security researcher had a threatening note left on his doorstep while he was actively helping a US government agency deal with an attack.

The playbook is simple and, honestly, kind of genius in a terrifying way: hackers stay hidden overseas and just hire local, post on a forum, offer some cash, and let someone else do the knocking. The FBI flagged a whole network for this last summer that's been tied to arson, kidnappings, even shootings.

What nobody seems to be talking about though is what this actually means for companies, because your HR database full of employee home addresses is no longer just a privacy liability - it's a physical safety problem, and I'd bet almost no incident response plan in existence covers the moment a staff member picks up the phone and a stranger calmly reads their address back to them.

If you work in security or IT, has this actually come up in any planning conversations at your company, or is everyone still treating this like a purely digital problem?

u/Syncplify — 19 hours ago
▲ 132 r/pwnhub

The 19-year-old suspect allegedly part of Scattered Spider just got arrested at Helsinki Airport mid-flight to Tokyo. And honestly the way he got caught is almost more impressive than the hack itself.

A teenager called a company's IT help desk, pretended to be an employee, asked for a password reset. That's it. One phone call and they walked out with 100GB of data, then sent a ransom email demanding $8 million with a typo in the subject line: "IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic]".

But while the FBI was building the case against him, a suspect was posting Snapchats of cash, luxury watches, and trips to Dubai, Thailand, Mexico, and New York. Oh, and a diamond-encrusted necklace that literally says "HACK THE PLANET." He also posted a screenshot of failed FBI login attempts with the caption "F*** off, FBI."

The hack worked because someone at an IT help desk picked up the phone. That's the real story here - your whole security stack means nothing if one employee can be talked into resetting a password over a call.

Source.

u/Syncplify — 16 days ago

A new Proofpoint report found that 1 in 10 hacked Microsoft 365 accounts had malicious mailbox rules planted within seconds of the breach. Sometimes in as little as five.

And even if you decide to change your password, the rules stay. You reset it, think you're done, and the whole time there's still a rule sitting there silently forwarding your emails to whoever broke in. They name them things like ".", "..", "..." or ";" so you scroll right past them. The most common one, a single dot, showed up in 16% of cases.

One real case from the report: attacker gets into an accounting specialist's account, creates a rule named "..." that hides all incoming emails with "Payment Receipt" in the subject, then uses that same account to send a phishing email with that exact subject line to 45 coworkers. The CEO's assistant clicked it. She had payroll access. You can guess the rest.

They're also known to set up rules that silently delete any email containing words like "phishing", "malware", or "virus", specifically to stop IT security alerts from ever reaching the compromised user. The FBI actually warned about this exact tactic back in 2020, and it's still going strong, apparently.

If you're an admin, start with disabling automatic external forwarding and auditing OAuth app grants. Password resets alone won't cut it. Anyway, when did you last look at your inbox rules?

u/Syncplify — 16 days ago
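An added defender-side example, not code from the post or from Proofpoint: a PowerShell audit for Exchange Online that flags the rule patterns described above (punctuation-only names, forwarding outside the tenant, delete-on-keyword rules aimed at security alerts) and ends with the tenant-wide forwarding lockdown the post recommends. It assumes the ExchangeOnlineManagement module, an already-connected session with rights to read recipients and inbox rules, and `Find-SuspiciousInboxRule` / `Get-RuleRecipients` are hypothetical function names chosen here.

```powershell
# Connect-ExchangeOnline -UserPrincipalName admin@example.com   # once per session (assumed done)

$internalDomains = (Get-AcceptedDomain).DomainName            # the tenant's own domains
$alertPattern    = 'phishing|malware|virus|hacked|suspicious'  # words attackers delete on

function Get-RuleRecipients($rule) {
    # ForwardTo/RedirectTo entries render as "Name [SMTP:user@domain]" or a plain address;
    # pull out every SMTP address so the domain can be checked against the tenant's list.
    @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        Where-Object { $_ } |
        ForEach-Object { [regex]::Matches([string]$_, '[\w.+-]+@[\w.-]+') | ForEach-Object Value }
}

function Find-SuspiciousInboxRule {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # -IncludeHidden also returns rules created outside Outlook's UI
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
            $flags = @()

            # 1. Names made only of punctuation/whitespace: ".", "..", "...", ";" and the like
            if ($rule.Name -match '^[\s\p{P}]*$') { $flags += 'PunctuationOnlyName' }

            # 2. Any forward/redirect whose domain is not one of the tenant's accepted domains
            foreach ($addr in Get-RuleRecipients $rule) {
                if ($internalDomains -notcontains ($addr -split '@')[-1]) { $flags += "ExternalForward:$addr" }
            }

            # 3. Rules that delete mail mentioning security alerts, or hide a subject outright
            $words = @($rule.SubjectContainsWords) + @($rule.SubjectOrBodyContainsWords) + @($rule.BodyContainsWords)
            if ($rule.DeleteMessage -and ($words -match $alertPattern)) { $flags += 'DeletesSecurityAlerts' }
            elseif ($rule.DeleteMessage -and $rule.SubjectContainsWords) { $flags += 'DeleteBySubject' }

            if ($flags) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Flags   = ($flags -join ', ')
                }
            }
        }
    }
}

Find-SuspiciousInboxRule | Format-Table -AutoSize

# Hardening from the post: stop automatic forwarding to external recipients tenant-wide.
# Uncomment after reviewing the audit output, since both settings affect every mailbox.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

A rule that is flagged but disabled is still worth removing, since a password reset does not touch it and the attacker can re-enable it on the next login.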