Tech

Snapchat falls foul of CEO impersonation, hands over employee pay data

A targeted phishing campaign has left Snapchat flat-footed and red faced.

Written by Charlie Osborne, Contributing Writer Feb. 29, 2016 at 5:56 a.m. PT

Snapchat says it is "impossibly sorry" after being duped by a cyberattacker who impersonated the CEO and was able to elicit employee payroll information from the firm.

In a blog post on Sunday, the messaging service revealed that a targeted phishing campaign which involved a cyberattacker impersonating chief executive Evan Spiegel was successfully levied against the company, leading to the release of payroll information.

Last Friday, the impersonator contacted a Snapchat employee with a request for payroll information. The phishing email was not recognized for what it was, and the member of staff who received the email revealed payroll information related to both current and former employees.

Snapchat is in the midst of sorting out how many employees have had their information compromised, and beyond the word "some," it is not yet known just how problematic the data breach could become.

Phishing emails are most commonly sent as mass spam campaigns, ranging from a plea for help to save someone dying to congratulations on winning the Spanish lottery and messages from alleged long-lost relatives from Africa. The most dangerous types are the ones which are targeted -- such as masquerading as banks or retailers.

If a cybercriminal focuses on a particular victim in a spear phishing scheme, a little social engineering and research can persuade the victim to hand over the information which is wanted -- or to download a legitimate-looking file which contains malware for a variety of nefarious purposes.

Security

The embarrassing gaffe was at least dealt with swiftly. Within four hours, Snapchat ascertained the incident was "isolated" and reported the scheme to the FBI. The staff members which may have had their identities and financial data compromised have been offered two years of free credit monitoring and insurance against identity theft.

There is no evidence to suggest company servers were breached, and Snapchat has been quick to reassure users that their data was unaffected by the scam.

"When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong," Snapchat says. "To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again."

There's no doubt this is embarrassing for the company, however, the situation does highlight just how easy it can be for even those who work in the IT sector to fall prey to targeted phishing campaigns. By impersonating the CEO and appearing legitimate, the cyberattacker was able to dupe the employee who had already gone through training in order to detect such scams -- and that person will not be the last to do so.

Richard Beck, Head of Cyber Security at QA commented:

"As the scammers become ever more sophisticated, it's easy to be duped, as Snapchat's payroll department unfortunately discovered.

The good news is that arming employees with some basic cyber security know-how -- such as knowing not to click on a URL sent via email -- makes it relatively easy to thwart these scammers and defend against the cyber threats that every business faces today."