500 GoDaddy employees failed phishing test
Further surprises in 2020 were to be expected, but that did not spare GoDaddy employees another taste of the year's unpredictability in the form of their organisation's recent phishing email campaign. An email sent to 500 employees promising a $650 holiday bonus was in fact a 'Phishing Awareness Test', which left the recipients feeling rather more than "preyed on". Employees who took the bait were allegedly afforded the unwanted prize of further security awareness training.
The general consensus on GoDaddy's security trial was that the email was far more Halloween than holiday-appropriate. Although the popular sentiment is easy to understand, given that the current pandemic has resulted in several thousand people being laid off, the cyber-ists amongst us are cautious to remain pragmatic and employ a sense of realism. The reality is that it is in these times that hackers catch their biggest prey. Action Fraud reports that throughout the 2014 festive season, individuals and businesses reported losses of £16.5m (Action Fraud) due to cybercrime, with countless more cases going unreported. Cybercriminals know all too well that Christmas is the busiest time of year for internet retailers and that more people than ever will be using their devices to make purchases and surf the web. Falling for a phishing scam is an easy mistake to make. Over the festive period companies send millions of emails in a last-ditch attempt to plug their products before Christmas, and phishing scammers send seemingly genuine emails that infect a device as soon as a link is clicked. It is also very typical for companies to send out mass messages about holidays and bonuses at this time of year.
GoDaddy finds itself in a delicate position following its 2019 breach, in which an investigation determined that an "unauthorized individual" had gained access to login credentials that allowed them to "connect to SSH" on the affected hosting accounts. The breach occurred in 2019 but was only identified in 2020, and it affected approximately 28,000 customers.
SSH is an acronym for Secure SHell, a network protocol used to access remote computers.
As the world's largest domain registrar, with 19 million customers, 77 million domains managed, and several million websites hosted, GoDaddy certainly has its cyber defence work cut out if it wants to maintain its position in the dynamic and fast-moving hosting market.
Similarly large, reputable organisations will no doubt invest significantly in securing their systems and information assets; however, staff remain their Achilles heel, and phishing a surefire way to exploit them.
It is perfectly understandable that GoDaddy would therefore choose a fake-phish exercise to help analyse employee behaviour, although the type of email sent out remains a rather spurious method of delivery, possibly driven by a somewhat out-of-touch HR or security team.
Regardless, one cannot ignore the fact that, with the current ways of working during a continuously uncertain pandemic, organisations face a real cyber threat from individuals working on a home network, or at times even a public one, in environments that are not necessarily secure and are impossible to control. Security awareness is therefore no longer an optional tick-box exercise for such organisations but a real necessity that requires analysis and tangible solutions.
The team at PhishKing have developed an application that enables organisations to track, understand, and help reduce behaviours that lead to phishing exploits. PhishKing integrates seamlessly with your email platform and empowers you to customise your own targeted phishing campaigns that help you to quickly confirm which employees or teams require more training to reduce their chances of being exploited by would-be hackers.
As always I like to end by summarising the good, the bad, and the lesson out of this situation.
The Good
GoDaddy is doing something about tightening up its internal security. They recognise their place in today's hosting community and they evidently appreciate the responsibilities that this comes with. Trying to improve security awareness and behaviours is an excellent step to take in improving your overall security holistically.
The Bad
Any campaigns or programmes delivered to track behaviours need to be well thought out, sensitive, realistic, and able to provide genuine insight. Organisations should certainly weigh the advantages of any proposed technique against its impact on morale and eventual behaviour. A disgruntled employee (albeit one who is more security-aware) could actually end up becoming another weak link should they decide to go rogue and purposefully disclose critical information.
What can we learn from this?
Hackers and phishing are unfortunately not going away anytime soon. Companies need to be more vigilant and employ innovative and intuitive methods for addressing the security risks stemming from phishing. Teams tasked with delivering security awareness and training activities that involve such campaigns would do well to work with marketing teams within the business or with team leads to obtain valuable insight and feedback about their approach before ploughing ahead. Staff morale, interest, and willingness to change are key to effective engagement.