Lucy Security (www.lucysecurity.com)
was alerted by a researcher at an IT Security vendor to hackers’ use of
a Lucy Security Simulated Phishing template in a recently-reported
security breach. Lucy’s software was not used as part of the attack.
After an extensive investigation by Lucy Security technical experts, it
was determined that Lucy’s Simulated Phishing software was not involved
in the breaches, but that the hackers instead copied some of Lucy’s
highly-regarded designs to use for unlawful purposes.
Lucy’s findings were shared with an independent Technical Intelligence
Analyst at a major threat intelligence vendor, who confirmed that Lucy
is correct in their analysis.
There was and is no breach of Lucy Security’s software or systems.
“There is no evidence that hackers used Lucy software, other than using
the template design, and our analysis demonstrates significant evidence
to the contrary,” said Colin Bastable, CEO of Lucy Security Inc. “Had
they used Lucy software, several tell-tale indicators would be apparent.
The hackers simply stole our design, which was created to be used as a
realistic training aid, but clearly we would prefer that it was not used
in this fashion.”
On April 15, KrebsOnSecurity broke
the news that multiple sources were reporting a cybersecurity breach
at Wipro, a major trusted vendor of IT outsourcing for U.S. companies.
The story cited reports from multiple anonymous sources who said Wipro’s
trusted networks and systems were allegedly being used to launch
cyberattacks against the company’s customers.
“Lucy provides training scenarios with which legitimate users can expose
their co-workers and clients to realistic but simulated phishing and
social engineering attacks,” said Bastable. “In this instance bad actors
have downloaded and copied a simulated phishing template, as part of
their attack, using their own code and servers to deliver the attacks.”
Bastable added, “We have confirmed that they did not use Lucy software.
More than ever, it is apparent that we must train people to be on the
lookout for phishing attacks – more than 90 percent of successful
attacks originate with an email, and 97 percent of cyberattacks involve
some form of social engineering. These attacks were successful, because
the attackers invested a lot of time to make them so, but most people,
suitably trained and prepared, would have spotted that this was a
phishing attack.”
The alleged Wipro breach has been extensively reported on by media
outlets. As more organizations rely on third parties for outsourcing,
supply-chain management, consulting and production, their
cybersecurity risks grow.
“I am grateful to the vendor for contacting us, and we are pleased to
confirm that our simulation software was not used to carry out real-life
attacks,” said Oliver Münchow, Lucy Security founder. “This breach
demonstrates the need for training; organizations can’t rely solely on
malware detection software or firewalls or hardware defenses.
Businesses, governments, and non-profits alike must incorporate their
employees into their cyberdefense plans, with regular and effective
training to spot and prevent phishing attacks.”
About Lucy Security
Lucy Security is the culmination of 20 years of experience supporting
companies in IT security. The Swiss financial industry is attacked by
cybercriminals daily and for this reason, Lucy Security started offering
penetration tests as early as 1998 to evaluate IT infrastructure and
recommend potential improvements.
As a product, Lucy Security evolved out of the understanding that a
technical solution alone can’t solve all security problems and that
employees and users are an important part of the company-wide security
policy.
For more details, go to www.lucysecurity.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20190507005337/en/