SANS Institute, a cooperative research and education organization that trains cyber security specialists, fell victim to a phishing attack. As a result, about 28,000 personal records were leaked.
SANS Institute conducted its regular review of email configuration and rules on August 6. During the review it identified a suspicious forwarding rule and immediately started its incident response process. The discovered rule had sent 513 emails from an employee's account to an external address. The stolen data contained the email addresses, first names, surnames, countries of residence, job titles, company names, work phone numbers, company verticals and addresses of people registered for the SANS Digital Forensics & Incident Response (DFIR) Summit.
The security incident was the result of a phishing email received by one of the organization's employees. The employee did not recognize the email as fake, followed the fraudulent instructions, and compromised his corporate email account. Although no malware was deployed to his endpoint, the attack used a malicious O365 add-in on the server side.
Fortunately, SANS managed to identify the phishing attack quickly. On average, it takes companies from 6 weeks to 6 months to recognize a security incident like this. SANS removed the malicious code and conducted a full risk assessment in accordance with European legislation. Most of the compromised data turned out to be public, and the potential damage to the clients was not significant.
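The mailbox rule review that surfaced this incident can be partly automated. The following is an added example, not SANS tooling and not part of the original article: it scans a constructed JSON export of inbox rules and reports every rule action that sends mail to an address outside the organization. It assumes the export uses the property names of Exchange Online's Get-InboxRule output and that `example.org` stands in for the organization's own domain.

```python
import json
import re

# Assumption: domains the organization owns; every other domain is external.
INTERNAL_DOMAINS = {"example.org"}
# Rule actions that copy mail elsewhere (property names as on Get-InboxRule).
FORWARDING_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Finds addresses in plain form and in the '"name" [SMTP:addr]' form.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample export, not data from the incident.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "alice@example.org", "Name": "Newsletters",
     "Enabled": True, "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "bob@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ['"drop" [SMTP:drop@mail.example.net]']},
    {"MailboxOwnerId": "carol@example.org", "Name": "Team copy",
     "Enabled": True, "RedirectTo": ["team@corp.example.org"]},
    {"MailboxOwnerId": "dave@example.org", "Name": "old", "Enabled": False,
     "ForwardAsAttachmentTo": "dave@example.org.lookalike.test"},
])

def is_internal(domain, internal=INTERNAL_DOMAINS):
    """True for an owned domain or a subdomain of one (suffix match on a dot)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal)

def external_forwarding_rules(export_json, internal=INTERNAL_DOMAINS):
    """Return one finding per external address that a rule sends mail to."""
    findings = []
    for rule in json.loads(export_json):
        for field in FORWARDING_FIELDS:
            targets = rule.get(field) or []
            if isinstance(targets, str):  # a single target may not be a list
                targets = [targets]
            for target in targets:
                for match in ADDRESS_RE.finditer(target):
                    if not is_internal(match.group(1), internal):
                        findings.append({
                            "mailbox": rule.get("MailboxOwnerId"),
                            "rule": rule.get("Name"),
                            "action": field,
                            "target": match.group(0).lower(),
                            "enabled": bool(rule.get("Enabled")),
                        })
    return findings

if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_EXPORT):
        print(finding)
```

Disabled rules are reported as well, with `enabled` set to false, because a rule that has been switched off is still evidence that forwarding was configured on the mailbox.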
Image by Zab Consulting