Unknown attackers stole customer data from the online investing firm Robinhood. On November 8, Robinhood published a statement informing the public that a data breach had occurred on November 3, exposing the email addresses of some 5 million customers and the full names of another 2 million. More extensive account information for about 310 individuals was exposed as well. The breach was the result of a social engineering attack in which an attacker telephoned a customer support employee and was able to obtain access to customer support systems. Robinhood also confirmed that it received an extortion demand shortly after the attack but did not elaborate further; the demand is believed to have involved the threat of releasing the stolen data. A week later Robinhood released an updated statement disclosing that roughly 4,400 phone numbers had also been compromised, along with other text entries that were still being analyzed. Phone numbers are increasingly sought by attackers because so many multifactor authentication (MFA) systems deliver codes by SMS or voice call. In a SIM-swap or port-out attack, the attacker has the victim's number transferred to a phone they control, receives the victim's one-time codes and password-reset messages, and uses them to take over the victim's online accounts.
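The point about ported phone numbers is why authenticator-app codes are the usual alternative to SMS: the code is derived from a secret stored on the user's device and the current time, so nothing the carrier controls can reproduce it. The block below is an added example of that scheme (TOTP, RFC 6238, over HOTP from RFC 4226) in stdlib Python; it is not Robinhood's code and not part of the original article. The secret is the RFC's published reference seed, the timestamps are the RFC's test times, and the replay-guard interface (returning the matched time-step counter so the caller can store it) is an assumption for illustration.

```python
"""TOTP verification (RFC 6238) with HMAC-SHA1, standard library only.

Added example; assumed interface, not taken from the article or Robinhood.
"""
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 reference seed, the ASCII bytes
# of "12345678901234567890". A real deployment generates a random secret per
# user and shares it once (usually as base32 in a QR code).
DEMO_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form that authenticator apps are provisioned with."""
    return base64.b32decode(encoded.replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Return the time-step counter the submitted code matched, or None.

    - Accepts the current step and +/- `window` steps to absorb clock drift.
    - Skips counters <= `last_counter` so a code that was already accepted
      cannot be replayed inside the drift window (the caller persists the
      returned counter with the account).
    - Uses a constant-time comparison for each candidate.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now_counter = at_time // step
    for c in range(now_counter - window, now_counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    # Walk through a login: code generated on the device, checked server-side,
    # then rejected when replayed. Timestamps are the RFC 6238 test values.
    code = totp(DEMO_SECRET, 59)
    matched = verify_totp(DEMO_SECRET, code, at_time=59)
    print("code", code, "matched counter", matched)
    print("replay rejected:", verify_totp(DEMO_SECRET, code, at_time=59,
                                          last_counter=matched) is None)
```

Two caveats belong with this control. Keep `window` small (one step either side); every extra step doubles the number of codes an attacker can guess against. And TOTP only removes the phone number from the login path if account recovery does not fall back to an SMS code, since a SIM swap would otherwise simply move to the reset flow.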
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
Social engineering is the psychological manipulation of a victim into either performing an action the attacker wants or disclosing information that is useful to the attack. The most prevalent form is phishing, in which users are urged to initiate a wire transfer or to log on to what they believe is a legitimate site, thereby exposing their credentials. Social engineering can also use other channels, such as text messages, social media, and the telephone. The attackers knew their corporate victim well: Robinhood had recently expanded its customer service department to provide 24/7 support, and they preyed upon newly trained employees who were still learning the proper protocols.
|CONTAINMENT (If IOCs are identified)|
Robinhood is asking all customers to scrutinize their email for phishing attacks, particularly messages that appear to come from Robinhood. Customers are encouraged to enable multifactor authentication on their accounts and to check for messages in the Robinhood app rather than relying on email. Customers who want to call Robinhood should use the phone numbers listed within the app and should never call a Robinhood phone number delivered by email. Customers should interact with Robinhood representatives only through the Robinhood app. Beyond these communications, Robinhood contacted law enforcement about the incident and engaged an outside security firm to address the attack.
The Robinhood breach is a classic example of why a multilayer security strategy matters. Tools such as endpoint security, email filtering and a perimeter firewall would not have stopped the phone call from the threat actor that made this attack possible. Attackers use multiple vectors to breach a network, and a thorough risk assessment can shine light on the many exposures of your enterprise; to stop an attacker, you must think like one. The incident also underscores the importance of security awareness training across the company, so that employees know the warning signs to look for when confronted with a suspicious request. Strict adherence to the principle of least privilege and the adoption of a zero-trust model both play important roles in combating social engineering threats such as this one. Least privilege requires that users be granted only the minimum access needed to perform their job functions, so that a single compromised support account cannot reach every customer record. Zero trust grants no implicit trust based on network location: every access attempt is authenticated, authorized and monitored, regardless of whether it originates inside the network.
Prepare for cyber threats through an Incident Response Readiness program