Australian password security company Click Studios said it believes only a small fraction of its 29,000 customers were affected by a breach caused by a corrupted update containing malicious code. Meanwhile, customers posting correspondence from the company on social media may be unwittingly feeding into new phishing schemes.
In a new advisory posted on their website, Click Studios provided an update on their investigation into the breach, which took place between 8:33 p.m. Universal Coordinated Time on April 20 and 12:30 a.m. UCT April 23. Any customer that updated their PasswordState tool during that time frame could have been compromised.
“The number of affected customers is still very low. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company stated.
It’s not clear how Click Studios is defining “affected” customers in this incident. The corrupted update was likely just the first step in what researchers from CSIS Security Group believe was a multi-stage malware attack, and in at least one case a customer downloaded the update but the attack was stopped before any second stage malware could be deployed.
SC Media has reached out to the company for further clarification.
While Click Studios has been notifying impacted customers, they also requested that they cease publishing screenshots of the company’s communications online, saying that the bad actor is “actively monitoring social media” for more information to use in related attacks. Specifically, they say an email sent on Friday, April 23 confirming the breach and outlining potential remediation steps has been repurposed into phishing emails sent to some customers.
“Unfortunately, some customers have posted copies of this email on social media. It is expected the bad actor is actively monitoring social media for information on the compromise and exploit,” the company said. “It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content.”
The emails ask customers to download an update, which is really a modified version of the dynamic link library used in the original attack that called out to a content delivery network server not controlled by the company for a malware payload. ClickStudios said that the server is now down and they have obtained a sample of the payload for further analysis.
Customers can spot a fake by looking at the domain suffix, which doesn’t match that of legitimate Click Studios emails, or claims that an “urgent” update is needed in order to overwrite a bug in the previous patch, or any emails that ask the user to download the update from a subdomain.
Companies are often pilloried in the wake of data breaches for lacking transparency or leaving their users in the dark about potential impact. This incident demonstrates the flip side of that coin, how information or communications from a company following a breach can be weaponized by bad actors. The fact that these new lures are designed to mimic legitimate notification emails demonstrates a clever social engineering ploy, essentially leveraging the anxieties of PasswordState users to learn more details about the previous breach to infect them with the same attack.
"What happened with the Click Studios disclosure seems like a new trend that companies should be aware of and shows us how phishing campaigns are becoming more and more sophisticated," said Inon Shkedy, a security researcher for Traceable. "As part of the disclosure message or email, it is probably a good idea to include a warning and recommend that customers not share the disclosure information on public places that can be scrapped by attackers, such as social media.
Chris Morales, chief information security officer at resolution intelligence firm Netenrich, said Click Studios was following standard post-breach notification protocols and that some of the responsibility should fall on the customers posting their correspondence online without understanding the potential repercussions.
“The problem here is not the notification process. It is the users who received the notification, posting that publicly on social media and not understanding this is supposed to be a time window to address any issues before making it public,” said Morales. “Of course, that is going to lead to even more problems.”
Others argued that companies should not be surprised to see the letters they send customers end up online, and that we should hold companies, not their customers, accountable for the consequences of a breach.
"It’s not humans that need to get their act together and stay mum after an incident, but automated and intelligent cybersecurity systems that need to keep us safe," said Kevin Bocek, vice president of security strategy and threat intel at Venafi. "Phishing happens, and will tomorrow regardless if there’s another breach notification or not to fake."