Stop Tweeting, Says Click Studios: Phishers Use Breach Notification Information to Create New Lures

Click Studios, an Australian password protection company, claims that only a small percentage of its 29,000 customers were impacted by a security breach caused by a compromised update containing malicious code. 

In a new advisory posted on their website, Click Studios issued an update on their investigation into the breach which took place between 8:33 p.m. Universal Coordinated Time on April 20 and 12:30 a.m. UCT April 23. During that time, any customer who changed their PasswordState tool may have been hacked. In this incident, it’s unclear how Click Studios defines “affected” customers. 

According to CSIS Security Group researchers, the compromised update was most likely only the first stage of a multi-stage malware attack. At least one customer downloaded the update, but the attack was stopped before any second-stage malware could be deployed. 

“The number of affected customers is still very low. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company stated. 

SC Media has contacted the company for additional details. Although Click Studios has been notifying affected customers, they have also asked them to stop posting screenshots of the company’s correspondence online, claiming that the bad actor is “actively scanning social media” for more information to use in future attacks. They say that an email sent on Friday, April 23 confirming the violation and detailing possible remediation measures was repurposed and sent to some customers as phishing emails. 

Customers are asked to download an update, which is actually a modified version of the dynamic link library used in the original attack, which requested a malware payload from a content delivery network server that was not under the company’s control. The server has been taken down now, according to ClickStudios, and a copy of the payload has been retrieved for further study. Customers can spot a fake by searching for a domain suffix that does not match that of legitimate Click Studios emails or claims that an “urgent” update is required to correct a flaw in the previous patch, or emails that direct the user to a subdomain to download the update. 

In the aftermath of data breaches, companies are often criticized for a lack of accountability or for keeping their customers in the dark about the possible consequences. This incident highlights the other side of the coin: how bad actors can weaponize information or communications from an organization following a breach. The fact that these latest lures are built to look like legitimate notification emails shows a sophisticated social engineering tactic, basically exploiting PasswordState users’ fears to learn more about the previous breach and infect them with the same assault. 

Inon Shkedy, a security researcher for Traceable stated, “What happened with the Click Studios disclosure seems like a new trend that companies should be aware of and shows us how phishing campaigns are becoming more and more sophisticated.”

“Click Studios was adopting normal post-breach notification procedures, according to Chris Morales, the chief information security officer at resolution intelligence company Netenrich, and that some of the blame should fall on the customers who posted their correspondence online without knowing the possible consequences. “The issue here isn’t with the notification system. The people who got the message are the ones who are publicizing it on social media, even though there is supposed to be a time window to fix any problems before making it public,” Morales explained. “Of course, it would just exacerbate the situation.” 

Others argued that companies should not be shocked to see the letters they send users that end up on the internet and keep companies responsible for the effects of a breach, not their customers.