Lucy Security Says Attackers Copied a Lucy Phishing Simulation Template as Part of Recent Phishing Attacks


Lucy Security (www.lucysecurity.com) was alerted by a researcher at an IT Security vendor to hackers’ use of a Lucy Security Simulated Phishing template in a recently-reported security breach. Lucy’s software was not used as part of the attack.

After an extensive investigation by Lucy Security technical experts, it was determined that Lucy’s Simulated Phishing software was not involved in the breaches, but that the hackers instead copied some of Lucy’s highly-regarded designs to use for unlawful purposes.

Lucy’s findings were shared with an independent Technical Intelligence Analyst at a major threat intelligence vendor, who confirmed that Lucy is correct in their analysis.

There was and is no breach of Lucy Security’s software or systems.

“There is no evidence that hackers used Lucy software, other than using the template design, and our analysis demonstrates significant evidence to the contrary,” said Colin Bastable, CEO of Lucy Security Inc. “Had they used Lucy software, several tell-tale indicators would be apparent. The hackers simply stole our design, which was created to be used as a realistic training aid, but clearly we would prefer that it was not used in this fashion.”

On April 15, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were allegedly being used to launch cyberattacks against the company’s customers.

“Lucy provides training scenarios with which legitimate users can expose their co-workers and clients to realistic but simulated phishing and social engineering attacks,” said Bastable. “In this instance bad actors have downloaded and copied a simulated phishing template, as part of their attack, using their own code and servers to deliver the attacks.”

Bastable added, “We have confirmed that they did not use Lucy software. More than ever, it is apparent that we must train people to be on the lookout for phishing attacks – more than 90 percent of successful attacks originate with an email, and 97 percent of cyberattacks involve some form of social engineering. These attacks were successful, because the attackers invested a lot of time to make them so, but most people, suitably trained and prepared, would have spotted that this was a phishing attack.”

The alleged Wipro breach has been extensively reported on by media outlets. As more organizations rely on third parties for outsourcing, supply-chain management, consulting and production, their cyber security risks grow.

“I am grateful to the vendor for contacting us, and we are pleased to confirm that our simulation software was not used to carry out real-life attacks,” said Oliver Münchow, Lucy Security founder. “This breach demonstrates the need for training; organizations can’t rely solely on malware detection software or firewalls or hardware defenses. Businesses, governments, and non-profits alike must incorporate their employees into their cyberdefense plans, with regular and effective training to spot and prevent phishing attacks.”

About Lucy Security

Lucy Security is the culmination of 20 years of experience supporting companies in IT security. The Swiss financial industry is attacked by cybercriminals daily and for this reason, Lucy Security started offering penetration tests as early as 1998 to evaluate IT infrastructure and recommend potential improvements.

As a product, Lucy Security evolved out of the understanding that a technical solution alone can’t solve all security problems and that employees and users are an important part of the company-wide security policy.

For more details, go to www.lucysecurity.com.

View source version on businesswire.com: https://www.businesswire.com/news/home/20190507005337/en/