Cyber Week in Review: Saks Fifth Ave, Gmail & Technion Institute of Technology

Media Division | March 31, 2017

Well, sports fans, if you want to take a break from March Madness, how about some fantastic phishing?  In this week’s cyber week in review, we pop around the globe for some of the biggest phish of the season, where major retailers, techno geeks, and techno-geeks-in-training all fall for the shenanigans of the season.  It’s another form of college ball, and it took place in cyber land this week.

Saks Fifth Would-be Phish

Shoppers looking to pay nearly fifteen hundred dollars for a pair of mules may have gotten more than they bargained for when shopping luxury retailer Saks Fifth Avenue online.  Tens of thousands of customers’ email addresses and/or phone numbers were apparently posted online, unencrypted.

When online shoppers tried to purchase certain unavailable items and signed up for the waiting list instead, their data joined an online listing that anyone could view on the web.  Canadian parent company Hudson’s Bay Co. (HBC), credited as being the first commercial corporation in North America, learned of the leak and took the pages down.  A spokesperson told online news source BuzzFeed, “We take this matter seriously.  We want to reassure our customers that no credit, payment, or password information was ever exposed.”

So if it’s just an unencrypted email address list, what’s the big deal?  Well, anytime personal information is leaked, it can (and should!) be a big deal to many consumers.  One of the main concerns: phishing scams.  Email address lists, especially in connection with any pertinent information, can fuel phishing scams.  Even just the knowledge that the owners of a particular set of email addresses had browsed Saks Fifth Ave online could open the door to a targeted phishing scam.  The best phishing scams have about a 45% success rate, according to Google, and including specific details can make for a more sophisticated scam.

Gmail Gets Goosed

Speaking of phishing scams, Gmail is on to a sophisticated scheme that had even some of the most techno-savvy surfers getting phished.

More obvious phishing scams ask for you to send them your credit card number or some such nonsense.  This new round of schemers came up with a snazzy way to steal your credentials:

  1. You get an email from someone in your address book with a real subject line and seemingly real PDF attachment.
  2. Unbeknownst to you (or, often, even them) that person was hacked and the subject line was lifted from their real email history. The “attached PDF” is actually an embedded image of a real PDF that person had sent at some point in time (though not necessarily to you).
  3. All that credibility may lead you to click on the “attachment,” which directs you to a phishing page. Even though “data:text/html” is in the subject line before “https://”, the bar also includes the phrase “” and looks nearly identical to the real Gmail login page.
  4. So, you “log in,” which, voila!, gives the phishing page your Gmail credentials. Your email address book now gets the same scam.

There are several ways you can detect and/or prevent a scam like this:

  • If you aren’t expecting an attachment, don’t click on it. Compose a separate email to the sender inquiring about it (a reply email may just go back to the phisher).
  • If you are already logged in to Gmail, you certainly wouldn’t be asked to log in again.
  • If something looks fishy (phishy) in the site address, it probably is.
  • Enable two-step verification in your Gmail email. It’s simple to set up, and an ounce of prevention is worth a pound of cure.

With these simple measures, you can avoid the bait.
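The "look at the site address" check can be automated in a mail filter or browser extension. The sketch below is an added example, not from the original article: it flags a “data:text/html” target even when a familiar “https://” string appears after it, and goes slightly further by checking the scheme and host of ordinary links. The trusted host list and all sample values are assumptions constructed for illustration.

```javascript
// Added example, not from the original article.
// TRUSTED_LOGIN_HOSTS is an assumption: list the sign-in hosts your users use.
const TRUSTED_LOGIN_HOSTS = new Set(["accounts.google.com"]);

function classifyLoginTarget(raw) {
  const text = String(raw).trim(); // browsers ignore surrounding whitespace
  let url;
  try {
    url = new URL(text);
  } catch {
    return { verdict: "suspicious", reason: "not an absolute URL" };
  }
  if (url.protocol === "data:") {
    // After "data:" comes a media type and inline content; there is no host,
    // so any "https://..." seen here is only text inside the payload.
    const mediaType = url.pathname.split(/[;,]/, 1)[0].toLowerCase();
    const hasDecoy = /https?:\/\//i.test(url.pathname);
    if (mediaType === "text/html") {
      const reason = hasDecoy
        ? "inline HTML page carrying an https:// decoy string"
        : "inline HTML page";
      return { verdict: "block", reason };
    }
    return { verdict: "suspicious", reason: "data: URL, type " + (mediaType || "unspecified") };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: "scheme is " + url.protocol };
  }
  if (!TRUSTED_LOGIN_HOSTS.has(url.hostname)) {
    return { verdict: "suspicious", reason: "unknown sign-in host " + url.hostname };
  }
  return { verdict: "ok", reason: "https on a known sign-in host" };
}

// Constructed sample values (no real payloads).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin",
  "  data:text/html,https://accounts.google.com/ServiceLogin",
  "DATA:Text/HTML;base64,",
  "https://accounts.google.com.login.example.test/",
  "http://accounts.google.com/",
];

function scan(samples) {
  return samples.map((s) => classifyLoginTarget(s).verdict);
}

console.log(scan(SAMPLES));
```

A substring search for the trusted host would pass the second and fourth samples; parsing the scheme and hostname first is what catches them.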

Technicalities at The Technion Institute of Technology

The Technion—Israel Institute of Technology is one of the top-ranked universities in the world and the oldest university in Israel. Of course, a university of that caliber would enroll some innovative thinkers.

But then when that “innovation” looks a great deal like “cheating” it can result in a student getting expelled for hacking into the email accounts of several professors and changing grades.

Hacking is illegal, and Technion reported it as a misuse of school computers.  A spokesperson told Ynetnews:

“We are taking this case very seriously, as it is very unusual.  The student, who acted in a manner that is most reprehensible, was punished severely by the disciplinary committee and was immediately and indefinitely expelled from the institution.  A complaint was also filed against him with the police for the suspicion of cyber crimes.”

While in some institutions, hacking might be sponsored and resume-building, The Technion was clearly not flattered by such a blatant attempt at cheating.

Ahead of the Game

When it comes to phishing schemes, college-student hackers, or any other real or potential cyber incidents, cyber threat intelligence and reputation control help detect, prevent and mitigate.  Call 813-434-0922 for a free threat report and to find out how Massive can help you enjoy the headlines, but stay out of them.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.