Software Integrity Blog

Santa gets phished: A tale of holiday hacking

When the elves at Santa’s Workshop receive a complaint that children are receiving Bitcoin ransom emails from Santa, they discover that they’ve been hacked.

This is a work of fiction. Names, characters, businesses, places, events, locales, and incidents are either the products of the author’s imagination or used in a fictitious manner. Any resemblance to actual persons or events is purely coincidental.

Santa’s Workshop, a global toy manufacturer headquartered in the North Pole, employs 85,851 elves. While most of its output takes place in December, the workforce is employed 364 days a year to design, build, and wrap the 2 billion toys required for Christmas morning.

The first sign of trouble

The complaints department at Santa’s Workshop prides itself on its positive customer satisfaction rating. And it’s rare for the department to receive calls outside the busy December period. So when customer service representative Elf Grumbles received a call from a worried parent in November, it triggered concern.

Elf Bernard, head of Santa’s Workshop, explained: “The moment Elf Grumbles told me that a parent had called, I knew we had to handle the matter quickly. Little Johnny had been crying and couldn’t sleep, but after much cajoling, he confessed to his father that he was being held to ransom—by Santa! Johnny had received an email telling him that Santa had observed him misbehaving and would move him from the ‘nice’ list to the ‘naughty’ list unless Johnny paid Santa $1,400 in Bitcoin.”

The email demanded that Johnny pay Santa $1,400 in Bitcoin.

“Johnny’s father was incensed but, after a glass of something strong to quell his anger, realized that things might not be irreversible. So he called the help line to see if he could get Santa to rethink Johnny’s sentence or negotiate a more reasonable fee.”

Identifying the source of compromise

Elf Bernard was unsettled when he heard about the call. Someone had accessed the Naughty or Nice database and was impersonating Santa. Elf Bernard called Elf Agent X, head of security, to inform him of the development and his fear of a data breach. To his surprise, Elf Agent X responded that he suspected a possible source of the breach.

Elf Bernard continues: “Elf Agent X told me that earlier in the year, Elf Glitterpants had submitted a help desk ticket when his desktop suddenly stopped working.” On inspection, Elf Geek from the IT department determined that Elf Glitterpants had received an email forwarded by Elf Wally, from the Wrapping Department. The email included a link offering a 75% discount code on glitter bows, so Elf Glitterpants clicked it. After he filled out his personal information on the website, he received a pop-up requesting that he enter his username and password to update Flash and print the voucher. He did so and ran the file that downloaded. Within seconds, his screen went blank, and he called the help desk and submitted the request ticket.

Elf Glitterpants wanted an email discount code, but he got malware instead.

Elf Geek restored the desktop, ran a few scans, and determined that all was good. Per procedure, he notified Elf Agent X of the incident. Elf Agent X accepted Elf Geek’s assurance that the machine was clean. At the time, he recommended that Elf Glitterpants and Elf Wally attend a security training session. But looking back, Elf Agent X said he should have realized the significance of the website requesting Elf Glitterpants’ username and password.

Scanning and securing the system

Elf Bernard and Elf Agent X set to work. They reviewed all user roles and authorizations and performed a full scan of their systems. The scan identified 100,867 unpatched vulnerabilities, which the team then triaged and prioritized for remediation.

“Researchers are discovering vulnerabilities in software all the time, with more than 18,000 found this year alone. That’s a lot of flawed code, so the fact that Santa’s Workshop had 100,867 within our infrastructure wasn’t tremendously surprising for an enterprise of our size,” explained Elf Agent X. “That said, much of our activity still relies on a combination of traditional magic-powered and manual processes. This situation proves that threat actors can compromise any business.”

The intruder entered the system through an OS vulnerability.

The team got to work remediating the most critical issues first. Elf Agent X found an unpatched vulnerability (CVE-2018-ELF) in the operating system running on all the elves’ desktops. A known exploit exists for it, and that exploit is how the intruder gained an initial foothold before pivoting across the infrastructure to decide where to focus further efforts. “We’ve now patched this vulnerability, which will prevent threat actors from accessing the database this way,” Elf Agent X confirmed.

Another unpatched vulnerability with a known exploit, called “Santa’s Got A Brand New Bag,” could have allowed a threat actor to access the paint mixer and tamper with the colors and chemicals—a potential health hazard for the elves in the Color Workshop. The security team patched the paint-mixing software immediately.
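The triage step the story describes, as an added example that is not part of the original post or of any Santa's Workshop tooling: it parses a constructed scan export and ranks the findings so that a vulnerability with a public exploit and a wide blast radius comes before one with a high base score alone. The two named findings are the page's own fictional ones; the EXAMPLE-* rows, every CVSS value and host count, and the scoring weights are assumptions made for this illustration.

```python
import csv
import io
import math
from dataclasses import dataclass
from typing import List

# Constructed scan export for this example (not real scanner output).
# "CVE-2018-ELF" and "Santa's Got A Brand New Bag" are the page's own fictional
# findings; the EXAMPLE-* rows, CVSS scores and host counts are assumed.
SCAN_EXPORT = """\
finding,cvss,known_exploit,hosts,safety_impact
CVE-2018-ELF,8.8,yes,85851,no
Santa's Got A Brand New Bag,7.5,yes,3,yes
EXAMPLE-0001,9.8,no,1,no
EXAMPLE-0002,4.3,no,85851,no
EXAMPLE-0003,6.5,yes,12,no
"""


@dataclass(frozen=True)
class Finding:
    name: str            # scanner identifier for the issue
    cvss: float          # base severity, 0.0 to 10.0
    known_exploit: bool  # public exploit code is available
    hosts: int           # number of affected assets
    safety_impact: bool  # tampering could cause physical harm (e.g. the paint mixer)


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_export(text: str) -> List[Finding]:
    """Parse the CSV export into Finding records. A malformed row raises
    rather than silently dropping a vulnerability from the queue."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append(Finding(
            name=row["finding"],
            cvss=float(row["cvss"]),
            known_exploit=_yes(row["known_exploit"]),
            hosts=int(row["hosts"]),
            safety_impact=_yes(row["safety_impact"]),
        ))
    return findings


def priority_score(f: Finding) -> float:
    """Higher score means fix sooner. The weights are an assumption for this
    example, not a standard: the CVSS base is doubled when a working exploit
    is public, scaled by the log of the host count so breadth counts without
    swamping everything else, and raised again where safety is at stake."""
    score = f.cvss
    if f.known_exploit:
        score *= 2.0
    score *= 1.0 + math.log10(max(f.hosts, 1))
    if f.safety_impact:
        score *= 1.5
    return round(score, 2)


def reasons(f: Finding) -> List[str]:
    """Human-readable justification to attach to the remediation ticket."""
    out = [f"CVSS {f.cvss}"]
    if f.known_exploit:
        out.append("public exploit available")
    if f.hosts > 1:
        out.append(f"{f.hosts} hosts affected")
    if f.safety_impact:
        out.append("physical safety impact")
    return out


def triage(findings: List[Finding]) -> List[Finding]:
    """Order the remediation queue, most urgent first."""
    return sorted(findings, key=priority_score, reverse=True)


if __name__ == "__main__":
    for f in triage(parse_export(SCAN_EXPORT)):
        print(f"{priority_score(f):7.2f}  {f.name}: {', '.join(reasons(f))}")
```

Run as written, the desktop OS bug with a public exploit on every workstation lands at the top of the queue and the paint-mixer bug second, while the "critical" EXAMPLE-0001 (CVSS 9.8, no exploit, one host) ranks last. That is the point of weighting exploit availability and reach above the raw severity number: a scanner's count of 100,867 findings is only useful once it is ordered by what an attacker can actually use.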

Patch management to the rescue

Elf Bernard concludes, “We are very grateful to Elf Agent X and his security team. Not only did they help us secure our critical customer database, but they also prevented a major incident within the Workshop. We were able to report to the Big Man that we had secured all key systems and implemented a patch management program. I know a lot of people say Santa is magical, but Elf Agent X did the hard work this year making sure all the nice girls and boys received presents this Christmas.”