Click Studios has advised customers to stay vigilant and ensure the validity of any email sent to them, as a bad actor has commenced a phishing attack with a "small number of customers having received emails requesting urgent action."
The phishing attack is requesting customers to download a modified hotfix Moseware.zip file, from a CDN Network not controlled by Click Studios, that now appears to have been taken down. Initial analysis indicates this has a newly modified version of the malformed Moserware.SecretSplitter.dll, that on loading then attempts to use an alternate site to obtain the payload file. Click Studios says they are still analyzing this payload file.
The company also asked customers to not post any Click Studios correspondence on Social Media as it is "expected that the bad actor is actively monitoring [social media], looking for information they can use to their advantage, for related attacks."
According to Click Studios, the emails can be confirmed as not legitimate by:
- The sending email has a strange domain suffix - (note this may change over time)
- Wording - Urgent there is a bug in the last upgrade, you have to download another file to overwrite it
- The download location is a subdomain
- The checksum provided is not legitimate for our software
Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains, "People often use social media to post information that is intended to help others know about a problem or a solution. But when it comes to data breaches, it can be a double-edged sword. By sharing screenshots of emails sent by the Click Studios, social media users have fed cybercriminals with rich content that they need to replicate phishing attacks. Unfortunately, the reality is that people use social media to share everything these days and organizations need to realize this risk and put security measures in place to safeguard against this."
Banda continues, "It’s not realistic for a company to block access to social media sites. Not only would employees walk out the door but also organizations use social media all the time to promote their products and services and create brand awareness. For this reason, organizations need a comprehensive set of Secure Access Service Edge (SASE) solutions, which include a cloud access security broker (CASB) with exceptional data protection capabilities. As an example, organizations need advanced optical character recognition (OCR) functionality so that they can scan images in real-time and identify sensitive data. Doing this in real-time enables the redaction of the sensitive data in the image, in this case the ClickStudios email screens, or prevent the post from occurring all together. This functionality becomes even more valuable when considering screenshots or images of personal identifiable information (PII), which could be posted on social media.
He adds, "In the end, it boils down to one question that CISOs really need to answer - ‘how are we protecting our organization’s data wherever it goes - between clouds, users, and devices?'"
Chris Morales, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, says, "The normal process is to provide customer notification prior to public notification. This is how notification is handled in almost all cases. The problem here is not the notification process. It is the users who received the notification posting that publicly on social media and not understanding this is supposed to be time window to address any issues before making it public. Of course, that is going to lead to even more problems."