A fortnight ago, Reddit announced one of its employees had been phished, enabling the hacker to access internal documentation, code and some of its internal systems. According to the release, the employee self-reported the breach and the security team swiftly responded.
What’s noteworthy in this story is the employee’s responsible action, rather than trying to escape responsibility, and the company’s transparent and swift notification. In too many cases, such visible platforms will do all they can to report a breach as quietly and as late as possible, so as to prevent harming their reputation.
Platforms attract phish & phlies
Reddit is a popular social news aggregation and discussion website with few frills and even fewer commercial aspirations. The site is organized into communities called “subreddits,” which cover a wide range of topics, from news and politics to cute animal pictures. Over 430 million (circa 2021) monthly active users submit content, including links, text, and images, which are then voted up or down by other users.
Launched in 2005 by Steve Huffman and Alexis Ohanian, it at first struggled to gain traction but slowly gained popularity and is today one of the most visited such sites on the web—primarily thanks to its informational character. The platform was acquired by media giant Conde Nast (that’s Vogue, The New Yorker, GQ, Vanity Fair, and many, many more to most of you), in 2006, and has often been the subject of controversy and criticism.
One of Reddit’s biggest points of contention is the behavior of its moderators—one or more for each sub-reddit. These megalo-crats ostensibly enforce community rules and guidelines; however, they too often abuse their power and simply censor content they may disagree with, banning the uploader without thought or accountability. Ironically, for all that zeal, the predominance of hate speech and harassment can be unnerving. Additionally, since the site does have a front page, adapted to each user, there have been claims that the algorithms used are biased (as with all other social platforms).
The last time Reddit was hacked was in August 2021; back then the hack was the result of a vulnerability in the site’s security infrastructure. This allowed hackers to access some user data, including email addresses and passwords. Once again, Reddit’s administrators acted quickly to contain the breach and notify affected users. In a statement, Reddit also said it was working with law enforcement to investigate the incident.
While in both cases the compromised data didn’t include financial information or social security numbers, the breach could still put users at risk of identity theft or other forms of cybercrime. Additionally, the hack could have damaged Reddit’s reputation, but their response was exemplary.
Other phishing attacks using Reddit have been reported, with attackers employing various tactics to trick users into revealing their login credentials. For example, attackers might create a fake login page that looks like the real Reddit login page and then direct users to that page through a phishing email or a malicious link. Nonetheless, the prevalence of phishing on Reddit is difficult to quantify, primarily due to the platform’s unique structure (almost a throwback to the AOL bulletin boards of yesteryear). Assessment would require an understanding of a sub-reddit’s user base, popularity, and the effectiveness of the site’s security measures.
So far, 2023 has proven prodigious for platform phishing. The makers of League of Legends in January, of Grand Theft Auto just behind, and Black Friday is still well below the horizon. Dark Reading’s numbers are foreboding: 75% of companies surveyed said they’ve suffered a successful email phishing hit. On the other hand, their tone is optimistic: 26% believe they’re now prepared to cope with such an attack—nearly half of the estimates four years ago… so long as we’re not dealing with account takeovers.
Steps to emulate
As social channels go, Reddit is generally considered a relatively phishing-aware platform, particularly compared to some other popular social media sites. It enables two-factor authentication, HTTPS encryption, and email verification for account creation. Additionally, Reddit has a dedicated security team that works to identify and respond to potential security threats, including phishing attacks. The team monitors the site for suspicious activity and takes proactive steps to protect users’ information and accounts.
But, more than this, individual sub-reddits take extra precautions independently, such as forbidding hyperlinks altogether. Others use bots or automated systems to detect and remove phishing links or other malicious content. For example, a bot might scan each new post or comment for links to known phishing websites, and then automatically remove those links and send a warning message to the user who posted them (or ban him/her outright). Many sub-reddits also encourage users to report suspicious activity or potential phishing attempts to the sub-reddit moderators or to Reddit’s support team.
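As an illustration of the link-scanning bot described above (an added example, not code from Reddit or any actual sub-reddit bot): it pulls URLs out of a post or comment, normalises each host, checks it against a constructed blocklist of placeholder phishing hosts (subdomains of a listed domain count as blocked too), and returns the moderation action the bot would take.

```python
import re
from urllib.parse import urlparse

# Constructed sample blocklist of phishing hosts; these are placeholders, not real indicators.
PHISHING_HOSTS = {"reddit-login-verify.example", "secure-reddlt.example"}

# Matches http(s) URLs and bare "www." links up to the first whitespace or closing bracket/quote.
URL_RE = re.compile(r"""(?i)\b((?:https?://|www\.)[^\s<>"'\)\]]+)""")


def extract_urls(text):
    """Return the URLs found in a post, stripping trailing punctuation such as a final comma."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(1).rstrip(".,;:!?")
        if url.lower().startswith("www."):
            url = "http://" + url  # give scheme-less links a scheme so urlparse sees a host
        urls.append(url)
    return urls


def host_of(url):
    """Normalise the host: lower-case, drop credentials/port, and encode IDN hosts as punycode."""
    host = urlparse(url).hostname or ""
    try:
        host = host.encode("idna").decode("ascii")  # look-alike Unicode hosts compare as xn-- names
    except UnicodeError:
        pass
    return host.lower().rstrip(".")


def is_blocked(host, blocklist):
    """True if the host itself, or any parent domain of it, is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def review_post(text, blocklist=PHISHING_HOSTS):
    """Decide what the bot does with one post: remove and warn the poster, or allow it."""
    flagged = [u for u in extract_urls(text) if is_blocked(host_of(u), blocklist)]
    if flagged:
        return {"action": "remove", "warn_user": True, "flagged": flagged}
    return {"action": "allow", "warn_user": False, "flagged": []}
```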
To prevent credential phishing, many companies are moving from 2-factor to multi-factor authentication (although last year’s Uber attack showed this too was insufficient). In addition, companies must advance from a sadly typical CYA approach of diffusing responsibility to a more proactive approach. In Reddit’s case, the corporate culture meant that the reporting transgressor did not face long-term, punitive action (other than having access permissions understandably revoked until the problem was resolved). In fact, the company stated it was “exceedingly grateful the employee, in this case, reported that it happened when they realized it happened.”
Overall, while no online platform can be 100% secure, Reddit’s proactive approach to security and its focus on user privacy and protection make it a relatively safe place for users to engage with others and share information.
Their moderators, on the other hand…