The $2 trillion entertainment industry, a broad category that includes movies, TV shows, games, and music, is a tantalizing target for a motley crew of criminals. These include pirates seeking to steal the latest releases or hold projects for ransom, but also anonymous operators who simply want to embarrass their targets or create havoc.

In many ways, its global scale leaves it particularly vulnerable. Unlike financial institutions, which operate under strict regulations and are accustomed to constantly implementing security measures, the entertainment industry tends to be more lax. Larger production houses in the US often deal with dozens of vendors at once, and these smaller companies usually lack the staff or budget to deal with serious cybersecurity issues. Some, like visual effects houses, are based overseas, which makes monitoring and compliance even more difficult.

Why Phish Entertainment Industry Targets?

The reach of the entertainment industry cannot be overstated. Whatever our cultural differences, most modern societies enjoy many of the same movies, music, games, and TV shows, or have a catalog of their own. These digital assets become a currency in themselves; pirates trade them or share them within elite groups, and pulling off a breach is often a badge of honor.

These stolen files can also become strong leverage. Ransomware, the locking of computers or assets until a fee is paid, made mainstream headlines when a Hollywood hospital was locked out of its computer systems and ultimately paid about $17,000 (40 bitcoin) to restore access.

Now the same extortion methods are being used against Hollywood entertainment companies. In 2017, Disney and Netflix were each hit by separate extortion attempts in which attackers claimed to hold unreleased projects and threatened to leak them unless paid. (Netflix refused, and episodes of “Orange Is the New Black” appeared online early; Disney did not comment on how it handled the demand, but the latest “Pirates of the Caribbean” movie did not leak.)

There’s also the lure of exposing the secrets (and possibly compromising images) of the famous and powerful. The 2014 Sony Pictures hack released a trove of emails that exposed candid internal communications as well as the pay gap between the studio’s male and female stars. That same year, the so-called “Celebgate” attacks targeted the personal iCloud accounts of celebrities and ended with roughly 500 nude images of female stars posted online for all to gawk at.

Then there’s simply the joy of disruption. A hacker group calling itself PoodleCorp boasted of knocking the popular Pokémon Go game offline soon after its launch in 2016. “Just was a lil test, we will do something on a larger scale soon,” the group tweeted ominously.

How are Entertainment Industry Targets Phished?

Entertainment industry targets are usually phished the same way other industries are breached: through a simple email. These can be targeted attacks aimed at third-party vendors; the Netflix hack was credited to a phish of Larson Studios, a small post-production facility in Los Angeles.

The message might ask the user to reset a password, with the attacker harvesting the credentials typed into a look-alike page and then taking over the account. The Celebgate affair was initiated from an account called “appleprivacysecurity@gmail” that sent emails and iMessages containing a rogue link.

Above: One of dozens of email templates available for free use on SecurityIQ

These can also be messages that appear to come from, or be addressed to, higher-ups. Phishing aimed at executives is sometimes referred to as “whaling,” and impersonating an executive to pressure their staff is a close cousin. The New York Times reported that a hacker posing as an Interscope Records executive emailed two management companies connected to Lady Gaga asking for tracks from her unreleased album, which they unwittingly sent.

Of course, even a random “free pizza” coupon that slips past the spam filter is a potential opening, particularly if it lands in a hungry intern’s inbox.

Above: Create your own custom phishing email templates for free on SecurityIQ
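The two lures described above, the fake password reset sent from a look-alike free-mail address and the request that impersonates an executive, leave signals that can be checked automatically at a mail gateway or in a triage script. The following Python is an added example, not code from this article or from SecurityIQ. The brand domains, the executive directory and the three sample messages are constructed for illustration, and the `registrable()` helper’s last-two-labels rule is a stand-in for a proper public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical data for the example (not from the article): brand domains and known executives.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}, "interscope": {"interscope.com"}}
EXECUTIVES = {"jane doe": "jane.doe@example-studio.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|verify|suspended|within 24 hours)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"((?:[\w-]+\.)+[a-z]{2,})", re.I)  # a domain quoted in link text

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude eTLD+1 (last two labels); a real tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw_email):
    """Return indicator tags for one RFC 822 message; an empty list means nothing tripped."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body, findings = body_text(msg), []

    # 1. A brand is named in the sender but the mail is not from a domain the brand owns (fake reset).
    sender_blob = f"{display} {addr}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in sender_blob and sender_domain not in domains:
            findings.append(f"brand-domain-mismatch:{brand}")

    # 2. The display name is a known executive but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"executive-impersonation:{expected}")

    # 3. Link text shows one domain while the href actually goes somewhere else.
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(text)
        if host and shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link-text-mismatch:{host}")

    # 4. Pressure language common to both lures, in subject or body.
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append("urgency")
    return findings

# Constructed sample messages modelled on the two lures (not real mail).
RESET_LURE = """\
From: Apple Privacy Security <appleprivacysecurity@gmail.com>
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended unless you verify within 24 hours.</p>
<a href="http://appleid-verify.example.net/reset">https://appleid.apple.com/reset</a>
"""
WHALING_LURE = """\
From: Jane Doe <jane.doe.interscope@gmail.com>

Send the unreleased tracks immediately, I'm in a meeting and can't log in.
"""
BENIGN = """\
From: Jane Doe <jane.doe@example-studio.com>

<p>Monday's call sheet is on the <a href="https://intranet.example-studio.com/schedule">intranet</a>.</p>
"""

if __name__ == "__main__":
    for name, mail in [("reset lure", RESET_LURE), ("whaling lure", WHALING_LURE), ("benign", BENIGN)]:
        print(f"{name}: {phishing_indicators(mail) or 'no indicators'}")
```

Running the block prints the indicators for each sample; the benign call-sheet message produces none. These are deliberately simple heuristics meant to be read alongside SPF, DKIM and DMARC results at the gateway, not to replace them, and the same checks are a useful yardstick for judging how convincing a simulated phish is before it is sent to staff.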

Three Steps for Preventing Entertainment Industry Phishing

Education & Training

One of the most important steps you can take is making sure everyone in the company is aware of the dangers of phishing. This can begin with educational courses that include video and interactive elements covering the latest threats.

InfoSec Institute has created a program called SecurityIQ, which has a strong educational component called AwareEd. AwareEd contains short, informative, and fun learning modules that allow your staff to quickly learn how to keep your company protected. These courses can be customized and administered remotely. Once your team is enrolled in AwareEd, you can monitor their progress in the control panel.

Above: A selection of AwareEd interactive modules through SecurityIQ

There is a wide variety of employees in the entertainment industry, from executive producers to gofers to digital effects artists. AwareEd modules can be modified to address these differing backgrounds and skill levels so that everyone is on the same page.

Simulation

Hand in hand with education comes real-world practice in the form of drills. These can be created and administered in the other component of SecurityIQ, called PhishSim.

PhishSim is an automated phishing simulation program that lets you send simulated phishing emails to everyone in your company address book. That list should always include higher-ups like directors, producers, and creatives.

Simulated phishing emails can be built to mimic a “whaling” attack; a short, angry message from a director or producer can easily fool underlings. There is also a variety of templates that emulate everything from password resets to pizza coupons.

Recipients who click a link are not actually phished; instead they are sent to a SecurityIQ landing page (which can be customized) informing them of their error.

It’s a good idea to use AwareEd and PhishSim in tandem: run a drill before rolling out a course, and require those who clicked to enroll. Drills should not be announced in advance, since that reduces their effectiveness.

Reporting

One of the most important safeguards an entertainment company can put in place is a proper reporting procedure for when a breach, or a suspected phish, occurs. If you have an IT person or department, they should be among the first notified. Company policy should dictate how and when to discuss the breach with clients whose assets may be affected.

Depending on the seriousness of the situation, entertainment companies may also want to alert the local police (the LAPD has a Computer Crimes Unit) and the US Computer Emergency Readiness Team (US-CERT). They may also want to contact the MPAA, which inspects facilities for security and is working to standardize practices across vendors.


Conclusion

The entertainment industry is a huge sector with many vulnerabilities, through its vendors as well as its own staff. Vigilance is needed at every level, in every department, at every office, and security must extend to offshore companies as well as to the personal accounts of celebrities. Passwords should be hard to guess and never shared among users or reused across platforms.

These tips and more information can be found for you and your employees at SecurityIQ. When you join today for free, you can use PhishSim to send a limited number of campaigns to a limited number of learners, with similar limits on AwareEd. Right now we are offering a free month of unlimited use, so join today and keep your valuable assets protected.

Resources:

http://www.latimes.com/business/hollywood/la-fi-ct-hacking-disney-netflix-20170523-story.html

http://www.latimes.com/local/lanow/la-me-ln-hacking-prison-sentence-celebrities-email-20160721-snap-story.html

http://www.slashfilm.com/heres-everything-we-know-about-the-netflix-hack-so-far/

https://www.nytimes.com/2017/05/07/technology/hackers-exploit-celebrities-vendor-chains.html?_r=3

http://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704

https://www.vice.com/en_nz/article/pp4qkg/who-hacked-sony-pictures-two-years-later-no-ones-really-sure


http://www.elegantthought.com/mpaa/facility-security-program.html

Stephen Moramarco