A phishing campaign… from inside the system
Customers started receiving phishing emails.
They appeared to come from a legitimate travel platform.
The timing was precise:
- emails were sent shortly after booking
- content matched real transactions
- customers trusted the source
This was not a random phishing attempt.
It was targeted.
The situation
At first, the assumption was that the attacker had found a sophisticated way into the system.
In reality, the environment contained several basic weaknesses that made access relatively easy.
What was actually happening
Several security issues existed at the same time:
1. Weak network access controls
- WiFi was protected by a weak password
- the environment was located in a shared building
- access could be obtained from outside without physical entry
2. Weak system credentials
- root login was used for SSH
- the root password was simple and predictable
- the same password was reused across systems
3. Database exposure
- database access used the same weak credentials
- permissions were overly broad (GRANT ALL)
- no separation between roles or access levels
Why this mattered
An attacker did not need to exploit complex vulnerabilities.
They only needed to:
- gain network access
- authenticate using weak credentials
- access sensitive data
From there, it was possible to:
- extract customer information
- send targeted phishing emails
- appear legitimate to recipients
The fix
The remediation focused on fundamentals:
1. Secure access
- remove or restrict WiFi access
- enforce stronger authentication
2. Remove shared root access
- disable direct root login
- introduce individual accounts
- enforce proper authentication practices
3. Apply least privilege
- revoke broad database permissions
- create dedicated users with minimal access
- separate responsibilities across roles
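An added illustration of step 3, not taken from the case itself: it contrasts the broad GRANT ALL described above with a least-privilege layout of dedicated accounts. MySQL/MariaDB syntax is assumed, as are the database name (travel), the table names and the host ranges; the role split (application, mailer, reporting) is hypothetical.

```sql
-- Added example, not part of the original write-up. MySQL/MariaDB syntax, the
-- database 'travel', its tables and the host ranges are all assumptions.

-- The weak setting found in the case: one shared account, reachable from any
-- host, holding every privilege on every database. Any guessed or reused
-- password here exposes all customer data. (Shown for contrast only.)
-- GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';

-- Step 1: take the broad privileges away from the shared account and stop it
-- from being reachable over the network at all.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'root'@'%';
DROP USER IF EXISTS 'root'@'%';

-- Step 2: one account per role, each bound to the host it connects from.
-- The booking application reads customers and writes bookings; nothing else.
CREATE USER 'booking_app'@'10.0.1.%' IDENTIFIED BY '<strong unique password>';
GRANT SELECT ON travel.customers TO 'booking_app'@'10.0.1.%';
GRANT SELECT, INSERT, UPDATE ON travel.bookings TO 'booking_app'@'10.0.1.%';

-- The confirmation mailer only needs the columns required to address a
-- message; a column-level grant keeps full customer records out of its reach.
CREATE USER 'mailer'@'10.0.1.%' IDENTIFIED BY '<strong unique password>';
GRANT SELECT (customer_id, email, full_name) ON travel.customers TO 'mailer'@'10.0.1.%';
GRANT SELECT (booking_id, customer_id) ON travel.bookings TO 'mailer'@'10.0.1.%';

-- Reporting is read-only and limited to a single reporting host.
CREATE USER 'reporting'@'10.0.2.5' IDENTIFIED BY '<strong unique password>';
GRANT SELECT ON travel.bookings TO 'reporting'@'10.0.2.5';

-- Step 3: verify what each account can actually do.
SHOW GRANTS FOR 'booking_app'@'10.0.1.%';
SHOW GRANTS FOR 'mailer'@'10.0.1.%';

-- Step 4: recurring check for accounts that still accept connections from any
-- host or hold global privileges. Every row returned is a finding to review;
-- the local administrative account is the only one expected here.
SELECT user, host
FROM mysql.user
WHERE host = '%'
   OR Select_priv = 'Y' OR Insert_priv = 'Y'
   OR Super_priv = 'Y'  OR Grant_priv = 'Y';
```

Replace each password placeholder with a unique, generated secret before running; the same credential must not be reused across the SSH and database layers, which was the reuse that made the original access path trivial.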
The result
After tightening access and permissions:
- unauthorized access paths were eliminated
- phishing attempts stopped
- system exposure was significantly reduced
The lesson
Many security incidents do not require advanced techniques.
They rely on:
- weak passwords
- shared credentials
- overly broad permissions
- lack of access control
These are not complex problems.
But they are high-impact when ignored.
Closing thought
Security is often perceived as a complex discipline.
In practice, many of the most serious risks come from simple weaknesses.
Addressing these fundamentals can prevent incidents that would otherwise appear highly sophisticated.
A real-life experience from Harold Snippe
Infrastructure reliability, Linux engineering and operational security consultant focused on cross-system production issues, operational risk reduction and infrastructure troubleshooting.
Next step
Get clarity on your infrastructure risks before they become expensive
A short conversation is usually enough to see whether hidden risks, unclear priorities or unresolved trade-offs are putting your environment under pressure.