A phishing campaign… from inside the system
Customers started receiving phishing emails.
They appeared to come from a legitimate travel platform.
The timing was precise:
- emails were sent shortly after booking
- content matched real transactions
- customers trusted the source
This was not a random phishing attempt.
It was targeted.
---
The situation
At first, the assumption was that the attacker had found a sophisticated way into the system.
In reality, the environment contained several basic weaknesses that made access relatively easy.
---
What was actually happening
Several security issues existed at the same time:
1. Weak network access controls
- WiFi was protected by a weak password
- the environment was located in a shared building
- access could be obtained from outside without physical entry
---
2. Weak system credentials
- root login was used for SSH
- the root password was simple and predictable
- the same password was reused across systems
---
3. Database exposure
- database access used the same weak credentials
- permissions were overly broad (GRANT ALL)
- no separation between roles or access levels
---
Why this mattered
An attacker did not need to exploit complex vulnerabilities.
They only needed to:
- gain network access
- authenticate using weak credentials
- access sensitive data
From there, it was possible to:
- extract customer information
- send targeted phishing emails
- appear legitimate to recipients
---
The fix
The remediation focused on fundamentals:
1. Secure access
- remove or restrict WiFi access
- enforce stronger authentication
---
2. Remove shared root access
- disable direct root login
- introduce individual accounts
- enforce proper authentication practices
---
3. Apply least privilege
- revoke broad database permissions
- create dedicated users with minimal access
- separate responsibilities across roles
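What "revoke broad database permissions" and "dedicated users with minimal access" look like in practice, as an added example (not the post's own code or the platform's actual schema). It assumes MySQL/MariaDB grant syntax, a hypothetical `bookings` schema with `reservations` and `customers` tables, and placeholder hosts and secrets.

```sql
-- Added example; assumes MySQL/MariaDB syntax and a hypothetical `bookings` schema.

-- BEFORE: the pattern the post describes. One shared account, reachable from any
-- host, reusing the same weak password as SSH root, with every privilege everywhere.
CREATE USER 'app'@'%' IDENTIFIED BY '<weak-shared-password>';
GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION;

-- AFTER, step 1: revoke the broad grant and retire the shared account entirely.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'%';
DROP USER 'app'@'%';

-- Step 2: one account per responsibility, each limited to the objects and columns
-- it needs, and to the host it actually connects from (addresses are placeholders).
-- Booking service: writes reservations, reads only the customer columns it needs.
CREATE USER 'booking_svc'@'10.0.1.20' IDENTIFIED BY '<generated-secret-1>';
GRANT SELECT, INSERT, UPDATE ON bookings.reservations TO 'booking_svc'@'10.0.1.20';
GRANT SELECT (id, email, display_name) ON bookings.customers TO 'booking_svc'@'10.0.1.20';

-- Notification sender: sees only the rows it must act on, via a view, and can
-- update only the flag it owns. It can no longer dump the whole customer table.
CREATE VIEW bookings.pending_notifications AS
  SELECT r.id AS reservation_id, c.email
  FROM bookings.reservations r
  JOIN bookings.customers c ON c.id = r.customer_id
  WHERE r.notified = 0;
CREATE USER 'notify_svc'@'10.0.1.21' IDENTIFIED BY '<generated-secret-2>';
GRANT SELECT ON bookings.pending_notifications TO 'notify_svc'@'10.0.1.21';
GRANT UPDATE (notified) ON bookings.reservations TO 'notify_svc'@'10.0.1.21';

-- Human administrator: a named individual account, scoped to the admin network,
-- so root is never shared and every action is attributable to a person.
CREATE USER 'alice_dba'@'10.0.2.%' IDENTIFIED BY '<generated-secret-3>';
GRANT ALL PRIVILEGES ON bookings.* TO 'alice_dba'@'10.0.2.%';

FLUSH PRIVILEGES;

-- Step 3: verify. Each service account should show only the grants above, and no
-- account except the locked-down root should still hold GRANT OPTION or global rights.
SHOW GRANTS FOR 'booking_svc'@'10.0.1.20';
SHOW GRANTS FOR 'notify_svc'@'10.0.1.21';
SELECT user, host FROM mysql.user WHERE Grant_priv = 'Y';
```

Rerun the final query after any change: a service account reappearing in that list means a broad grant has crept back in.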
---
The result
After tightening access and permissions:
- unauthorized access paths were eliminated
- phishing attempts stopped
- system exposure was significantly reduced
---
The lesson
Many security incidents do not require advanced techniques.
They rely on:
- weak passwords
- shared credentials
- overly broad permissions
- lack of access control
These are not complex problems.
But they are high-impact when ignored.
---
Closing thought
Security is often perceived as a complex discipline.
In practice, many of the most serious risks come from simple weaknesses.
Addressing these fundamentals can prevent incidents that would otherwise appear highly sophisticated.