Spooked by website hacking, ad firm beefs up security, stops using default passwords

Part of the main page of Splash Productions' website after it was defaced by hackers. PHOTO: SPLASH PRODUCTIONS

SINGAPORE - A simple, default password shared by employees was possibly the weak link that allowed hackers to break into advertising and creative agency Splash Productions' website and deface it.

The incident, which happened about five to six years ago, was a wake-up call that spurred the company to drastically improve its cyber security, with a slew of measures to avoid a repeat.

This included getting physical security keys for staff to act as a two-factor authentication (2FA) to log into work devices, enforcing the use of strong passwords, encrypting data on computers, and setting up security software to detect suspicious activities.

The company's creative director, Mr Stanley Yap, told The Straits Times that these investments were necessary.

Even though the firm's website hacking incident did not result in too much damage - there was no financial loss, some lost data was recovered from backups and its clients faced some inconvenience trying to find out about Splash - the company did not want to become an easy target for cyber crooks.

"As a partner and vendor, we should keep our security strong so that we don't become the loophole for hackers to take over our clients' microsites, websites or social media platforms (which we manage)," explained Mr Yap. "It's not just about our work but our clients' platforms as well."

Splash has done work for many government agencies and businesses.

And the password that might have been at the root of the firm's hacking incident? It was likely the default password "admin", which Splash did not change at the time.

BH Global is another company that took steps to protect itself after a security scare.

The supplier of electrical products to the marine and offshore sector had nearly fallen for a sophisticated phishing scam in which crooks posed as a vendor the firm often worked with.

Mr Patrick Lim, group chief operating officer of BH Global, said that about nine to 10 years ago, a regular supplier from China had, out of the blue, requested for advance payment over e-mail.

When questioned by Mr Lim, the "supplier" explained over e-mail that he needed the money earlier because his cash flow was tight.

The crooks were able to produce a legitimate-looking invoice that followed the same formatting for such documents that BH Global was familiar with and even cited products that the company usually bought from the supplier. This made it seem less likely to be a fake request.

Thinking nothing was amiss - Mr Lim also checked the supplier's e-mail address many times and it was correct - he asked his firm's finance department to make the payment of about US$80,000.

But later in the day, the bank processing the payment called to alert BH Global that it was unusual for a supplier from China to have an account in Canada for accepting payments.

Mr Lim realised he had been duped and the payment was cancelled. He later found out the supplier had been hacked and crooks were impersonating him to trick others with fraudulent payment requests.

Determined to prevent history from repeating itself, BH Global realised that in trying to protect itself, it could offer cyber-security services to other companies too.

So about two years after the phishing incident, BH Global set up Athena Dynamics, which was spun out of the firm's group IT department.

One method the firm uses to help minimise hard-to-detect phishing attacks involves crushing any malware hidden in files by converting them into another file format and then converting them back.

Such "detectionless sanitisation" technology, that does not depend on detecting suspicious activity, can be used to "cleanse" e-mail attachments of malware.

Still, Mr Lim said: "Educating staff is also very important - not opening attachments and how to identify wrong e-mail addresses."

Join ST's Telegram channel and get the latest breaking news delivered to you.