Lake Worth is much like any other community working through the daily operations. Every day was nearly the same as the day before. Unfortunately, there was a power outage on May 20, 2018. As part of the protocol, an alert was sent to the residents. Unfortunately, along with the alert was a message the power outage was due to zombie activity. This was sent at 1:141a-1:45a on Sunday, May 20, 2018. This enduring message was sent to approximately 7,880 residents.
The message was intended to be cute, however, this was indicative of a much larger problem. The city's notification system had been compromised, and not by 'extreme zombie activity'.
On the surface, this appears to take the form of an old-school attack, perpetrated not for profit, but for notoriety. This would work to better the attacker(s) credibility among peers. This attack and compromise are worthy of a much deeper analysis. This clearly is indicative of a significant vulnerability in the system.
What makes this compromise worse was the second event of this nature in a week. The other involved the online utility payment systems.
In the subject case, a city's employee email was compromised and used to access the system. The attack point was verified. To get this point, a phishing attack was probably used.
Lessons Hopefully Learned
Granted this was a funny message that was sent. Certainly all involved are glad this was not a message destructive in nature. If the attackers were to have been malicious, the outcome could have been much worse. If the message would have been further adulterated to note a hurricane or tornado was headed for the municipality within an hour and everyone was required to leave now, there would have been mass hysteria and potential for auto accidents, in the least.
The compromise is indicative of the underlying issue, however. With the successful phishing attack, the attacker knows there is and will be the opportunity for further successful attacks. The municipality truly needs to step up its employee training to more than the once a year, mandatory, which bores most of the staff, to periodic, more engaging training regiments. Perhaps even an internal phishing campaign would be relevant to gauge the level of success the internal training was reaching towards.
Alanez, T. (2018, May 21). South florida city warns residents of extreme zombie activity. Retrieved from http://www.sun-sentinel.com/local/palm-beach/fl-pn-zombie-alert-lake-worth-20180521-story.html
Capozzi, J. (2018, October 10). Lake worth 'zombie alert' hacker used a city email to breach system. Retrieved from https://www.mypalmbeacpost.com/news/lake-worth-zombie-alert-hacker-used-city-email-breach-system/
Palm Beach Post. (2018, May 23). national, social media has way too much fun with lake worth's 'zombie alert'. Retrieved from https://www.palmbeachpost.com/news/new-nation-social-media-has-way-too-much-fun-with-lake-worth-zombie-alert/
Rodriguez, D. (2018, May 22). A fake 'zombie outbreak' alert alarms lake worth residents. Retrieved from https://www.tampabay.com/news/A-fake-Zombie-Outbreak-alert-alarms-Lake-Worth-residents-_168461999
Ross, M. (2018, May 22). Lake worth falsely sends out 'zombie' alert during power outage. Retrieved from https://www.palmbeachpost.com/news/breaking-news-breaking-lake-worth-falsely-sends-out-zombie-alert-during-power-outage/
Shatzman, M. (2018, May 22). Where did the zombies come from in lake worth? Retrieved from http://www.sun-sentinel.com/local/palm-beach/fl-pn-lakeworth-zombie-alert-05222018-story.html
Sputnik International. (2018, May 23). Florida apocol-lapse: US city's residents mistakenly warned of zombie attack. Retrieved from https://sputniknews.com/viral/201805231064710940-zombie-alert-warning-message/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!