Lucy Security Inc. says its Simulated Phishing template design was used in a recent data breach of Wipro, an IT outsourcing firm based in India.
Hackers “downloaded and copied a simulated phishing template, as part of their attack, using their own code and servers to deliver the attacks,” states Colin Bastable, CEO of Lucy Security.
Bastable adds, however, that “there is no evidence that hackers used Lucy software, other than using the template design.”
The templates are designed so that “legitimate users can expose their co-workers and clients to realistic but simulated phishing and social engineering attacks,” Bastable notes.
He continues that “clearly we would prefer that it was not used in this fashion.”
Lucy was alerted to the use of its template by a researcher at an IT security vendor, and claims that an independent analyst has confirmed that its software was not used.
The Wipro breach was first reported on April 15 by Krebs on Security, the company says. Wipro’s systems allegedly were used to launch cyber attacks against the company’s customers.
Krebs wrote that it had “heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.”
However, analysis by Flashpoint determined that the motive was most likely gift fraud, and that the attacks were probably not state-sponsored, Forbes reports.
Lucy Security founder Oliver Münchow states: “This breach demonstrates the need for training; organizations can’t rely solely on malware detection software or firewalls or hardware defenses.”