Special Olympics of New York is a nonprofit organization that is focused on competitive athletes with intellectual disabilities. It provides inclusive opportunities to more than 67,000 children and adults with intellectual disabilities across New York State.
Around this year’s Christmas holiday, it had its email server hacked and later used to launch a phishing campaign against previous donors.
The hackers turned this breach into a bigger opportunity, aiming to draw off $1,942,49 through phishing attacks on previous donors. The phishing emails were disguised as alerts for upcoming donation transactions.
The organization sent a notification disclosing the security incident to the people affected, urging donors to disregard the last message they had received and explaining that the hack only affected the “communications system”, which stores only contact information and no financial data.
“Friends, Boo! As you may have noticed, our email server was temporarily hacked. We have fixed the problem and sent our sincerest apologies. While donating to Special Olympics NY is always a good idea, we would never ask in such a grinchy way.” wrote Stacey Hengsterman, President & CEO of Special Olympics NY, in a post published on Instagram.
With this lure, the attackers aimed to trick victims into clicking on one of the two embedded hyperlinks that would redirect them to a PDF version of the transaction statement. The hackers induced a sense of urgency by giving the Special Olympics New York donors only a short time frame (two hours) in which to click on one of the links.
The phishing email used a Constant Contact tracking URL that redirected to the attackers’ landing page. This page has since been taken down but was most likely used to steal donors’ credit card details.
Casey Vattimo, the SVP of External Relations for Special Olympics New York, also said in a statement to the media that donors can now make donations securely because the issue has been fixed.