Phishing, the theft of users' credentials or sensitive data through social engineering, has been a significant threat since the early days of the internet and continues to plague organizations, accounting for more than 30% of all known breaches. With the ongoing shift to remote working during and after the pandemic, attackers have stepped up their efforts to steal login credentials, taking advantage of the disruption and the lack of in-person user verification.
This has led to the revival of the old-school technique of vishing, which, like phishing online, uses social engineering over the phone to steal sensitive information. Vishing attacks have risen as a result, with 69% of companies experiencing them in 2021, up from 54% in 2020. These attacks often take the form of job or tech support scams and can be incredibly convincing. In August 2020, the FBI, together with CISA, issued a warning that remote users were being targeted by attackers spoofing organizations' business numbers and impersonating the IT service desk.
One of the most concerning aspects of vishing is the attackers' ability to bypass two-factor authentication (2FA). 2FA is a popular form of multi-factor authentication that requires users to provide two types of information, typically a password and a one-time code sent via SMS. Attackers defeat it by impersonating a support representative and asking the victim to read out the 2FA code over the phone. If the victim provides the code, the attacker gains full access to the account, potentially exposing financial or personal information.
A common instance is a pop-up alert claiming that the user's device has been breached or infected with malware and that professional phone support is required to fix the problem. Alternatively, victims may receive a call from an alleged tech support representative of a reputable software provider, claiming that malware has been detected on their machine. The attacker then tries to convince the user to download remote access software under the pretext of being a corporate IT help desk representative. This is the final phase of the scam, after which it is checkmate for the unsuspecting victim and a potential payday for the attackers.
Attackers impersonating the help desk succeed. In July 2020, Twitter suffered a major security breach when hackers used a vishing scam to gain access to dozens of high-profile accounts, including those of Barack Obama, Joe Biden, Jeff Bezos, and Elon Musk. The attackers used these accounts to tweet a bitcoin scam, resulting in the swift theft of over US$100,000. Unlike traditional scams, these attacks target carefully selected individuals after gathering extensive information about them from social media and other public sources. This information is used to identify the employees most likely to cooperate and most likely to have access to the desired resources, at which point the attackers are primed and ready to wreak havoc.
Social engineering attacks are carefully fabricated from collected data and can be used to impersonate an end-user on a call to the help desk. An experienced attacker can easily acquire the answers to security questions from various sources, especially since end-users put far too much personal information on social media and the web.
Microsoft reported that LAPSUS$, a known threat group, calls a targeted organization's help desk and attempts to convince support personnel to reset a privileged account's credentials. The group uses previously gathered information and has an English-speaking caller speak with the help desk. With the data collected, the caller can answer common recovery prompts such as "The first street you lived on" or "Mother's maiden name" and convince help desk personnel that the request is genuine.
Lapsus$ (also written LAPSUS$, and classified by Microsoft as DEV-0537) is an international extortion-focused hacker group known for its cyberattacks against companies and government agencies. Unlike most hacker groups, Lapsus$ is known for using the messaging app Telegram to communicate with the public, including for recruitment and for posting sensitive data from its victims, although the group's use of Telegram has diminished. The composition of the group has also drawn attention, with at least two of its members being teenagers. Lapsus$' attack vector is social engineering: once the group has obtained the credentials of a privileged employee within the target organization, it attempts to obtain sensitive data through a variety of means, including remote desktop tools.
In another approach to reaching the help desk, Slack was used. Electronic Arts had 780GB of source code downloaded by hackers also presumed to be LAPSUS$. The threat actors used stolen authentication cookies to impersonate an already-logged-in employee's account and access EA's Slack workspace, then convinced an IT support employee to grant them access to the company's internal network.
Verifying user identity in the Vishing age is more important than ever. With the rise of cyber-attacks and social engineering, it's crucial for organizations to have security measures in place to safeguard their employees, protect their sensitive information, and prevent unauthorized access.
One effective way to safeguard against these types of attacks is to implement a secure service desk solution, which allows for the verification of user accounts with existing data beyond just knowledge-based authentication. This can be achieved by sending a one-time code to the mobile number associated with the user's account or using existing authentication services to verify callers. This ensures that information and password resets are only offered to authorized users, which is essential for protecting high-security accounts and adhering to regulatory requirements. With a secure service desk, you can remove the opportunity for user impersonation by requiring verification with something the user has and not just relying on something the user or an attacker may have already collected.
In addition to verifying and enforcing user authentication, a secure service desk also allows for the secure reset or unlocking of user accounts. This is done only after the user has been successfully verified and can be combined with a self-service password reset tool to assist with account unlocks and the password reset process.
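The verification flow described above, as an added example that is not part of the original article or any vendor's product: a help desk verifier that sends a one-time code only to the mobile number already on file for the account (never to a number the caller supplies), rejects expired or repeatedly wrong codes, and allows a password reset only after a recent successful check. The directory, the SMS sender, and the clock are constructed in-memory stand-ins for a real identity provider and SMS gateway; the names `ServiceDeskVerifier`, `OTP_TTL_SECONDS`, `MAX_ATTEMPTS` and `VERIFIED_WINDOW_SECONDS` are assumptions of this example.

```python
"""Help-desk caller verification with a one-time code sent to the number on file.

Constructed example: the directory, SMS sender and clock are in-memory
stand-ins for a real identity provider and SMS gateway.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300           # a code is valid for five minutes
MAX_ATTEMPTS = 3                # wrong guesses before the challenge is voided
VERIFIED_WINDOW_SECONDS = 600   # how long a successful check authorises a reset


def _hash_code(code: str, salt: bytes) -> bytes:
    """Store only a salted hash so a leaked challenge table reveals no codes."""
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class Challenge:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int


class ServiceDeskVerifier:
    """Gates account resets behind possession of the registered phone."""

    def __init__(self, directory, send_sms, clock=time.time):
        # directory: username -> mobile number already on file (never caller-supplied)
        self.directory = directory
        self.send_sms = send_sms
        self.clock = clock
        self.challenges = {}    # username -> Challenge
        self.verified_at = {}   # username -> time of last successful check
        self.audit = []         # (event, username) tuples for the SOC

    def start_verification(self, username: str) -> bool:
        """Send a fresh code to the number on file; the caller's claimed number is ignored."""
        number = self.directory.get(username)
        if number is None:
            self.audit.append(("unknown_account", username))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.challenges[username] = Challenge(
            _hash_code(code, salt), salt, self.clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_sms(number, f"Service desk verification code: {code}")
        self.audit.append(("challenge_sent", username))
        return True

    def verify(self, username: str, submitted: str) -> bool:
        """Check the code the caller reads back; expired or exhausted challenges are voided."""
        ch = self.challenges.get(username)
        if ch is None:
            self.audit.append(("no_challenge", username))
            return False
        if self.clock() > ch.expires_at:
            del self.challenges[username]
            self.audit.append(("challenge_expired", username))
            return False
        ch.attempts_left -= 1
        if hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash):
            del self.challenges[username]            # a code is single-use
            self.verified_at[username] = self.clock()
            self.audit.append(("verified", username))
            return True
        if ch.attempts_left == 0:
            del self.challenges[username]            # caller must restart the process
            self.audit.append(("challenge_locked", username))
        else:
            self.audit.append(("wrong_code", username))
        return False

    def reset_password(self, username: str) -> bool:
        """Only a recently verified caller may have the password reset."""
        when = self.verified_at.get(username)
        if when is None or self.clock() - when > VERIFIED_WINDOW_SECONDS:
            self.audit.append(("reset_refused", username))
            return False
        del self.verified_at[username]  # one verification authorises one reset
        self.audit.append(("password_reset", username))
        # Hand off to the identity provider's reset API here.
        return True


if __name__ == "__main__":
    outbox = []
    desk = ServiceDeskVerifier({"alice": "+1-555-0100"}, lambda n, m: outbox.append((n, m)))
    desk.start_verification("alice")
    code = outbox[-1][1].split()[-1]     # in reality the caller reads this back
    print("verified:", desk.verify("alice", code), "reset:", desk.reset_password("alice"))
    print(desk.audit)
```

The design point is in `start_verification`: the destination number comes from the directory, so an attacker who has collected the victim's security-question answers still cannot redirect the code to a phone they control. The audit list is what a SOC would forward to its SIEM; repeated `challenge_locked` or `reset_refused` events for privileged accounts are a useful signal of help desk targeting.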
Weekly Cyber Intelligence Briefings:
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989