
Phishing, which uses social engineering to steal user credentials and sensitive data, has been a major threat since the dawn of the internet and continues to plague organizations today, accounting for over 30% of all known breaches. With the massive shift to remote work during the pandemic, hackers are using the chaos and the lack of in-person user verification to step up their efforts to steal login credentials.
This has brought back vishing, a long-standing method of stealing sensitive information through social engineering over the phone, the voice counterpart of online phishing. Vishing attacks are on the rise, with 69% of businesses experiencing a vishing attack in 2021, up from 54% in 2020. These attacks often take the form of job and tech support scams and are very convincing. In August 2020, the FBI and CISA issued a joint warning that remote workers were being targeted by attackers spoofing the organization’s business number and impersonating the IT service desk.
Vishing to bypass 2FA
One of the most worrying aspects of vishing is that it allows attackers to bypass two-factor authentication (2FA). 2FA is a popular form of multi-factor authentication that requires a user to provide two pieces of information: a password and a one-time code sent via SMS.
The attacker accomplishes this by pretending to be a support representative and asking for the victim’s 2FA code over the phone. Once the code is provided by the victim, the attacker gains full access to their account, potentially compromising their financial and personal information.
Attacker disguised as help desk support
A common example is when an individual receives a pop-up alert that their device has been compromised or infected with malware and requires professional phone support to resolve the issue. Alternatively, the victim may receive a call from someone claiming to be a tech support representative for a reputable software provider, saying that malware has been detected on their machine. Or an attacker masquerades as an IT help desk clerk at the victim’s company and tries to lure the user into downloading remote-access software. This is the final stage of the scam: checkmate for the unsuspecting victim and potentially profitable for the attacker.
Impersonating the help desk clearly works. In July 2020, Twitter experienced a major security breach when hackers used a vishing scam to gain access to high-profile accounts such as those of Barack Obama, Joe Biden, Jeff Bezos, and Elon Musk. The attackers used these accounts to tweet bitcoin scams and quickly stole more than $100,000. Unlike traditional scams, these attacks target carefully selected individuals after gathering extensive information about them from social media and other public sources. This information is then used to identify the employees who are most likely to cooperate and who have access to the desired resources.
A twist: the attacker calls the help desk and pretends to be the end user
Social engineering attacks are carefully crafted from collected data and can be used to impersonate end users in calls to the help desk. An experienced attacker can easily obtain answers to security questions from a variety of sources, especially if the end user posts too much personal information on social media and the web.
According to Microsoft, the known threat group LAPSUS$ calls the help desks of targeted organizations in an attempt to convince support personnel to reset privileged account credentials. The group uses previously collected information and has English-speaking callers talk to the help desk. They can answer common recovery prompts such as “first street you lived on” or “mother’s maiden name” from the collected data to convince help desk personnel of their authenticity.
Another attempt to contact the help desk used Slack. Electronic Arts had 780 GB of source code downloaded by a hacker, also presumed to be LAPSUS$. The threat actor used authentication cookies to impersonate an already logged-in employee’s account, gained access to EA’s Slack channel, and convinced an IT support employee to grant access to the company’s internal network, which was allowed.
How can the help desk know who is really calling?
In the age of vishing, verifying user identities is more important than ever. With the rise of cyber-attacks and social engineering, it is critical that organizations take security measures to protect their employees, protect sensitive information, and prevent unauthorized access.
One effective way to protect against these types of attacks is to implement a secure service desk solution. This allows existing data, rather than knowledge-based authentication alone, to be used to validate the caller against the user account. This can be accomplished by sending a one-time code to the mobile phone number associated with the user’s account or by using existing authentication services to verify the caller.

Enforcing user authentication is another important aspect of Specops Secure Service Desk. It ensures that information and password resets are only provided to authorized users, which is essential for protecting high-security accounts and complying with regulatory requirements. Secure Service Desk eliminates the opportunity to impersonate a user by requiring verification with something the user (or an attacker) has, instead of relying solely on information the user (or an attacker) might know.
In addition to validating and enforcing user authentication, a secure service desk also enables secure reset or unlock of user accounts. This happens only after the user has been successfully verified and can be combined with self-service password reset tools that assist in the account unlocking and password reset process.
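The possession-based caller verification and verified-only unlock flow described in the two paragraphs above, as an added example (not Specops code): the one-time code is sent to the phone number already on file, is time-limited, attempt-limited and single-use, and the unlock step refuses to run until the code has been confirmed. The user directory and the SMS outbox are constructed stand-ins for this example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a code is good for five minutes, then must be reissued
MAX_ATTEMPTS = 3        # wrong guesses before the challenge is discarded

# Constructed directory: the phone number on file is what we trust,
# never a number the caller offers during the call.
USER_DIRECTORY = {"jdoe": {"phone": "+15555550100", "locked": True}}
pending = {}     # username -> active challenge
sms_outbox = []  # stand-in for the SMS gateway (constructed for this example)

def start_verification(username, now=None):
    """Agent starts verification; the code goes only to the phone on file."""
    user = USER_DIRECTORY.get(username)
    if user is None:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    pending[username] = {"code": code, "issued_at": time.time() if now is None else now,
                         "attempts": 0, "verified": False}
    sms_outbox.append((user["phone"], code))
    return True

def confirm_code(username, spoken_code, now=None):
    """Caller reads the code back; wrong, expired or replayed codes all fail."""
    ch = pending.get(username)
    if ch is None:
        return False
    now = time.time() if now is None else now
    if now - ch["issued_at"] > CODE_TTL_SECONDS:
        del pending[username]
        return False
    ch["attempts"] += 1
    if hmac.compare_digest(ch["code"], spoken_code):
        ch["verified"] = True
        return True
    if ch["attempts"] >= MAX_ATTEMPTS:
        del pending[username]
    return False

def unlock_account(username):
    """Reset or unlock is only possible once the challenge has been verified."""
    ch = pending.get(username)
    if ch is None or not ch["verified"]:
        return False
    del pending[username]  # single use: a second unlock needs a fresh code
    USER_DIRECTORY[username]["locked"] = False
    return True
```

An impostor who can answer "mother's maiden name" but does not hold the registered phone never receives the code, so the unlock step never becomes available to them.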
With vishing fraud showing no signs of abating, investing in a Specops Secure Service Desk solution can be an important step for organizations looking to protect their employees from the most subtle social engineering attempts. By implementing comprehensive and effective methods for verifying user identities, enforcing user authentication, and resetting or unlocking user accounts, you can rest assured that your help desk will always know who is really calling.