It's not a novel phenomenon, nor is it being carried out in a very sophisticated way, Red Canary's latest threat report notes, yet the trend is growing and miscreants are seeing greater rates of success.
Keen infosec watchers will remember that last year's ransomware attack at MGM Resorts was, per the attacker's own account, orchestrated by phishing an IT helpdesk worker in the space of just 10 minutes.
The same cybercriminals, tracked by the Scattered Spider moniker, used the same tactics with a spate of other Okta customers too, in what became one of the biggest security sagas of 2023.
Red Canary says these types of attacks are usually pulled off by cybercrims phoning an organization's helpdesk while pretending to be an employee.
They typically request changes to identity and access management controls, such as re-enrolling a multi-factor authentication (MFA) device, so they can take over a targeted user's account. These are tasks helpdesk staff carry out routinely, which is why the request tends to go through.
Once the attacker has registered their own mobile device as the account's MFA factor, they control the entire authentication chain and have cemented their insider access; the later stages of the operation can then begin.
They can identify key targets such as other, more privileged users, steal data from SaaS apps, switch to cryptomining via cloud resources, or embark on destructive attacks.
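The pivot point in that chain is a helpdesk-initiated factor reset followed by a new enrollment and sign-in from somewhere the user has never been seen. The following is an added example of detection logic over identity-provider audit events; it is not code from Red Canary's report or from The Register. The event names (`user.mfa.factor.reset_all`, `user.mfa.factor.activate`, `user.session.start`), the record fields and the sample log records are all assumptions constructed for the demo and would need mapping onto your own provider's schema.

```python
"""Detection sketch: helpdesk-initiated MFA reset followed by enrollment and
sign-in from an address the user has never used before.

Added example, not code from Red Canary's report or from The Register. The
event names, field names and log records are assumptions constructed for the
demo; map them onto your identity provider's audit log schema before use.
"""
from datetime import datetime, timedelta

# How long after the helpdesk reset we look for the new factor and sign-in.
WINDOW = timedelta(hours=1)

# Constructed sample audit events (assumed schema: ts, event, actor, target, ip).
SAMPLE_EVENTS = [
    # alice's normal sign-in from the office earlier in the day
    {"ts": "2024-03-15T08:00:00Z", "event": "user.session.start",
     "actor": "alice", "target": "alice", "ip": "10.0.0.7"},
    # dave's normal sign-in
    {"ts": "2024-03-15T08:10:00Z", "event": "user.session.start",
     "actor": "dave", "target": "dave", "ip": "10.0.0.9"},
    # helpdesk resets alice's MFA after a phone call; the caller enrolls a
    # new device and signs in from an address alice has never used
    {"ts": "2024-03-15T09:00:00Z", "event": "user.mfa.factor.reset_all",
     "actor": "helpdesk.bob", "target": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-03-15T09:04:00Z", "event": "user.mfa.factor.activate",
     "actor": "alice", "target": "alice", "ip": "198.51.100.23"},
    {"ts": "2024-03-15T09:06:00Z", "event": "user.session.start",
     "actor": "alice", "target": "alice", "ip": "198.51.100.23"},
    # legitimate case: helpdesk resets dave's MFA, dave re-enrolls and signs
    # in from his usual address, so no alert
    {"ts": "2024-03-15T09:10:00Z", "event": "user.mfa.factor.reset_all",
     "actor": "helpdesk.bob", "target": "dave", "ip": "10.0.0.5"},
    {"ts": "2024-03-15T09:15:00Z", "event": "user.mfa.factor.activate",
     "actor": "dave", "target": "dave", "ip": "10.0.0.9"},
    {"ts": "2024-03-15T09:16:00Z", "event": "user.session.start",
     "actor": "dave", "target": "dave", "ip": "10.0.0.9"},
    # self-service reset by the account owner is out of scope for this rule
    {"ts": "2024-03-15T09:20:00Z", "event": "user.mfa.factor.reset_all",
     "actor": "erin", "target": "erin", "ip": "10.0.0.11"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def known_ips_before(events, user, cutoff):
    """Addresses the user acted from before the reset: the baseline."""
    return {e["ip"] for e in events
            if e["actor"] == user and parse_ts(e["ts"]) < cutoff}


def find_helpdesk_mfa_takeovers(events, window=WINDOW):
    """Return one alert per helpdesk-initiated MFA reset that is followed,
    within `window`, by a new factor enrollment and then a sign-in from an
    address outside the user's baseline."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for reset in events:
        # Only resets performed on someone else's account (helpdesk-style).
        if (reset["event"] != "user.mfa.factor.reset_all"
                or reset["actor"] == reset["target"]):
            continue
        user = reset["target"]
        t0 = parse_ts(reset["ts"])
        baseline = known_ips_before(events, user, t0)
        enrolled = None
        for e in events:
            t = parse_ts(e["ts"])
            if e["actor"] != user or t < t0 or t - t0 > window:
                continue
            if e["event"] == "user.mfa.factor.activate":
                enrolled = e
            elif (e["event"] == "user.session.start" and enrolled
                  and e["ip"] not in baseline):
                alerts.append({
                    "user": user,
                    "helpdesk_actor": reset["actor"],
                    "reset_at": reset["ts"],
                    "enrolled_at": enrolled["ts"],
                    "new_ip": e["ip"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_helpdesk_mfa_takeovers(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, this flags alice (reset by helpdesk.bob, new factor, sign-in from 198.51.100.23) and stays quiet for dave and erin. The "never seen this address" check is the weakest part of the rule: an attacker who has already landed on the corporate VPN, or who proxies through a range the user has used before, slips past it, so in production you would key the baseline on device identity, ASN or factor type rather than bare IP, and treat the helpdesk reset itself as the event that gets a second pair of eyes.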
Researchers also continue to see the reverse: attackers impersonating helpdesk staff to phish other employees, a role reversal of the trend described above.
Trading on the perceived legitimacy, trustworthiness, and authority of the helpdesk, the attacker asks users for access and for multi-factor authentication codes, which are then used to hijack their accounts.
From there, the same later-stage attacks follow as in the case where the roles are reversed.
Red Canary suggests that more thoughtful ways of combating these types of attacks need to be deployed within organizations.
User and staff education programs are already widespread in many organizations, but it's clear the same problems recur and are becoming increasingly taxing.
Among the measures the report suggests:

- Require employees to verify their identity with information a remote attacker could not easily obtain, such as the serial number of their company-issued computer, or personal details that cannot be found online.
- Establish a specific passphrase for organization staff, a shared secret, that a caller must supply to prove they are really the user behind the screen.
- Verify identities over a video call, giving helpdesk staff a visual directory of all employees to check against.
- Ask questions about the employee's working behaviour, such as which apps they had open at a given time or when they logged in that morning.
- Verify the request through a third party such as the employee's manager, who may be in the office with them and can confirm in person that they made the support request.
As always where phishing is concerned, the first port of call for any organization should be a robust MFA policy.
But as the rise in helpdesk phishing shows, MFA cannot be relied on alone: a factor the helpdesk can reset over the phone, or a code a user can read out to a caller, almost always leaves attackers a way around it.
This Cyber News was published on go.theregister.com. Publication date: Fri, 15 Mar 2024 19:13:07 +0000