A type of attack that is becoming increasingly common is where a cyber criminal calls up an organisation’s helpdesk and pretends to be a staff member who needs help getting access to their account.
The object of this activity is to get hold of sensitive information, reset passwords, and to change multi-factor authentication (MFA) — adding new actor-controlled devices or changing to weaker forms such as text messages.
These cyber criminals use a range of tricks to sound more convincing. For example, they may claim the request is urgent, appeal to authority (“Your boss will be angry if you don’t sort this out for me”), or try to arouse sympathy (tactics include having a baby crying in the background or claiming to be in a difficult situation).
In many cases they will use publicly available information (for example employee details from LinkedIn) or information from data breaches to make their impersonation more believable.
If the helpdesk staff cooperate, these attackers can try to use the access they gain to a staff member’s account to take malicious actions such as downloading sensitive files or deploying ransomware.
These techniques have been observed globally, including being used by hacker groups such as Scattered Spider.
Scattered Spider targets IT helpdesks and uses the access for data extortion and ransomware. Its attacks often involve social engineering techniques to learn how to get password resets from helpdesks, and phone calls to employees to gain the information required to successfully obtain the reset. The group may also scour social media sites for the personal information they need.
This group has previously targeted aviation, insurance, and retail sectors. Future attacks by similar groups are likely to include other sectors.
The NCSC is aware of similar techniques targeting helpdesks being used to infiltrate a number of New Zealand organisations.
“Helpdesks want to be helpful, but they also need to bear in mind that not everyone that calls them desperate for a password reset is who they say they are,” says the NCSC’s Response and Investigations Team Lead Tom Roberts.
“Help desk staff are an important line of defence against cyber attacks and they need to be supported to do their job, which will be to remain wary, and to require adequate verification before they can assist with password or MFA changes.”
What can businesses do to reduce risk?
Helpdesk processes
Refine helpdesk processes, including clear criteria for what information helpdesk staff need from a caller before revealing sensitive information, resetting passwords, or changing security features such as MFA. This should include what to do if the caller cannot sufficiently verify their identity.
Training
Provide regular training for your helpdesks/call centres on these processes and on identifying suspicious behaviour. This should ideally happen several times a year.
Supply chain risk
Consider your supply chain risks including what access your organisation gives to managed service providers (MSPs) that may be targeted.
Multi-factor authentication and verification
Require phishing-resistant multi-factor authentication and verification for critical systems, along with policies governing how changes to authentication and authorisation settings are approved.
Centralised logging
Implement centralised logging, and alert on suspicious login activity or data exfiltration.
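One way to act on this alerting advice, as an added example that is not from the NCSC or the original page: a Python check that scans constructed identity-event logs and flags MFA method downgrades or new device registrations that follow a helpdesk-initiated password reset within a short window. The JSON log format, event names and field names are assumptions, not those of any particular product.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a helpdesk reset for a.smith is
# followed minutes later by a downgrade to SMS and a new device; b.jones adds a
# device almost a day after a reset; c.lee changes MFA with no reset at all.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00", "user": "a.smith", "event": "helpdesk_password_reset", "actor": "helpdesk-07"}
{"ts": "2024-05-01T09:04:00", "user": "a.smith", "event": "mfa_method_changed", "method": "sms"}
{"ts": "2024-05-01T09:06:00", "user": "a.smith", "event": "mfa_device_added", "device": "new-phone"}
{"ts": "2024-05-01T10:30:00", "user": "b.jones", "event": "helpdesk_password_reset", "actor": "helpdesk-02"}
{"ts": "2024-05-02T08:15:00", "user": "b.jones", "event": "mfa_device_added", "device": "security-key"}
{"ts": "2024-05-01T11:00:00", "user": "c.lee", "event": "mfa_method_changed", "method": "sms"}
"""

# Methods the page describes as weaker forms of MFA (text message and voice).
WEAK_METHODS = {"sms", "voice"}
MFA_CHANGE_EVENTS = {"mfa_method_changed", "mfa_device_added"}
WINDOW = timedelta(hours=1)  # assumed correlation window; tune to your helpdesk SLA


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_mfa_changes(text, window=WINDOW):
    """Return alerts for MFA changes that occur within `window` of a helpdesk reset
    on the same account. Downgrades to a weak method are marked separately."""
    alerts = []
    last_reset = {}  # user -> timestamp of the most recent helpdesk reset
    for e in parse_events(text):
        user = e["user"]
        if e["event"] == "helpdesk_password_reset":
            last_reset[user] = e["ts"]
            continue
        if e["event"] not in MFA_CHANGE_EVENTS:
            continue
        reset_ts = last_reset.get(user)
        if reset_ts is None or e["ts"] - reset_ts > window:
            continue  # no recent helpdesk reset: normal self-service change
        alerts.append({
            "user": user,
            "event": e["event"],
            "minutes_after_reset": int((e["ts"] - reset_ts).total_seconds() // 60),
            "downgrade": e.get("method") in WEAK_METHODS,
        })
    return alerts
```

In practice the reset event would also carry the helpdesk ticket or agent ID so responders can review the verification that was performed on the call.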
Implement and test backups
In case an attacker does deploy ransomware, implement and regularly test backups so that you can recover.