As the world tries to reboot itself, cyber criminals are pouring into the cracks created by the sudden glut of home workers.
COVID phishing has exploded, VPNs and remote working tools are being hammered for exploits and misconfigurations and now, even the phone scammers are getting in on the act.
First-hand experience of just such a phishing attack
This was evident last week, when one of the Censornet team was targeted by just such an attack while working at home.
Coincidentally, while waiting for a call back from a Vodafone engineer about a broadband issue, ‘Jack from Sky’ phoned, purportedly to talk about the same issue. When challenged about why he was calling on behalf of Sky and not Vodafone, ‘Jack’ seamlessly segued, stating himself to be an Openreach engineer, the arm of BT that maintains a lot of the UK’s telecoms infrastructure.
A little suspicious, but nonetheless happy to move on to the problem, our co-worker was guided on to his laptop by ‘Jack’ – who dodged and weaved around a variety of questions before asking for a tab to be opened to test upload speed.
Having worked with a true Vodafone engineer a few days previously, alarm bells started ringing when the web address, which was read out over the phone to be typed in to the address bar, was nothing like the one which connected to the legitimate router (see below).
Instead, the URL was hubhelp.site123.me, where alarm bells became so loud they were impossible to ignore.
It was when ‘Jack’ suggested a click on the ‘server 2’ button to further diagnose the problem that the real goal of the scam became clear. It lead to the direct download of a remote access tool (see below), which if installed would have given the phoney engineer full control of the laptop, including visibility of keystrokes and mouse movements.
When asked about the need for such a tool just to diagnose a broadband issue, ‘Jack’ made his excuses and left, however, not without protesting it would ‘help with the diagnosis’ a number of times.
What does this mean for remote workers?
First, they should always be on their guard. Working outside of the office leaves employees isolated and open to attack.
Scammers know this, have no morals and are always looking to exploit bad situations to their advantage. For this reason, any contact which hasn’t been directly instigated and requires access to technical platforms should be questioned.
For security teams, this means educating the workforce on these types of attacks. Employees may not know they exist and, feeling ‘safe’ at home, will likely be caught off-guard.
This kind of education is iterative so continual learning is the best way to teach the necessary mind-set. ‘Jack’ seemingly had a well prepared script, so it is vital employees are taught to question everything to deal with professional social engineers.
From a technological standpoint, Web Security with a tailored list of policies would not only block access to the fake ‘customer service’ page, but could also be configured to warn or block at the point of downloading certain (dangerous) file types.
MFA would also help by preventing the attacker from being able to reuse stolen login credentials, making subsequent account logins impossible. In a world where most enterprise information is now accessed through SaaS solutions, session specific OTPs can significantly reduce risk as ‘Jack’ would not have been able to use captured credentials to effect unauthorized account access.
CASB could also be a useful line of defence. If the attacker had managed to install a remote access tool and could re-use credentials to log on as a legitimate employee, it would prevent unusual anomalous movements of data out of collaboration or cloud storage applications.
Criminals are finding many creative ways to abuse the world’s newly disintegrated perimeter. For security teams, this presents a user visibility and education challenge which has significantly increased risk. Only by combining human and technological mitigation, can an organisation be built which is resilient to the contemporary challenges brought about by lockdown.
Click here for more information, help and advice on securing your remote workforce, including checklists, webinars and eBooks.