Among other things, 2020 reminded us how fundamental cybersecurity is to business continuity.
The massive transition to remote working contributed to our anxiety. The security challenges as millions of workers moved from on-site to a remote working model were all too real, and cybercriminals took full advantage. From privacy and data security concerns surrounding video conferencing tools, to targeted attacks on remote employees with COVID-19 themed cybercrime (including malicious email threats like phishing, ransomware and Business Email Compromise), 2020 brought into focus just how agile and callous our adversaries can be.
But as we enter 2021, it’s key to remember the transition to new environments and secure ways of working is still ongoing. Experts like Gartner are identifying a hybrid work model as a fast emerging post-pandemic trend (a flexible strategy enabling employees to work from different types of worksites) – a trend which companies like Google have already adopted. Many other organizations, on the other hand, are continuing to work remotely. While the initial exodus to remote work occurred early last year, organizations are, however, “still evolving” in their responses to keep their data and employees safe. Reports continue to emerge of cyber-attacks successfully exploiting security gaps in remote working policies. Ann Johnson, Corporate Vice President of Security, Compliance and Identity Business Development at Microsoft, warns that businesses need to be prepared to face evolving, opportunistic cyber threats:
“More than 42% of organizations tell us that their workforce will remain remote well into 2021… As security threats become more daunting and many organizations remain in this remote work environment, your organization…must reach a state where your core operations and services will not be disrupted by unexpected changes…Now, whether it’s the year 2020, or beyond, we can expect that cybersecurity challenges will continue to evolve just as they always have. We can expect cybercriminals to continue to be opportunistic, exploiting current news headlines and trends in their socially engineered attacks.”
Below, I highlight two recent cyber-attacks that are exploiting some of the security challenges associated with a more dispersed workforce. While not completely “new”, these attacks are proof that room for improvement continues to exist in enhancing our remote working cyber policies. Share these with your teams as examples of the current ways businesses are getting compromised, and as reminders of the need to keep cybersecurity hygiene up to scratch as they continue working remotely.
1) Vishing attacks exploiting a lack of user access management
Heralded as phishing’s “touchier, feelier, voice-based cousin”, vishing or voice phishing is a social engineering attack where attackers impersonate a trusted authority during a voice call to persuade their targets into revealing confidential data. Experts say these scams are getting smarter, leveraging our trust of the human voice to further exploit the social engineering techniques of traditional email or fake website phishing scams.
The United States’ Federal Bureau of Investigation (FBI) issued an advisory in January this year to warn about a surge in vishing attacks attempting to steal corporate accounts and credentials for network access and privilege escalation from employees worldwide. Interestingly, the FBI’s advisory began with a note on how these attacks leverage security gaps surrounding user access management, triggered by changing working conditions during the pandemic:
"During COVID-19 shelter-in-place and social distancing orders, many companies had to quickly adapt to changing environments and technology," the advisory reads. "With these restrictions, network access and privilege escalation may not be fully monitored. As more tools to automate services are implemented on company’s networks, the ability to keep track of who has access to different points on the network, and what type of access they have, will become more difficult to navigate."
The advisory added that the cybercriminals behind these attacks are using Voice over Internet Protocol (VoIP) platforms to trick targeted employees into logging into a phishing webpage to harvest their usernames and passwords. In many cases, once they gain access to the company's network, these attackers gained greater network access than expected, allowing them to escalate privileges using the compromised employees' accounts. This permitted them to gain further access into the infiltrated networks, enabling them to generate significant financial damage.
"In one instance, the cybercriminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cybercriminals. The actors used these credentials to log into the company’s VPN and performed reconnaissance to locate someone with higher privileges. The cybercriminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cybercriminals used a chatroom messaging service to contact and phish this employee’s login credentials," the FBI stated.
It's easy to see how a remote working environment exacerbates the likelihood of such scams being successful. Employees today are accessing data & applications from multiple devices across a range of locations worldwide. Unfortunately, in this environment, users can be tricked and accounts & devices compromised, making it difficult to always know whether (human or automated) requests to gain access to networks are legitimate. In addition, as the FBI highlighted above, ensuring that the right people have the right level of access, to the right data, in the right context becomes a challenge for most organizations.
It's no surprise that there have been multiple vishing attacks since the advent of the pandemic. In August 2020, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory, warning remote workers of another vishing campaign targeting companies from several American industry sectors. Plus, the Twitter hack that occurred last year via a phone spear phishing attack has also been classified by some reports as a vishing scam. In this case, a fraudster hacked into several high-profile Twitter accounts (including those belonging to Elon Musk, Barack Obama & Joe Biden) by convincing a Twitter employee that he worked in the company’s IT department, and tricked Twitter users into sending him cryptocurrency. Again, hackers took advantage of the lack of proper measures surrounding user access, especially those involving high-profile Twitter accounts. In an ideal scenario, it wouldn’t be as simple for the hacker to gain access to these accounts via any employee – Twitter would have had a designated list of limited employees who had access to these accounts. And even if the hacker managed to successfully trick someone on that designated list, any unusual use of that access would have triggered alarms.
To stay protected against vishing scams, the FBI recommends the following measures:
- Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
- When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
- Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
- Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
- Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.
If you haven’t already, I also recommend exploring security frameworks like Zero Trust to overcome security challenges related to user access management. You can read more about how it works here.
2) Remote access/ tech support scams exploiting IT disruptions
The Australian Cyber Security Centre (ACSC) warned at the start of this year that scammers purporting to be from the agency were calling and emailing Australians and attempting to trick them into installing malicious software on personal devices.
“Cybercriminals are attempting to take advantage by using the ACSC name to send emails to individuals containing a malicious link requesting they download ‘Antivirus’ software. If clicked on, the link downloads and installs malicious software to the individual’s computer,” the ACSC stated.
Reports also stated criminals impersonating the ACSC were calling people using a spoofed Australian phone number. “Again, the scammers claim to be from the ACSC and request that victims download remote access tools (RATs) such as TeamViewer and AnyDesk to help resolve alleged malware issues. If users run the RAT on their devices, the scammers ask them to open a web browser and access their online banking services, to reveal sensitive financial information,” stated an itNews article featuring the scam.
Attacks of this nature are similar to “tech support scams”, as defined by the US Federal Trade Commission (FTC), or what the Australian Competition and Consumer Commission (ACCC) terms “remote access scams”.
“Tech support scammers may call and pretend to be a computer technician from a well-known company. They say they’ve found a problem with your computer. They often ask you to give them remote access to your computer and then pretend to run a diagnostic test. Then they try to make you pay to fix a problem that doesn’t exist,” says the FTC. The agency also states on its website that in 2019, it received more than 100,000 reports about tech support scams.
In this case, cybercriminals are exploiting the well-established and trusted reputation of the ACSC to trick users. Receiving notifications or calls related to their computer’s security from the national cyber security agency, while concerning, aren’t likely to raise too much suspicion among users. They may instead be motivated to do the scammers’ bidding immediately without pausing to think of the legitimacy of the request. Cybercriminals know this, and ironically use safety alerts like this to scam users.
The ACCC recently stated that Australians lost $8 million to remote access scams in 2020. The consequences of falling for these scams, however, extend far beyond the financial losses – especially if it involves the installation of malware on victims’ computers as in the case above. Malware like keyloggers may be used to capture confidential information like login or banking details. Acquiring such valuable data can enable scammers to commit further instances of identity theft, widening their victim pool.
As more businesses shift their operations to a remote work model triggered by the COVID-19 pandemic, the likelihood of tech support or remote access scams being successful rises significantly. Criminals behind these scams exploit frustrations of employees who are no longer able to physically turn to their organization’s IT or support teams for help when they want to set up multi-factor authentication (MFA) on their devices or update their software and operating systems. This can be stressful – especially for employees who are working from home for the first time. In this situation, it’s not hard to imagine how an employee might believe someone claiming they can easily improve their Internet speed, or fix a hidden “virus” in their computer?
My team at MailGuard is seeing similar email scams that are also leveraging the tech disruptions triggered by remote working. With many companies introducing new software and tech policies to accommodate the rise in remote work, new and unfamiliar IT updates like the one below are commonly sent by organizations as they try to ensure business continuity. Unfortunately, these can be used to lead users to phishing websites, designed to harvest their confidential details, as is the case with this email:
To avoid being a victim of tech support scams, you can check out several recommended measures from the FTC and the ACCC. These include not sharing financial and personal data online, never allowing remote access to your computer and always keeping security software up to date.
Malicious emails remain one of the most prolific ways fraudsters infiltrate networks, so I also recommend taking a defense in depth approach to your business email security. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to my team at email@example.com.
Change brings novelty, and novelty brings opportunity for cybercriminals. And as we continue adapting to changing work environments, you can bet cybercriminals are going to capitalize on every opportunity to attack you and your assets. As we try to mitigate the risks of these attacks, questions will continue to be raised, errors will be made, and oversights will happen – and this happens even to the best of us. However, I hope that by sharing our knowledge and experience, we can collectively reduce the likelihood of cybercriminals successfully exploiting our teams and businesses.
What are some security challenges that your business is facing as we enter 2021? Add your comments below.