Cybercriminals are getting smarter. Not by developing new types of malware or exploiting zero-day vulnerabilities, but by simply pretending to be helpful IT support desk workers.
Attackers affiliated with the 3AM ransomware group have combined a variety of different techniques to trick targeted employees into helping them break into networks.
It works like this.
First, a company employee finds their inbox bombarded with unsolicited emails within a short period of time, making it practically impossible to work effectively.
At the same time, the attackers call the employee pretending to come from the organisation’s legitimate IT support department. Spoofed phone numbers help lend credibility to the call.
Then, the employee answers the call. They find themselves speaking to somebody who sounds professional, offering to help fix their email issue.
The spoof IT support desk worker, in reality a malicious hacker, tricks their intended victim into running Microsoft Quick Assist – a tool pre-installed on Windows systems – and granting remote access so the problem can be “fixed.”
Once connected, the attackers are free to deploy their malicious payload on the employee’s PC.
As security firm Sophos explains, a virtual machine is deployed on the compromised computer, in an attempt to evade detection from security software, and the attackers roll out a series of commands to create new user accounts and gain admin privileges.
Sophos says it has seen cybercriminals attempt to exfiltrate hundreds of gigabytes of data in the attacks.
The only reason attacks like these work is because workers are being duped by criminals, who are masters of social engineering, into obeying their commands (in this case, allowing the attacker to connect remotely via Microsoft Quick Assist)
All organisations must make efforts to train staff to better defend against the wide variety of attacks that can be made against them, including social engineering tricks. Many employees may be under the misapprehension that hackers only operate via the internet and that a real-life phone call can be trusted.
The unfortunate truth is that a phone call cannot automatically be trusted.
In addition, IT teams would be wise to look out for unusual activity across their network (such as the exfiltration of large amounts of data), and consider disabling tools like Microsoft Quick Assist unless they are genuinely required.
As social engineering attacks grow more sophisticated, companies must prepare for the fact that the next major breach might not start with a virus or a phishing email, but with a very convincing phone call.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.
