We’ve written extensively over the past few years about social engineering attacks and phishing. These are related practices that bad actors use to trick users into giving access to their business workstations and granting entry into networks. A recent story about the group Black Basta revealed some of the innovative methods they use for gaining (and abusing) users’ trust. Today, we’ll review this hybrid style of attack and show you some things to look for to help prevent being duped into giving the attackers a foothold on your network.
Social Engineering Attacks and Phishing…
…are related cyber-attacks in the sense that they share a common purpose: gaining access to someone’s system. Phishing generally refers to sending fraudulent emails to someone in hopes that they’ll hand over authentication information. Most obviously, your login credentials, your username and password, are what the attacker is after here.
Since MFA is the standard level of protection for most important logins these days, these attacks often include a way of capturing an MFA token to go along with your credentials. That combination will get an attacker into your account, but it has to be used almost immediately, while the token is still valid. Even if your business has good password management, any link could be hiding a lookalike site designed to steal your password and allow an attacker to compromise your account.
Social engineering attacks are classified as a different kind of attack because they require gaining the trust of the person in the attacker’s crosshairs. Instead of simply tricking someone into handing over credentials, a social engineering attack is one where the fraudulent action is carried out by talking to someone or offering them help, with the intent of gaining access to their system. This means that protection against social engineering attacks has to be handled differently for businesses. Instead of trying to block attackers’ websites, for example, social engineering protection most often needs to take the form of user education.
Who Can You Trust?
Tech support scams are one variety of social engineering attack. They often begin with an ad that appears to be for a software vendor’s legitimate support team. By clicking on the ad, you’re taken to a branded website and directed to call someone to get support with your software problem. The call center, however, is run by cyber criminals, and the “help” they’re so readily giving is actually a set of instructions on how to give them access to your business’ network.
The new, Teams-based version of this attack is basically the same thing, but initiated through a one-on-one chat with someone claiming to be part of your help desk or support team. A new chat pops up from an external user who says that you need to install an antivirus scanning utility or something similar, and then delivers an executable file that installs malware on your device.
These attacks are popular and effective because they don’t require a lot of testing or trial and error to break into the network. Instead, they get into secure business networks by trickery: it’s not like “breaking in,” but like asking someone to let you in under false pretenses. It can be devastating if detailed network monitoring is not happening on your network, because a well-hidden attacker could stay around for a long time. This is known as an advanced persistent threat (APT), often considered the most severe kind of security breach.
So how might someone spot that the attacker isn’t really part of your IT team? In this respect, these attacks have quite a bit in common with spam and phishing emails.
What’s in a Name?
The security researchers who made the info on Black Basta public noted that the Entra ID tenant names that the attackers used often included words like “security,” “admin,” and “support” in them:
securityadminhelper.onmicrosoft[.]com
supportserviceadmin.onmicrosoft[.]com
supportadministrator.onmicrosoft[.]com
cybersecurityadmin.onmicrosoft[.]com
This could make it seem like it’s someone from your IT team’s support desk, but in the world of cloud authentication systems, these actually look quite suspicious because they’re very generic. The subdomain names here, such as securityadminhelper, sit where someone expects the name of a company’s Entra ID tenant, not a department or management role within it. In other words, as a client of Crown Computers, you would expect these messages to come from someone with Crown Computers’ business name, not from a generic name like this.
This is similar to email domains used for phishing. When you see an email that comes from “Bob Smith” in your accounting department, you don’t expect him to be emailing you from @gmail.com. If you see an address that isn’t Bob’s, you can tell fairly quickly that someone may have changed their sender name to Bob’s to try to trick you. While Bob may use a platform that does sometimes email you under his name, like sharing a file through a service, the email would be suspicious if it came from Bob’s name and a random email address.
Without getting too far into the technical aspects of email phishing security, there are still ways that an impressive spoof can beat your email filtering system. When this happens, though, looking at where the email came from (the IP address, or location on the internet that it was sent from) generally shows a security analyst that it is a fraudulent email.
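The two checks described above, a generic-looking Entra ID tenant name in a Teams chat and a display name that doesn’t match its sending domain in email, can be written down as a simple sender-review script. The following Python is an added example, not code from the original post or from Crown Computers; the trusted domains, the directory of known people, and the sample chat and email entries are all constructed for illustration.

```python
"""Review Teams chat and email senders for the two warning signs discussed above:
(1) an Entra ID tenant name built from generic words like 'security' or 'support',
(2) a familiar display name arriving from a domain that person does not use."""

# Generic words the researchers saw in the attackers' tenant names, plus close variants.
GENERIC_WORDS = ("security", "administrator", "admin", "support", "service",
                 "helper", "helpdesk", "cyber")

# Hypothetical: the tenant and mail domains your own company and your MSP really use.
TRUSTED_DOMAINS = {
    "crowncomputers-example.onmicrosoft.com",
    "crowncomputers-example.com",
}

# Hypothetical directory: lower-cased display name -> the domain that person sends from.
DIRECTORY = {
    "bob smith": "crowncomputers-example.com",
}


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address, undoing the '[.]' defanging
    convention used when quoting indicators so the comparison still works."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain.replace("[.]", ".")


def generic_words_in(tenant_label: str) -> list[str]:
    """List the generic words that appear in a tenant label such as 'securityadminhelper'."""
    return [word for word in GENERIC_WORDS if word in tenant_label]


def assess_sender(display_name: str, address: str) -> list[str]:
    """Return a list of reasons to be suspicious of this sender (empty means nothing found)."""
    reasons: list[str] = []
    domain = domain_of(address)

    # Anything from a domain we already know is fine.
    if domain in TRUSTED_DOMAINS:
        return reasons

    reasons.append(f"{domain} is not one of our known tenants or mail domains")

    # Check 1: a *.onmicrosoft.com tenant whose name is just generic IT words.
    suffix = ".onmicrosoft.com"
    if domain.endswith(suffix):
        tenant_label = domain[: -len(suffix)]
        hits = generic_words_in(tenant_label)
        if hits:
            reasons.append(f"generic Entra ID tenant name ({', '.join(hits)})")

    # Check 2: a display name we know, arriving from a domain that person does not use.
    expected = DIRECTORY.get(display_name.strip().lower())
    if expected is not None and domain != expected:
        reasons.append(f"display name {display_name!r} normally sends from {expected}, not {domain}")

    return reasons


def review(entries: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Run assess_sender over (display_name, address) pairs; keep only flagged senders."""
    flagged = {}
    for display_name, address in entries:
        reasons = assess_sender(display_name, address)
        if reasons:
            flagged[address] = reasons
    return flagged


# Constructed sample: two of the tenant names quoted above, one lookalike 'Bob', one real Bob.
SAMPLE_ENTRIES = [
    ("Help Desk", "helpdesk@securityadminhelper.onmicrosoft[.]com"),
    ("IT Support", "support@supportserviceadmin.onmicrosoft[.]com"),
    ("Bob Smith", "bob.smith.1984@gmail.com"),
    ("Bob Smith", "bob@crowncomputers-example.com"),
]

if __name__ == "__main__":
    for address, reasons in review(SAMPLE_ENTRIES).items():
        print(address)
        for reason in reasons:
            print("  -", reason)
```

Running the sample flags the two generic tenants and the Gmail “Bob” while leaving the real Bob alone. In practice the `TRUSTED_DOMAINS` and `DIRECTORY` tables would come from your tenant configuration and address book, and the entries would come from Teams audit logs or mail headers rather than a hard-coded list.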
Staying Ahead of This Attack
When there are new personnel at your MSP, you should be formally introduced to any new team members through official communications. This helps ensure that users are aware of the specific technicians who are going to be servicing them and helps eliminate any questions about suspicious requests for access to a network or workstation.
These Teams attacks should stand out because they arrive as a new chat from someone with a generic name and address. If someone you don’t recognize starts messaging you about security updates, it should look pretty suspicious. Any time you think there’s cause for concern, reach out to your IT services provider and see if they can confirm that they really did try to contact you through Teams before following any instructions given in the message. Don’t be shy about your doubts! Asking for confirmation is a good practice that shows an interest in keeping your business’ data safe.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team