
Spear Phishing Against IT Help Desks is Getting More Sophisticated

Updated: May 10


Social engineering attacks against IT help desks are evolving and becoming more advanced. Learn about the current spear phishing landscape and what mitigations organizations can implement today.

IT help desks are being increasingly targeted by advanced social engineering tactics.[2]


There’s been a recent wave of attacks led by social engineering tactics such as spear phishing and impersonation that have proven more effective than prior attacks.


Notably, in September 2023 these methods of impersonation and spear phishing were used in a cyberattack against MGM Resorts International that cost the company roughly $100 million and resulted in the theft of customers' private data, including contact information and driver's license numbers.[1]


All it takes to fall prey to a social engineering attack is one moment of weakness.


Let’s dive into this current wave of attacks to discover what the current spear phishing landscape looks like, what methods these attackers have been using, and what organizations can do to mitigate the risk of these attacks.



The Current Spear Phishing Landscape

Things haven’t been the same since generative AI burst onto the scene.


Emails and texts have become more convincing, and voice cloning has called into question the age-old advice of phoning a contact to verify that an email or text really came from them.


Generative AI

Even before large language models like OpenAI’s ChatGPT were widely available, spear phishing was still a threat.


The open and accessible nature of the internet allowed threat actors to collect enough information on potential victims to create convincing texts and emails. And it still does.


But before the public release of ChatGPT in late 2022, these emails and texts were typically riddled with typos, grammatical errors, and other syntax mistakes that anyone not rattled by the message's urgency could easily recognize as a phishing attempt.


Nowadays, attackers can feed information about a potential victim into a generative AI tool and get back emails and texts that are not only personalized but far more convincing, even to a careful reader.


The urgent, typo-ridden message used to serve as a filter: anyone who responded despite the obvious errors was likely to fall for the rest of the scam.


Now, with generative AI, the net that threat actors can cast is far wider.


AI Voice Cloning

Voice synthesis and text-to-speech services are not new to spear phishing and voice phishing (vishing) campaigns, but voice cloning has made it far more believable that the voice on the other end of the line is a real person.


The potential pitfalls and dangers of voice cloning closely parallel those of generative AI. Services like ElevenLabs, Speechify, and Vocloner offer anyone the opportunity to clone a voice and have it say whatever they want.


The risks of these services for targeted phishing are obvious. You are far less skeptical of your boss phoning you and asking you to transfer funds than of a text or email claiming to be from them and asking the same thing.


But in an age where artificial intelligence is carving out as much space in our society as it can, you should be equally skeptical of such requests no matter which channel they arrive through.


How the Landscape Has Evolved

Short of talking to someone face-to-face, there is no longer a surefire way to verify these highly sensitive requests.


For requests such as resetting multifactor authentication (MFA) or routing payments to a new bank account, many organizations have started instituting procedures under which these requests must be made, and can only be made, in person.



Spear Phishing Tactics, Techniques, and Procedures We’ve Seen So Far

While no two attacks are exactly alike, there is a common thread in the tactics we have seen so far as threat actors target IT help desks.


Before the help desk ever receives a call or email, the threat actors are already armed with the personal information of an employee that will be needed to verify the request. This information was likely gathered from multiple sources, including previous data breaches and professional networking sites.[2]


The information threat actors are equipped with includes the last four digits of the employee’s social security number (SSN) and their corporate ID number.


Now, the attack commences.


Using a phone number local to the organization's area, the threat actors call the IT help desk and claim to be that employee, who is typically in a financial or administrative role. They say their phone is broken and that they cannot receive the MFA codes generated by their authenticator app.


Through smooth talking and presenting the employee's valid information, the threat actors get the help desk to enroll their own device for MFA, which gives them access to the employee's accounts and sensitive company resources.


Once in, the threat actors head straight for payer website login information and submit the forms required to change ACH details for payer accounts.


After getting into the employee's email account, they send requests to payment processors to divert payments to their own U.S. bank accounts. Eventually, this money makes its way overseas.[2]


Threat actors have also registered new domains that differ from the targeted organization's domain by a single character, then used them to impersonate the organization's Chief Financial Officer (CFO).
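As an added example (not code from the original post or from HC3), the following PowerShell flags sender domains that are a one-character variant of the organization's own domain, the lookalike pattern described above. It uses plain Levenshtein edit distance and needs no modules; the organization domain and the list of sender addresses are constructed sample input, and the function names are my own.

```powershell
# Added example: detect lookalike sender domains within one edit of the
# organization's domain. Sample data below is constructed, not from a real log.

function Get-EditDistance {
    # Levenshtein distance between two strings, compared case-insensitively.
    param([string]$Source, [string]$Target)
    $s = $Source.ToLowerInvariant()
    $t = $Target.ToLowerInvariant()
    $prev = [int[]](0..$t.Length)
    for ($i = 1; $i -le $s.Length; $i++) {
        $curr = New-Object int[] ($t.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $t.Length; $j++) {
            $cost = if ($s[$i - 1] -eq $t[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min(
                [Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1),
                $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$t.Length]
}

function Find-LookalikeSenders {
    # Emits one object per sender whose domain is within $MaxDistance edits of
    # $OrgDomain but is not $OrgDomain itself. Exact matches and unrelated
    # domains are skipped.
    param(
        [string]$OrgDomain,
        [string[]]$SenderAddresses,
        [int]$MaxDistance = 1
    )
    $org = $OrgDomain.ToLowerInvariant()
    foreach ($addr in $SenderAddresses) {
        if ($addr -notmatch '@') { continue }
        $domain = ($addr -split '@')[-1].Trim().ToLowerInvariant()
        if ($domain -eq $org) { continue }
        $d = Get-EditDistance -Source $domain -Target $org
        if ($d -le $MaxDistance) {
            [PSCustomObject]@{ Sender = $addr; Domain = $domain; Distance = $d }
        }
    }
}

# Constructed sample "From:" addresses, as they might be pulled from a mail log.
$orgDomain = 'examplehealth.com'
$senders = @(
    'cfo@examplehealth.com',     # the real domain
    'cfo@examp1ehealth.com',     # letter 'l' substituted with digit '1'
    'cfo@examplehealth.co',      # final character dropped
    'cfo@exampleheatlh.com',     # two adjacent letters transposed
    'billing@gmail.com'          # unrelated domain
)

Find-LookalikeSenders -OrgDomain $orgDomain -SenderAddresses $senders |
    Format-Table -AutoSize
```

Plain Levenshtein counts a transposition of two adjacent letters, or "rn" standing in for "m", as two edits, so those variants pass through at the default threshold of 1. Raise `-MaxDistance` (at the cost of more false positives) or add a homoglyph substitution table if those tricks are a concern for your domain.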



Mitigations That Organizations Can Take Today

Strong policies (and adherence to those policies) are the most effective mitigators.


As an example, one mitigation worth considering is a mandatory callback to the phone number on record for any employee requesting a password reset or the enrollment of a new device. A strong warning sign is the caller claiming to be too busy to take that callback; a legitimate employee who is locked out has every reason to accept it.


Continuous monitoring for ACH changes, especially unexpected ones, is paramount, as is periodically revalidating which users hold access to payer websites.


As mentioned before, some organizations also enforce policies where any IT requests must be made in-person to verify their authenticity.


Policies can also be put in place where, every time one of these IT requests is made, the supervisor of that employee must be contacted to verify the request.


And, of course, user training can be conducted across the organization to teach employees and staff how to identify social engineering techniques and how to report attempted spear phishing.


Strengthen Microsoft Entra ID[2]

If your organization uses Microsoft Entra ID (formerly Azure AD), there are steps you can take today to mitigate the spear phishing tactics described above:

  • Harden Microsoft Authenticator with number matching and remove SMS as an MFA verification option.

    • To ensure MFA can only use Authenticator's number matching, confirm that your tenant's Authentication methods policy migration status is at least Migration in Progress before configuring the method; until then, legacy per-user MFA settings still apply.

    • Remove SMS as an MFA verification option by clearing the Text message to phone checkbox in the multifactor authentication service settings window.

  • Require number matching for push notifications (Microsoft has enforced this for all tenants since May 2023, but verify it in your own tenant).

  • Create a custom authentication strength that allows only Password + Microsoft Authenticator (Push Notification).

    • Create a new Conditional Access policy, or edit an existing one, that grants access only when that authentication strength is satisfied.

  • Secure MFA and self-service password reset (SSPR) registration by requiring users to register security information from a trusted network location.

  • Block external access to administrative features with a Conditional Access policy that allows access only from a trusted network location.
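The same configuration, expressed with the Microsoft Graph PowerShell SDK rather than the portal, as an added example (not code from the original post, HC3, or Microsoft). It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds the Authentication Policy Administrator and Conditional Access Administrator roles. The policy names and the `New-ReportOnlyCAPolicy` helper are my own, and `$breakGlassId` is a hypothetical placeholder for the object ID of your emergency-access account.

```powershell
# Added example: Entra ID hardening via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the signed-in
# account has the required admin roles; $breakGlassId is a placeholder you
# must replace with your emergency-access account's object ID.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes @('Policy.ReadWrite.AuthenticationMethod',
                          'Policy.ReadWrite.ConditionalAccess',
                          'Application.Read.All')

$breakGlassId = '<object-id-of-emergency-access-account>'   # placeholder

# 1. Move the tenant to the modern Authentication methods policy. Until the
#    migration state is at least migrationInProgress, the legacy per-user MFA
#    settings (including "Text message to phone") still apply.
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{
    policyMigrationState = 'migrationInProgress'
}

# 2. Disable SMS as an authentication method tenant-wide.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Sms' `
    -BodyParameter @{
        '@odata.type' = '#microsoft.graph.smsAuthenticationMethodConfiguration'
        state         = 'disabled'
    }

# 3. Custom authentication strength allowing only Password + Authenticator push.
#    Number matching has been enforced by Microsoft for all Authenticator push
#    prompts since May 2023, so no separate setting is needed for it here.
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = 'Password + Authenticator push only'
    description         = 'Excludes SMS, voice and software OATH codes'
    allowedCombinations = @('password,microsoftAuthenticatorPush')
}

# Helper (my own): every policy below starts in report-only mode so sign-in
# logs can be reviewed before enforcement, and excludes the break-glass account.
function New-ReportOnlyCAPolicy {
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    $Conditions['users'] = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
    $Conditions['clientAppTypes'] = @('all')
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# 4. Require the custom strength for all cloud apps.
New-ReportOnlyCAPolicy -Name 'Require Authenticator push strength' `
    -Conditions @{ applications = @{ includeApplications = @('All') } } `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }

# 5. Block MFA/SSPR security-info registration from outside trusted locations.
New-ReportOnlyCAPolicy -Name 'Block security info registration off-network' `
    -Conditions @{
        applications = @{ includeUserActions = @('urn:user:registersecurityinfo') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    } `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }

# 6. Block the Microsoft admin portals from outside trusted locations.
New-ReportOnlyCAPolicy -Name 'Block admin portals off-network' `
    -Conditions @{
        applications = @{ includeApplications = @('MicrosoftAdminPortals') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    } `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }
```

Steps 5 and 6 depend on at least one named location being marked as trusted in Entra ID; with none defined, `AllTrusted` matches nothing and the policies would block everyone, which is exactly why they are created in report-only mode first. Review the sign-in logs for the report-only results, then switch `state` to `enabled`.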



Final Thoughts

The recent advancements in AI have given threat actors tools they could only have dreamed of, making their phone calls, emails, and text messages appear more legitimate than ever.


But with the knowledge of these tools and tactics coupled with diligence, training, and risk mitigation, not all hope is lost for employees and their organizations.


Many of the telltale signs of spear phishing are still present, and calm due diligence will always be the best mitigator.



References

  1. “Casino giant MGM expects $100 million hit from hack th…” CNN. 5 October 2023

  2. “Social Engineering Attacks Targeting IT Help Desks in the He…” HC3. 3 April 2024



