Account takeovers: Insiders need not be malicious to cause chaos

With 2020 coming to a close, SC Media is delivering through a series of articles our picks of the most high impact events and trends of the last year, which we predict will factor into community strategies in 2021 and beyond. This is the first in that series.

There’s a term that’s used to describe a naïve person who is unknowingly manipulated into furthering another party’s nefarious agenda: a “useful idiot.” It often refers to the unwitting targets of Russian or Soviet intelligence, but it could just as easily apply to an employee who is socially engineered into granting hackers unauthorized access to systems and information.

In the cyber world, just about anyone can be turned into a useful idiot. Indeed, prominent account takeover (ATO) incidents at Twitter and GoDaddy this past year reminded us that insiders within your organization don’t have to be malicious to be a threat. Rather, they can be innocent pawns, fooled by phishing and vishing scammers whose clever ruses are difficult to detect.

Despite having no ill intent, these employees can set off a cascade of online account compromises, resulting in potential scams, defacements and disinformation affecting large numbers of users. The damage can be significant, which is why experts say organizations must go beyond simple credentials and basic identity verification checks, and graduate to concepts such as defense in depth in order to ensure that account holders are properly protected.

Last July, a group of conspirators – who have since been identified and charged – called multiple Twitter employees and falsely represented themselves as the company’s IT department. Under the false pretense of fixing a VPN issue, they persuaded the employees to enter their credentials into a website that looked identical to the real VPN login site. With these credentials, the hackers were able to hijack the verified Twitter accounts of prominent individuals and companies – including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Apple, Uber and others – and post a message promoting a cryptocurrency scam.

Similar vishing (voice-based phishing) tactics were at play in the GoDaddy ATO attack just a few months later in November. Scammers reportedly called up the internet domain registrar’s support team posing as representatives of legitimate cryptocurrency platforms, and then tricked employees into changing account information so that email and web traffic intended for these platforms would instead be directed to attacker-controlled domains.

A third notable incident took place last August and involved the social media player Reddit. In this case, the scammers didn’t even have to resort to vishing; instead, they were able to compromise weak credentials belonging to certain Reddit employees’ accounts and then overtook them in order to deface various subreddits with pro-Trump messaging. The credentials proved vulnerable because employees failed to protect them with two-factor authentication.

The bottom line: “You can’t automate the human out of customer service,” said Allison Nixon, chief research officer at Unit 221b. “[Customer service] reps have a lot of pressures that disempower them from making the right call in the name of security. The attackers know the internal lingo and how the business works, and they will threaten reps too, exploiting their lack of job security and low pay.”

Impersonating a customer or IT department is just one method of social engineering: “Bribery is also a big problem,” Nixon added. And “as opportunities for bribery and trickery dry up, we will see more use of coercion and even force against employees. This sounds like exaggeration, but all of these things have already happened.”

Nixon said there is “no quick fix” for stopping attackers from turning employees into unwitting agents who act on their behalf. “This is a structural problem requiring investment in things that companies only want to cut costs on.”

Still, there are ways companies can reduce the risk, namely through a robust data security strategy, as opposed to relying “solely on the defenses at the endpoint or perimeter,” said Terry Ray, senior vice president and fellow at Imperva.

“Databases, cloud environments, APIs and applications are among the most vulnerable endpoints, and yet organizations accelerate transformation projects in these categories without considering the potential security risk,” Ray continued. “Many organizations worry that taking time to secure data might slow down their innovation projects. That mindset is indefensible: to truly protect the organization’s sensitive data, you have to start with securing the data itself.”

Taking a defense-in-depth approach is one way to secure data and the systems on which it resides.

“The most effective programs will have a multi-layered approach to fraud risk mitigation,” said Bryan Jardin, director of product management at Appgate. “Staying proactive, uncovering potential vulnerabilities within your processes, and looking for ‘chatter’ are very important steps in understanding if you are going to be a target soon or in the near future.”

Indeed, Corey Nachreiner, chief technology officer at WatchGuard Technologies, said a multi-layered security approach can potentially prevent the type of ATO attacks suffered by GoDaddy and Twitter. “Something as simple as identifying the origin of the authentication event could have flagged it [the malicious takeover attempts] as suspicious,” he said, “while strong multi-factor authentication on employee accounts, paired with phishing training, would have stopped the compromise dead in its tracks.”
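The origin check Nachreiner describes is easy to picture as a detection rule. The following is an added example, not code from the article or from any of the vendors quoted in it: it parses a constructed VPN/SSO login log, compares each successful login against a constructed per-employee baseline of known countries and network ASNs, and flags logins from an unfamiliar origin or without MFA for analyst review. The log format, field names, the `BASELINE` table and the sample lines are all assumptions made for this example.

```python
"""
Added example (not from the SC Media article): flag successful employee
logins whose origin does not match the employee's known baseline, the kind
of "where did this authentication come from" check described above.
The log format, field names and baseline data are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed log format (assumption, not a real product's format):
#   <ts> user=<id> src=<ip> country=<CC> asn=<n> mfa=<yes|no> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>[A-Z]{2}) "
    r"asn=(?P<asn>\d+) mfa=(?P<mfa>yes|no) result=(?P<result>ok|fail)$"
)


@dataclass
class AuthEvent:
    ts: str
    user: str
    src: str
    country: str
    asn: int
    mfa: bool
    success: bool


def parse_event(line: str) -> AuthEvent:
    """Parse one log line of the constructed format into an AuthEvent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    return AuthEvent(m["ts"], m["user"], m["src"], m["country"], int(m["asn"]),
                     m["mfa"] == "yes", m["result"] == "ok")


# Constructed per-employee baseline: countries and ASNs seen during a learning window.
BASELINE = {
    "alice": {"countries": {"US"}, "asns": {7922}},
    "bob":   {"countries": {"US", "CA"}, "asns": {7922, 812}},
}


def review_event(ev: AuthEvent, baseline=BASELINE) -> list[str]:
    """Return the reasons a successful login deserves analyst attention (empty if none)."""
    if not ev.success:
        return []  # failed attempts belong to lockout / rate-limit logic, not this check
    reasons: list[str] = []
    known = baseline.get(ev.user)
    if known is None:
        reasons.append("no baseline for user")
    else:
        if ev.country not in known["countries"]:
            reasons.append(f"new country {ev.country}")
        if ev.asn not in known["asns"]:
            reasons.append(f"new ASN {ev.asn}")
    if not ev.mfa:
        reasons.append("login without MFA")
    return reasons


def flag_suspicious(lines, baseline=BASELINE) -> dict[str, list[str]]:
    """Map 'user@ts' -> reasons for every successful login that trips at least one check."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = review_event(ev, baseline)
        if reasons:
            flagged[f"{ev.user}@{ev.ts}"] = reasons
    return flagged


# Constructed sample: alice's usual login, then a successful login on the same
# account minutes later from an unfamiliar country and network with no MFA.
SAMPLE_LOG = [
    "2020-07-15T14:02:11Z user=alice src=203.0.113.5 country=US asn=7922 mfa=yes result=ok",
    "2020-07-15T14:09:40Z user=alice src=198.51.100.77 country=GB asn=64500 mfa=no result=ok",
    "2020-07-15T14:11:02Z user=bob src=192.0.2.9 country=CA asn=812 mfa=yes result=ok",
    "2020-07-15T14:12:30Z user=mallory src=192.0.2.44 country=US asn=7922 mfa=yes result=fail",
]

if __name__ == "__main__":
    for key, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

The rule only raises a review item; whether a flagged login is blocked, step-up authenticated, or routed to a help-desk callback is a policy decision for the organisation. A real deployment would also need the baseline to be learned and aged from actual history rather than hard-coded, and the "new country" test tuned for employees who travel.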

One of the key takeaways to come out of phishing and vishing training should be a heightened sense of vigilance, Nachreiner continued.

“One of the best pieces of guidance for all forms of phishing, regardless of the communication channel, is to treat everything with suspicion,” he said. “This doesn’t mean you have to hyper-analyze every single message or phone call, but if the other party is asking you to do something with a high degree of risk like change a password or verify personal information, you should absolutely assume it is fake until proven otherwise.”

This may mean instructing employees and customer service reps to verify a caller by using a second form of communication to confirm identity. “If you receive a suspicious request over email, pick up the phone and call the individual,” said Nachreiner. “If the request comes via phone call, contact the official number listed on the organization’s website for verification. These minor inconveniences and the extra time involved will be the difference between suffering a breach or preventing one.”

Ray added some pointers of his own: For starters, don’t answer calls from phone numbers that look strange or have unfamiliar zip codes. Let the caller leave a message instead.

Also, “no legitimate service will ask for login information over the phone. Never respond to these requests. Instead, contact the service through a trusted customer support line to verify the request is real,” said Ray. Likewise, unsolicited phone calls asking you to change your credentials or account settings should be ignored, he added.

Jardin said that when contacted by a purported customer, customer reps should “focus on the potential abuse of the interaction, what is being asked of you as the representative, and the potential impact to the user’s account. Multiple layers of identity verification are necessary.”

“The same is true with email correspondence. Your ability to mitigate and identify potential fraud within the environment should dictate what can and cannot be performed via the phone, email, or web. If you have strong web controls, redirect the customer to do it themselves online. If you have poor email controls, do not allow email correspondence to ask for account changes, etc.” In other words: “Direct them to where you do have controls to avoid the potential of bypassing them.”

Of course, strong defenses won’t stop every attack, so it’s also important to be prepared to respond nimbly to a successful account takeover.

“I recommend focusing on your response strategy,” said Jardin. “It’s important to have a fraud playbook that is agile and not bogged down in bureaucracy. Organizations must be empowered to respond rapidly and deploy countermeasures. The focus shifts to detection and response rather than obsessing about prevention.”

Still, training employees to follow the above practices and conduct themselves with the utmost caution won’t necessarily be effective unless they are truly motivated to be part of the solution, Nachreiner added. “This is why it’s important to go beyond user education and training to convince them to really buy in and commit to security. Every organization should focus on re-molding users from weak links into a wrought iron fence for cybersecurity,” he said.

That same buy-in must extend to corporate management as well. That’s why Nixon believes that a more “sustainable solution” for ensuring against account takeovers and breaches is to “focus on outcomes and incentives” when devising a security plan.

One way to do that: update laws and policies that demand some form of restitution if an account is hacked. “Reimburse the victims,” Nixon explained. “Like how banks are incentivized to maintain a level of security, because they have to reimburse victims of hacking, so it keeps bank fraud from spiraling out of control.”

“In the absence of updated laws, the most likely source of incentive is if these victims start winning their civil lawsuits,” Nixon continued. “Outside of that, I don’t think companies have a financial reason to change and we can look forward to all of this getting much worse.”
