Microsoft Warns of Phone-Based Social Engineering Attacks
Using social engineering rather than traditional ransomware tactics, the Lapsus$ group has already hit multiple organizations, says Microsoft.
A relatively new cybercriminal group has quickly gained an infamous reputation for its unique tactics and successful attacks against several major organizations. Known as Lapsus$, the gang uses social engineering to target its victims and has reportedly hit such companies as Samsung, Okta, NVIDIA and Microsoft. In a blog post published Tuesday, Microsoft provides insight into the group’s tactics and techniques and offers tips on how to protect your organization from these attacks.
Lapsus$, also dubbed DEV-0537 by Microsoft, uses an extortion and destruction model of attack without relying on the typical ransomware payloads. To take advantage of potential victims, the group employs several types of social engineering schemes.
Tactics of Lapsus$
As one tactic, Lapsus$ uses phone-based social engineering via SIM-swapping to compromise a victim’s phone. With SIM-swapping, a criminal convinces or even pays off an employee at a mobile carrier to change the victim’s phone number to a SIM card owned by the attacker. Any multi-factor authentication requests are then directed to the criminal’s phone via a call or text, allowing them to take over the victim’s account.
As another tactic, Lapsus$ will compromise someone’s personal or private accounts as a way to gain access to their work-related accounts. An employee will often use their personal accounts or phone number as a method for password recovery or for MFA, opening the door for a criminal to reset a password or take over an account.
In some cases, members of the gang will call an organization’s help desk and try to persuade the support representative to reset the credentials for a privileged account. To appear more convincing, the group uses any information previously gathered about the account and has an English-speaking person talk to the help desk rep.
In yet another tactic, Lapsus$ seeks out employees and business partners willing to provide access to account credentials and MFA details for payment. Microsoft’s blog includes an example of a Lapsus$ advertisement looking for employees at call centers, mobile carriers and large corporations willing to share VPN or Citrix access to a network for money…
The attacks used fake order receipts and phone numbers in an attempt to steal credit card details from unsuspecting victims, says Armorblox.
A standard phishing campaign uses email to try to trick people into divulging confidential information. But attackers are increasingly employing a variant of that ploy known as vishing, short for voice phishing. In a vishing attack, the scammer still impersonates someone from a trusted company but uses a phone call as the weapon of choice.
In some cases, the attacker calls or leaves a voicemail message for the intended victim. In other cases, the criminal sends an email with a contact phone number urging the recipient to call that number. Whatever method is used, the attacker relies on savvy social engineering tactics to convince the person to provide financial or account information during the phone call.
In a report published Thursday, cybersecurity firm Armorblox looked at two recent vishing campaigns that spoofed Amazon as a way to capture credit card details.
First campaign
In the first campaign, an email sent from a Gmail account used the subject line of “Invoice:ID” followed by a long and seemingly legitimate invoice number. The message spoofed the look and layout of an actual Amazon email and referenced an LG OLED TV and XBOX console allegedly bought by the recipient.
The real threat in the email was a “Contact Us” phone number in the body of the message. When researchers from Armorblox called this number, a real person answered the call, pretending to be from Amazon. That person asked for an order number, name and credit card details before catching on to the researchers and hanging up.
Second campaign
In the second campaign, an email was sent using an address of no-reply@amzeinfo.com, which at first glance looks like an actual Amazon address. Titled “A shipment with goods is being delivered,” the message carried a random order number to seem more legitimate.
As with the first email, this one included a phone number, asking people to call if they wanted to return the items in question. In this case, Armorblox researchers who called the number initially ran into an endless ringtone and eventually no answer, indicating that the number had been taken down. However, the attackers could easily set up another number to restart the campaign.
Both emails received a Spam Confidence Level (SCL) of ‘1’ from Microsoft’s Exchange Online Protection (EOP), which meant the messages were not considered spam and were sent to the inboxes of the intended recipients.
How to protect yourself
To help your organization fend off vishing attacks and other threats, Armorblox serves up four pieces of advice.
- Supplement your native email security with additional protection. Both emails cited in the report got through after Microsoft’s EOP determined that they were not spam. To avoid that type of situation, add more layers to augment your native security, especially ones that use a different approach to detect threats. Armorblox recommends Gartner’s Market Guide for Email Security as a helpful starting point to evaluate different products.
- Look out for social engineering cues. Rather than accept an email at face value, scrutinize it in a more methodical way. Inspect the email’s sender name, sender email address and language. Look for any clear inconsistencies within the message that trigger such questions as “Why is Amazon sending an email to my work account?” or “Why are the call-to-action buttons in the email not working?”
- Avoid sharing sensitive information over the phone. Beware of anyone who asks for personal or sensitive details via a phone call. If you think the call may be a vishing attempt, simply hang up. If you feel you need to call back, don’t contact the person through any phone number listed in the message. Instead, run a search for a publicly available number for the company.
- Follow best practices for multifactor authentication (MFA) and password management. Vishing attacks often try to snag your account credentials as well as your financial information. Protect the user accounts in your organization through the following methods: 1) Implement MFA on all accounts and for all sites. 2) Don’t use the same password across multiple accounts. 3) Use a password manager to store your passwords. 4) Avoid using passwords that reference publicly available details such as your date of birth or anniversary date. 5) Don’t use generic passwords such as “password,” “123456” or “qwerty.”
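The cues listed above (a brand named in the sender name or subject that does not match the sender's domain, a brand mail coming from a free webmail account, and a body that urges the reader to call a phone number) can be turned into a simple triage check that runs alongside the native filter. The script below is an added example, not code from Armorblox, Microsoft or this article; it applies those checks to two constructed messages modelled on the two campaigns described above and to one constructed legitimate message. The brand domain list, the free-webmail list, the phone-number regex and all three sample messages are assumptions of the example. `X-MS-Exchange-Organization-SCL` is the header in which Exchange Online Protection records the Spam Confidence Level; the script reports when a message carries a low SCL (EOP delivers SCL 0 and 1 to the inbox) even though the social engineering cues fired, which is the gap the first recommendation is about.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: domains that legitimately send mail for each brand (maintain per brand).
LEGIT_BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}
# Assumption: free webmail domains a large retailer would not send receipts from.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# North American phone number with mandatory separators; the lookarounds stop
# long order/invoice numbers such as 408-5512734-9921157 from matching.
PHONE_RE = re.compile(r"(?<![\d-])(?:\+?1[\s.-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}(?![\d-])")
# "call us", "contact support", "call now" ... within a short window.
CALL_CUE_RE = re.compile(r"\b(call|contact)\b.{0,40}?\b(us|support|now|immediately)\b", re.I | re.S)


def body_text(msg: Message) -> str:
    """Return the text/plain content of a parsed message (all parts if multipart)."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    chunks = []
    for p in parts:
        raw = p.get_payload(decode=True) or b""
        chunks.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str, brand: str = "amazon") -> dict:
    """Apply the vishing cues to one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = body_text(msg)
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    findings = []

    mentions_brand = brand in (display_name + " " + subject + " " + body).lower()
    legit = any(domain == d or domain.endswith("." + d) for d in LEGIT_BRAND_DOMAINS[brand])
    if mentions_brand and not legit:
        findings.append(f"claims to be {brand} but sender domain {domain!r} is not a known {brand} domain")
    if mentions_brand and domain in FREE_WEBMAIL:
        findings.append(f"brand mail sent from free webmail domain {domain!r}")
    phones = PHONE_RE.findall(body)
    if phones and CALL_CUE_RE.search(body):
        findings.append(f"body urges the reader to call {phones}")
    # A low SCL alone is not a clean bill of health: note when the native filter
    # would have delivered a message that still trips the social engineering cues.
    if scl is not None and int(scl) <= 1 and findings:
        findings.append(f"EOP SCL={scl} (not spam) despite the cues above; native filtering alone delivers it")
    return {"sender_domain": domain, "phones": phones, "scl": scl, "findings": findings}


# Constructed samples (not the real campaign messages). Phone numbers use the 555-01xx range.
SAMPLE_GMAIL_INVOICE = """\
From: "Amazon Billing" <amazon.billing.dept@gmail.com>
Subject: Invoice:ID 114-2947113-7726653
X-MS-Exchange-Organization-SCL: 1

Thank you for shopping with Amazon. Your order of an LG OLED TV and XBOX console has been charged.
If you did not place this order, contact us now at (800) 555-0142.
"""

SAMPLE_LOOKALIKE = """\
From: no-reply@amzeinfo.com
Subject: A shipment with goods is being delivered
X-MS-Exchange-Organization-SCL: 1

Order #: 408-5512734-9921157
Your Amazon package is on its way. If you wish to return the items, call us at 1-800-555-0199.
"""

SAMPLE_LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
Subject: Your Amazon.com order has shipped
X-MS-Exchange-Organization-SCL: 1

Your package is on the way. Track it from Your Orders on the website.
"""

if __name__ == "__main__":
    for name, sample in [("gmail", SAMPLE_GMAIL_INVOICE), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        result = analyze(sample)
        print(name, result["sender_domain"], result["phones"])
        for f in result["findings"]:
            print("  -", f)
```

The checks are deliberately narrow: a brand mentioned anywhere in the message plus a sender domain outside the brand's known list is a strong, cheap signal, and pairing a phone number with a "call us" cue catches the payload of a vishing email without needing the attacker's infrastructure to be known. Numbers flagged this way should be compared against a publicly listed support number for the company, never dialled from the message itself.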
January 10, 2017
Telephony DoS (TDoS) will become more sophisticated. These attacks, which cut off communications in a crisis, “could impede first responders’ situational awareness, exacerbate suffering and pain, and potentially increase loss of life,” the press release stated…