Does Your Help Desk Know Who's Calling?

Mar 09, 2023
The Hacker News
Password Security / Enterprise Security
Phishing, the theft of users' credentials or sensitive data using social engineering, has been a significant threat since the early days of the internet and continues to plague organizations today, accounting for more than 30% of all known breaches. And with the mass migration to remote working during the pandemic, hackers have ramped up their efforts to steal login credentials as they take advantage of the chaos and lack of in-person user verification.

This has led to the revival of the old-school technique of vishing, which, like phishing online, involves using social engineering over the phone to steal sensitive information. Vishing attacks have been on the rise as a result, with 69% of companies experiencing them in 2021, up from 54% in 2020. These attacks often take the form of job or tech support scams and can be incredibly convincing. In August 2020, the FBI, along with CISA, issued a warning regarding remote users being targeted by attackers spoofing organizations' business numbers and impersonating the IT service desk.

Vishing bypassing 2FA

One of the most concerning aspects of vishing is the attackers' ability to bypass two-factor authentication (2FA) security measures. 2FA is a popular form of multi-factor authentication that requires users to provide two types of information: a password and a one-time code sent via SMS.

Attackers achieve this by impersonating a support representative and requesting the victim's 2FA code over the phone. If the victim provides the code, the attacker can gain full access to their account, potentially leading to financial or personal information being compromised.

Attackers impersonating help desk support

A common instance is when individuals receive a pop-up alert claiming that their device has been breached or infected with malware and that professional phone support is required to fix the problem. Alternatively, victims may receive a call from an alleged tech support representative from a reputable software provider, claiming that malware has been detected on their machine. The attacker will try to convince the user to download remote access software under the pretext of being a corporate IT help desk representative. This is the final phase of the scam, after which it's checkmate for the unsuspecting victims and a potential payday for the attackers.

Impersonating the help desk is clearly working for attackers: in July 2020, Twitter experienced a major security breach when hackers used a vishing scam to successfully access dozens of high-profile accounts, including those of Barack Obama, Joe Biden, Jeff Bezos, and Elon Musk. The attackers used these accounts to tweet a bitcoin scam, resulting in the swift theft of over $100,000. Unlike traditional scams, these attacks target carefully selected individuals by gathering extensive information about them from social media and other public sources. This information is then used to identify employees who are most likely to cooperate and have access to the desired resources, at which point attackers are primed and ready to wreak havoc.

A twist as attackers call the help desk & impersonate end-users

Social engineering attacks are carefully fabricated with collected data and can be used to impersonate an end-user on a call to the help desk. An experienced attacker can easily acquire answers to security questions from various sources, especially since end-users put too much personal information on social media and the web.


Microsoft said that LAPSUS$, a known threat group, calls a targeted organization's help desk and attempts to convince support personnel to reset a privileged account's credentials. The group would use previously gathered information and have an English-speaking caller speak with the help desk. They would be able to answer common recovery prompts such as "first street you lived on" or "mother's maiden name" from the data collected, convincing help desk personnel of their authenticity.

In another attempt to reach the help desk, Slack was used. Electronic Arts had 780GB of source code downloaded by hackers presumed to also be LAPSUS$. The threat actors used the authentication cookies to impersonate an already-logged-in employee's account and access EA's Slack channel, then convinced an IT support employee to grant them access to the company's internal network.

How can your Help Desk know who's really calling?

Verifying user identity in the vishing age is more important than ever. With the rise of cyber-attacks and social engineering, it's crucial for organizations to have security measures in place to safeguard their employees, protect their sensitive information, and prevent unauthorized access.

One effective way to safeguard against these types of attacks is to implement a secure service desk solution, which allows for the verification of user accounts with existing data beyond just knowledge-based authentication. This can be achieved by sending a one-time code to the mobile number associated with the user's account or using existing authentication services to verify callers.

Enforcing user authentication is another key aspect of Specops Secure Service Desk. This ensures that information and password resets are only offered to authorized users, which is essential for protecting high-security accounts and adhering to regulatory requirements. With a Secure Service Desk, you can remove the opportunity for user impersonation by requiring verification with something the user has, and not just relying on something the user (or an attacker) may know.

In addition to verifying and enforcing user authentication, a secure service desk also allows for the secure reset or unlocking of user accounts. This is done only after the user has been successfully verified and can be combined with a self-service password reset tool to assist with account unlocks and the password reset process.
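
The three steps just described (verify the caller with something they have, enforce that verification, and only then reset or unlock) can be made concrete in code. The following is an added example written for this page; it is not Specops code and not taken from the article. It assumes an in-memory account directory, a stub SMS gateway that records messages instead of sending them, and hypothetical names (SecureHelpDesk, StubSmsGateway, the "alice" account). The point it demonstrates is that the one-time code always goes to the mobile number already on file, never to a number the caller supplies, and that knowledge-based answers are not an input anywhere in the flow.

```python
"""Possession-based caller verification before a help desk reset or unlock.

Added example, not Specops code and not from the article. It models the steps
the preceding paragraphs describe: verify the caller with a one-time code sent
to the mobile number already on file, enforce that verification before any
account action, then reset or unlock. Names here are hypothetical.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # a code that outlives the call is a liability
MAX_ATTEMPTS = 3        # stops an attacker guessing a six-digit code

@dataclass
class Account:
    username: str
    registered_mobile: str  # captured at onboarding, never taken from the caller
    locked: bool = False

@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    verified: bool = False

class StubSmsGateway:
    """Constructed stand-in for an SMS provider: records instead of sending."""
    def __init__(self):
        self.sent = []  # (number, text) pairs

    def send(self, number, text):
        self.sent.append((number, text))

class SecureHelpDesk:
    def __init__(self, directory, sms, clock=time.time):
        self.directory = directory  # username -> Account (in-memory stand-in)
        self.sms = sms
        self.clock = clock          # injectable so expiry is testable
        self.challenges = {}        # username -> Challenge
        self.audit = []             # (event, username) for later review

    def start_verification(self, username):
        # Step 1: send a code to the number ON FILE. The agent cannot supply a
        # number, which closes the "I got a new phone, send it here" pretext.
        # Security-question answers are not an input anywhere in this class.
        account = self.directory.get(username)
        if account is None:
            self.audit.append(("unknown_user", username))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = Challenge(code, self.clock())
        self.sms.send(account.registered_mobile, f"Help desk verification code: {code}")
        self.audit.append(("challenge_sent", username))
        return True

    def verify_code(self, username, code_from_caller):
        # Step 2: the agent types in the code the caller reads back.
        ch = self.challenges.get(username)
        if ch is None or ch.verified:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[username]
            self.audit.append(("challenge_expired", username))
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), code_from_caller.strip().encode()):
            ch.verified = True
            self.audit.append(("verified", username))
            return True
        self.audit.append(("code_mismatch", username))
        return False

    def _consume_verification(self, username):
        # One successful verification authorises exactly one account action.
        ch = self.challenges.get(username)
        if ch is None or not ch.verified:
            self.audit.append(("action_denied", username))
            return False
        del self.challenges[username]
        return True

    def unlock_account(self, username):
        # Step 3a: unlock, only for a verified caller.
        if not self._consume_verification(username):
            return False
        self.directory[username].locked = False
        self.audit.append(("unlocked", username))
        return True

    def reset_password(self, username):
        # Step 3b: temporary password for a verified caller, None otherwise.
        if not self._consume_verification(username):
            return None
        self.audit.append(("password_reset", username))
        return secrets.token_urlsafe(12)  # real system: force a change at next logon
```

Three design choices carry the security value: the destination number is read from the directory rather than from the call, so an attacker who knows the victim's security answers gains nothing; the code is short-lived, attempt-limited and compared in constant time; and every outcome, including denied actions, is appended to an audit list so a defender can spot repeated failed verifications against the same account.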

With vishing scams showing no signs of slowing down, investing in the Specops Secure Service Desk solution could be a critical step for organizations looking to protect their people from even the subtlest of social engineering attempts. By instilling a comprehensive and effective way to verify user identity, enforce user authentication, and reset or unlock user accounts, would-be victims can rest assured that they'll always know who's really calling.
