Wed, Jun 23, 2021
Phishing schemes are always evolving. This past year, email thread hijacking took phishing to new depths of subterfuge as criminals hid in plain sight within existing conversations. But no matter how well cybercriminals have refined their messaging or counterfeited legitimate logos and branding, the one constant has always been their delivery method: email.
Until now. Online chat services have become a new target for cybercriminals to introduce documents loaded with malware into organizations. In Kroll’s investigative experience, the scheme plays out like this:
1. Circumventing Automated Support Systems
Actors know the limitations of online chat services, which commonly draw on a knowledge base of FAQs to answer visitor queries. The actor presents an issue not likely to be covered by the FAQs, and most importantly, one that needs to be resolved by uploading some kind of documentation, e.g., a disputed invoice or photo of damaged merchandise.
Figure 1 - Example of file upload functionality in support ticket creation
2. Create Ticket with Corrupt File Attachment
A ticket is created in the chat system, complete with a zip file attachment. (Actors usually send zip files because antivirus software does not usually detect the malware contained in compressed files.)
3. Support Agent Unsuspectingly Extracts Files
The ticket is routed to an unsuspecting user inside the organization, who opens the attachment and unleashes the malware within. In Kroll’s recent experience with this fact pattern, the malware often provides remote access, which actors use to turn the user’s computer into a beachhead for further intrusion into the victim network, with an eye on either data theft (data exfiltration) or a ransomware attack, sometimes within mere hours.
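One check an upload pipeline can run on ticket attachments before they reach an agent, shown as an added example that is not part of the original article or Kroll's tooling: it lists the members of an uploaded zip without extracting them and flags content a support desk should not receive. The extension lists and function names are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune to what your support desk legitimately receives.
RISKY_EXT = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk",
             ".bat", ".cmd", ".ps1", ".msi", ".iso", ".img", ".docm", ".xlsm"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".cab"}
DECOY_EXT = {".pdf", ".jpg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_zip(data: bytes) -> list[str]:
    """Return reasons to quarantine a ticket attachment; an empty list means no finding."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable zip: hold for manual review"]
    findings = []
    with archive:
        for info in archive.infolist():  # reads the central directory only, nothing is extracted
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags marks an encrypted entry
                findings.append(f"{info.filename}: password-protected, cannot be scanned")
            if last in RISKY_EXT:
                findings.append(f"{info.filename}: executable or script content")
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXT:
                    findings.append(f"{info.filename}: double extension disguises type")
            elif last in ARCHIVE_EXT:
                findings.append(f"{info.filename}: nested archive")
    return findings


def build_sample(names: list[str]) -> bytes:
    """Constructed sample input: a zip whose members hold harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name in names:
            z.writestr(name, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in triage_zip(build_sample(["invoice.pdf.js", "photo.jpg"])):
        print("QUARANTINE:", reason)
```

An empty result means only that none of these rules fired; the attachment should still go through the normal malware scan before an agent opens it.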
Even before the pandemic, organizations were increasingly using live chat to support employees and customers with a variety of tasks. Whether your organization already uses an online chat service or you are considering adding one, here are a few tips that can help protect your environment from chat-related threats:
Delivering superior service to prospective and existing clients, as well as employees, is an important goal for organizations of all kinds. Online live chat has emerged as one strategy for delivering a quick response to the most frequently asked questions while helping staff focus on more complex issues. But as they always do, cybercriminals have discovered the weaknesses that make this channel ripe for phishing. Organizations should be aware of the threat posed by online chat phishing and act now to close that window as soon as possible.