In large companies, as a rule the average employee isn’t often asked for an opinion on their career aspirations, areas of interest, or accomplishments outside their job description. It tends to happen once a year — for the performance review. However, many would like to share their thoughts with management much more often. So, when an invitation to take a self-evaluation lands in the inbox, they jump at the chance without hesitation. And this is what cybercriminals exploit in the latest spear-phishing campaign.
Phishing email with invitation
Seemingly from HR, an email arrives containing an elaborate description of the employee self-evaluation procedure, which “promotes candid dialogue between staff members and their managers/supervisors”. It goes on to say that “you can learn a lot about your strengths and shortcomings … to reflect on your successes, areas for development, and career objectives”. All in all, quite a convincing piece of corporate spiel.
Email to employees inviting them to undergo a self-evaluation
Convincing it may be, but all the same the email does contain a few telltale signs of phishing. For starters, take a look at the domain name in the sender’s address. That’s right, it doesn’t match the name of the company. Of course, it’s possible that your HR department might be using a contractor unknown to you — but why would “Family Eldercare” be providing such services? Even if you don’t know that this is a non-profit organization that helps families care for elderly relatives, the name should ring an alarm bell.
What’s more, the email says that the survey is “COMPULSORY for EVERYONE”, and must be completed “by End Of Day”. Even if we leave aside the crude and faulty capitalization, the focus on urgency is always a reason to stop and think — and check with the real HR department whether they sent it.
Fake self-evaluation form
Those who miss the flags and click through to the form are faced with a set of questions that may actually have something to do with assessing their performance. But the crux of the phishing operation lies in the last three of those questions — which ask the victim to provide their email address, and enter their password for authentication and then re-enter it for confirmation.
Last three questions of the fake questionnaire
This is actually a smart move on the phishers’ part. Typically, phishing of this type leads straight from the email to a form for entering corporate credentials on a third-party site, which puts many on their guard straight away. Here, however, the request for a password and email address (which commonly doubles up as a username) is disguised as part of the form — and at the very end. By this stage the victim’s vigilance is well and truly lulled.
Also note how the word “password” is written: two letters are replaced with asterisks. This is to bypass automatic filters set to search for “password” as a keyword.
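As an added example (not code from the original post or from Kaspersky), the following Python script scores a lure like the one described against the red flags the post lists: sender domain mismatch, urgency wording and shouting capitals, credential prompts placed in the final questions, and the asterisk-masked spelling of “password” that slips past a plain keyword filter. The sender address, company domain and questionnaire text are constructed placeholders.

```python
# Added example: red-flag scoring for the self-evaluation lure described above. Not code
# from the original post; sender, company domain and questionnaire text are constructed.
import re
from email.utils import parseaddr

_MASK = r"[*#@$\-_.]"  # characters an attacker may substitute for letters to dodge a filter


def _masked_pattern(word: str) -> re.Pattern:
    """Regex matching `word` with any of its letters replaced by one mask character."""
    parts = [f"(?:{re.escape(ch)}|{_MASK})" for ch in word]
    return re.compile(r"(?<![A-Za-z])" + "".join(parts) + r"(?![A-Za-z])", re.IGNORECASE)


PASSWORD_RE = _masked_pattern("password")
URGENCY_RE = re.compile(
    r"\b(compulsory|mandatory|by end of day|eod|immediately|within \d+ hours?)\b", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(e-?mail address|username|login)\b", re.IGNORECASE)


def find_masked_keyword(text: str, max_masked: int = 3) -> list:
    """Spellings of 'password' with 1..max_masked letters masked (e.g. 'pa**word').
    The plain word is left to the ordinary keyword filter; a fully masked run is ignored."""
    hits = []
    for match in PASSWORD_RE.finditer(text):
        masked = sum(1 for ch in match.group(0) if not ch.isalpha())
        if 1 <= masked <= max_masked:
            hits.append(match.group(0))
    return hits


def shouting_ratio(text: str) -> float:
    """Share of words (3+ letters) written entirely in capitals, as in 'COMPULSORY for EVERYONE'."""
    words = re.findall(r"[A-Za-z]{3,}", text)
    return sum(1 for w in words if w.isupper()) / len(words) if words else 0.0


def assess_lure(sender: str, company_domain: str, body: str, questions: list) -> dict:
    """Combine the red flags from the post into one score and verdict."""
    addr = parseaddr(sender)[1]
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = {
        "sender_domain_mismatch": sender_domain != company_domain.lower(),
        "urgency_language": bool(URGENCY_RE.search(body)),
        "shouting": shouting_ratio(body) > 0.1,
        # Credentials asked for in the final questions, once vigilance has been lulled.
        "credentials_requested_at_end": any(
            PASSWORD_RE.search(q) or CREDENTIAL_RE.search(q) for q in questions[-3:]),
    }
    masked_hits = [hit for q in questions for hit in find_masked_keyword(q)]
    flags["masked_password_keyword"] = bool(masked_hits)
    score = sum(flags.values())
    verdict = "phishing" if score >= 3 else ("review" if score else "no flags")
    return {"flags": flags, "masked_hits": masked_hits, "score": score, "verdict": verdict}


# Constructed sample modelled on the campaign (hr-portal.example / example.com are placeholders).
SAMPLE_LURE = dict(
    sender="HR Department <survey@hr-portal.example>",
    company_domain="example.com",
    body="This self-evaluation survey is COMPULSORY for EVERYONE and must be completed by End Of Day.",
    questions=[
        "How would you rate your communication skills?",
        "What are your career objectives for next year?",
        "Enter your e-mail address",
        "Enter your pa**word for authentication",
        "Re-enter your pa**word to confirm",
    ],
)
```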
How to stay safe
To stop company employees falling for phishing, keep them informed of all the latest tricks (for example, by forwarding our posts about phishing ploys). If you prefer a more systematic approach, carry out regular training sessions and checks, for example with our Kaspersky Automated Security Awareness Platform.
Ideally, employees should never even see most phishing thanks to technical means: install security solutions with anti-phishing technology both at the corporate mail gateway level and on all work devices used for internet access.
“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.
The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour — even off the clock. 38% of respondents admitted to having to respond to alerts at night.
What to do
Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alarms and speeds up their processing.
Implement automation. For example, an XDR solution can automate typical analysis/response scenarios and reduce the number of alerts by combining disparate events into a single incident.
Leverage an MSSP, MDR service or commercial SOC. This is the most efficient way to flexibly scale alert handling. Full-time team members will be able to focus on building overall security and investigating complex incidents.
Emails with warnings
Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.
What to do
Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot to complete this task; email-processing rules or simple scripts will do the job.
These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.
Emails flagged by employees
Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.
What to do
1. Deploy reliable protection at the mail gateway level — this will significantly reduce the number of genuine phishing emails. With specialized defense mechanisms in place, you’ll defeat sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
2. If your email security solution allows users to “report a suspicious email”, instruct your colleagues to use it so they don’t have to manually process such alerts.
3. Set up a separate email address for messages with employees’ suspicions so as to avoid mixing this category of emails with other security alerts.
4. If item 2 is not feasible, focus your efforts on automatically searching for known safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the truly dangerous ones.
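As an added example serving both the “simple scripts” triage described under “Emails with warnings” and the known-safe filtering of employee reports just described (not code from the original post): a Python routine that parses raw messages with the standard email module, auto-files mail from an allow-listed sender unless it carries urgent wording, routes direct alerts by subject matter, and unwraps employee reports (the suspicious mail attached as message/rfc822) to check whether the reported sender is actually known-safe. Mailbox names, the allow-list, the routing rules and the sample messages are constructed.

```python
# Added example: triage for a shared security inbox. Not code from the original post;
# mailbox names, the sender allow-list, routing rules and sample messages are constructed.
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

REPORT_MAILBOX = "phishing-reports@example.com"  # where employees send their suspicions
KNOWN_SAFE_SENDERS = {"noreply@vendor-advisories.example", "newsletter@example.com"}
URGENT_RE = re.compile(r"\b(critical|actively exploited|zero-day|incident|urgent\w*)\b", re.I)
# Subject-matter routing for direct alerts: (pattern, folder, owner)
TOPIC_ROUTES = [
    (re.compile(r"\b(cve-\d{4}-\d+|vulnerab\w*|patch\w*)\b", re.I), "Vuln-Mgmt", "vuln-team"),
    (re.compile(r"\b(regulat\w*|compliance|audit\w*)\b", re.I), "Compliance", "grc-team"),
]


def reported_original(msg: EmailMessage) -> Optional[EmailMessage]:
    """Employee reports carry the suspicious mail as a message/rfc822 attachment."""
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the embedded message object
    return None


def message_text(msg: EmailMessage) -> str:
    """Subject plus the plain-text body: the text the rules are matched against."""
    body = msg.get_body(preferencelist=("plain",))
    return f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"


def triage(raw: bytes) -> dict:
    """Decide folder, owner and urgency score for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_report = REPORT_MAILBOX in (msg["To"] or "").lower()
    original = (reported_original(msg) or msg) if is_report else msg
    sender = parseaddr(original["From"] or "")[1].lower()
    text = message_text(original)
    urgency = len(URGENT_RE.findall(text))
    # Known-safe senders are auto-filed, but urgent wording always reaches a human.
    if sender in KNOWN_SAFE_SENDERS and urgency == 0:
        return {"folder": "Auto-closed/Known-safe", "owner": None, "urgency": 0}
    if is_report:
        return {"folder": "User-Reports", "owner": "soc-l1", "urgency": urgency}
    for pattern, folder, owner in TOPIC_ROUTES:
        if pattern.search(text):
            return {"folder": folder, "owner": owner, "urgency": urgency}
    return {"folder": "Unsorted", "owner": "soc-l1", "urgency": urgency}


def build_report(reporter: str, original_eml: str) -> bytes:
    """Constructed helper mimicking what a 'report suspicious email' button submits."""
    return (f"From: {reporter}\nTo: {REPORT_MAILBOX}\nSubject: FW: please check\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nIs this legitimate?\n--b1\n"
            "Content-Type: message/rfc822\nContent-Disposition: attachment\n\n"
            f"{original_eml}\n--b1--\n").encode()


# Constructed sample messages.
ADVISORY = (b"From: noreply@vendor-advisories.example\nTo: security@example.com\n"
            b"Subject: Advisory: critical vulnerability actively exploited\n\nPatch immediately.\n")
DIGEST = "From: newsletter@example.com\nTo: jane@example.com\nSubject: Weekly digest\n\nThis week's news.\n"
LURE = ("From: HR <survey@hr-portal.example>\nTo: jane@example.com\n"
        "Subject: Urgent: self-evaluation due today\n\nEnter your pa**word at the end of the form.\n")
```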
Prohibitions, risk assessments, and risk negotiations
As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.
Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.
What to do
1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them.
2. Maintain an open dialogue with key customers about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
4. Handle these business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security audits less frequently — only at the most critical phases of a project. This will reduce the time outlays for both the business and the infosec team.
Checklists, reports, and guidance documents
Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.
What to do
Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI Report on Compliance, or a SOC2 audit. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
Automate processes — this helps not only to shift routine control operations to machines but also to document them correctly. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.
Selecting security technologies
New infosec tools appear monthly. Buying as many solutions as possible won’t only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.
What to do
1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.
Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.
What to do
Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.
All large companies have formal processes for both onboarding and offboarding. These include granting access to corporate IT systems after hiring, and revoking said access during offboarding. In practice, the latter is far less effective — with departing employees often retaining access to work information. What are the risks involved, and how can they be avoided?
How access gets forgotten
New employees are granted access to the systems they need for their jobs. Over time, these accesses accumulate, but they’re not always issued centrally, and the process itself is by no means always standardized. Direct management might give access to systems without notifying the IT department, while chats in messenger apps or document-exchange systems get created ad hoc within a department. Poorly controlled access of this kind is almost certain not to be revoked from an offboarded employee.
Here are some typical scenarios in which IT staff may overlook access revocation:
The company uses a SaaS system (Ariba, Concur, Salesforce, Slack… there are thousands of them) that’s accessed with a username and password the employee chose at first login, and that isn’t integrated with the corporate employee directory.
Employees share a common password for a particular system. (The reason may be saving money by using just one subscription or lacking a full multi-user architecture in a system.) When one of them is offboarded, no one bothers to change the password.
A corporate system allows login using a mobile phone number and a code sent by text. Problems arise if an offboarded employee keeps the phone number they used for this purpose.
Access to some systems requires being bound to a personal account. For example, administrators of corporate pages on social media often get access by assigning the corresponding role to a personal account, so this access needs to be revoked in the social network as well.
Last but not least is the problem of shadow IT. Any system that employees started using, and run, by themselves is bound to fall outside standard inventory, password control and other procedures. Most often, offboarded employees retain the ability to perform collaborative editing in Google Docs, manage tasks in Trello or Basecamp, share files via Dropbox and similar file-hosting services, as well as access work and semi-work chats in messenger apps. That said, pretty much any system could end up in the list.
The danger of unrevoked access
Depending on the role of the employee and the circumstances of their departure, unrevoked access can create the following risks:
The offboarded employee’s accounts can be used by a third party for cyberattacks on the company. A variety of scenarios are possible here — from business email compromise to unauthorized entry to corporate systems and data theft. Since the departed employee no longer uses these accounts, such activity is likely to go unnoticed for a long time. Forgotten accounts may also use weak passwords and lack two-factor authentication, which simplifies their takeover. No surprise, then, that forgotten accounts are becoming very popular targets for cybercriminals.
The offboarded employee might continue to use accounts for personal gain (accessing the customer base to get ahead in a new job; or using corporate subscriptions to third-party paid services).
There could be a leak of confidential information (for example, if business documents are synchronized with a folder on the offboarded employee’s personal computer). Whether the employee deliberately retained this access to steal documents or it was just plain forgetfulness makes little difference. Either way, such a leak creates long-term risks for the company.
If the departure was acrimonious, the offboarded employee may use their access to inflict damage.
Keeping track of SaaS systems and shadow IT is already a handful, but the situation is made worse by the fact that not all company offboarding processes are properly formalized.
An additional risk factor is freelancers. If they were given some kind of access as part of a project, it’s extremely unlikely that IT will promptly revoke it — or even know about it — when the contract expires.
Contracting companies likewise pose a danger. If a contractor fires one employee and hires another, often the old credentials are simply given to the new person, rather than deleted and replaced with new ones. There’s no way that your IT service will know about the change in personnel.
In companies with seasonal employees or just a high turnover in certain positions, there’s often no full-fledged centralized on/offboarding procedure — just to simplify the business operation. Therefore, you can’t assume they’ll perform an onboarding briefing or operate a comprehensive offboarding checklist. Employees in these jobs often use the same password to access internal systems, which can even be written on a Post-It right next to the computer or terminal.
How to take control
The administrative aspect is key. Below are a few measures that significantly mitigate the risk:
Regular access audits. Carry out periodic audits to determine what employees have access to. The audit should identify accesses that are no longer current or were issued unintentionally or outside of standard procedures, and revoke them as necessary. For audits, a technical analysis of the infrastructure is not enough. In addition, surveys of employees and their managers should be carried out in one form or another. This will also help bring shadow IT out of the shadows and in line with company policies.
Close cooperation between HR and IT during offboarding. Departing employees should be given an exit interview. Besides questions important for HR (satisfaction with the job and the company; feedback about colleagues), this should include IT issues (request a complete list of systems that the employee used on a daily basis; ensure that all work information is shared with colleagues and not left on personal devices, etc.). The offboarding process usually involves signing documents imposing responsibility on the departing employee for disclosure or misuse of such information. In addition to the employee, it’s advisable to interview their colleagues and management so that IT and InfoSec are fully briefed on all their accounts and accesses.
Creation of standard roles in the company. This measure combines technical and organizational aspects. For each position and each type of work, you can draw up a template set of accesses to be issued during onboarding and revoked during offboarding. This lets you create a role-based access control (RBAC) system and greatly simplify the work of IT.
Technical measures to facilitate access control and increase the overall level of information security:
Implementing Identity and Access Management (IAM) and identity security systems. The keystone here would be a single sign-on (SSO) solution based on a centralized employee directory.
Asset and Inventory Tracking to centrally track corporate devices, work mobile phone numbers, issued licenses, etc.
Monitoring of outdated accounts. Information security tools can be used to introduce monitoring rules to flag accounts in corporate systems if they have been inactive for a long time. Such accounts must be periodically checked and disabled manually.
Compensatory measures for shared passwords that have to be used (these need to be changed more often).
Time-limited access for freelancers, contractors and seasonal employees. For them, it’s always best to issue short-term accesses, and to extend/change them only when necessary.
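As an added example for the inactive-account monitoring, shared-password and time-limited-access points above (not code from the original post): a Python review pass over a constructed account inventory that flags stale logins, expired or open-ended contractor and seasonal access, shared passwords overdue for rotation, and SaaS accounts not tied to the corporate directory. The thresholds, the reference date and the records are constructed placeholders.

```python
# Added example: stale and overdue access review over an account inventory. Not code from
# the original post; thresholds, the reference date and the inventory records are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INACTIVE_DAYS = 90          # flag accounts unused for longer than this
SHARED_PW_MAX_AGE = 30      # compensatory control: rotate shared passwords monthly
CONTRACT_GRACE_DAYS = 0     # contractor access ends with the contract, no grace period


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    kind: str                                   # "employee", "contractor", "seasonal", "shared"
    last_login: Optional[date]                  # None = never seen logging in
    expires: Optional[date] = None              # set for time-limited access
    password_rotated: Optional[date] = None     # for shared accounts
    in_directory: bool = True                   # False = SaaS login not tied to the directory


def review(accounts: List[Account], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, system, finding) triples for every account that needs action."""
    findings = []
    for acct in accounts:
        where = (acct.user, acct.system)
        if acct.last_login is None or (today - acct.last_login).days > INACTIVE_DAYS:
            findings.append((*where, "inactive: disable pending owner confirmation"))
        if acct.kind in ("contractor", "seasonal"):
            if acct.expires is None:
                findings.append((*where, "time-limited access without an expiry date"))
            elif (today - acct.expires).days > CONTRACT_GRACE_DAYS:
                findings.append((*where, "expired: revoke"))
        if acct.kind == "shared":
            age = (today - acct.password_rotated).days if acct.password_rotated else None
            if age is None or age > SHARED_PW_MAX_AGE:
                findings.append((*where, "shared password overdue for rotation"))
        if not acct.in_directory:
            findings.append((*where, "not tied to directory: verify in the SaaS admin console"))
    return findings


TODAY = date(2024, 6, 1)  # fixed reference date so the example is reproducible
# Constructed inventory; in practice this would be exported from IAM, SaaS consoles and surveys.
INVENTORY = [
    Account("a.smith", "CRM (SaaS)", "employee", date(2024, 1, 15), in_directory=False),
    Account("b.jones", "Wiki", "employee", date(2024, 5, 30)),
    Account("c.freelance", "Git", "contractor", date(2024, 4, 20), expires=date(2024, 4, 30)),
    Account("d.temp", "Ticketing", "seasonal", date(2024, 5, 25)),
    Account("warehouse-kiosk", "Warehouse terminal", "shared", date(2024, 5, 31),
            password_rotated=date(2024, 2, 1)),
    Account("e.leftover", "Social media admin", "employee", None, in_directory=False),
]

if __name__ == "__main__":
    for user, system, finding in review(INVENTORY, TODAY):
        print(f"{user:16} {system:20} {finding}")
```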
Summer finds many company employees gazing out of the window for long stretches, occasionally glancing at the calendar. You don’t need to be a psychic to read the word “vacation” in their minds. Nor do cybercriminals, who exploit such sentiments through phishing. The goal, as usual, is to coax out corporate credentials. We examine one such scam and explain what you should watch out for.
The aim is to get the victim to click a phishing link. To achieve this, the attackers need to switch off the critical-thinking side of the victim’s brain, usually by scaring or intriguing them. Chances are that at the start of summer the mention of a vacation schedule will do the trick. By this time many employees have already made plans, bought tickets and booked hotels. If the vacation dates suddenly change, all those plans are ruined. So the scammers send an email purportedly from HR on the subject of vacations: perhaps a sudden rescheduling, a need to confirm dates, or a clash with some important event. Such an email looks something like this:
Since in this case we are dealing with mass phishing rather than spear phishing, it is very easy to spot the attackers’ tricks. The main thing is to resist the urge to click the link right away to see your revised vacation dates. If we examine the email more closely, it becomes clear that:
The sender (firstname.lastname@example.org) is not an employee of your company;
The “signature” of the “HR Director” has no name, and the signature does not match your organization’s corporate style;
Hidden behind the link that appears to point to a PDF file is an entirely different address (you can see it by hovering over the link).
It also soon becomes clear that the attackers know only the recipient’s address. An automated mass-mailing tool takes the company’s domain name and the employee’s name from the address and automatically substitutes them into the dummy link and the sender’s signature.
Even if the victim swallows the bait and clicks the link, they can still find signs of phishing on the attackers’ site. The link in the email above points here:
The site itself is less than convincing:
For a start, it isn’t hosted on your company’s server, but on Huawei Cloud (myhuaweicloud.com), where anyone can rent space;
The file name doesn’t match the name of the PDF specified in the email;
There is not a single attribute on the site to link it to your company.
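As an added example (not code from the original post), the following Python check pulls every link out of an HTML email body and tests it for the signs listed above: the target host is outside the company, it sits on self-service hosting such as myhuaweicloud.com, the file promised in the link text is not the file actually linked, and a URL shown as visible text whose host differs from the real one. The HTML snippet, company domain and hosting list are constructed; myhuaweicloud.com is the only name taken from the post.

```python
# Added example: link checks for the signs listed above. Not code from the original post;
# the HTML snippet, company domain and hosting list are constructed (myhuaweicloud.com is
# the only name taken from the post).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Self-service hosting where anyone can rent space (constructed list; extend for your environment).
RENTABLE_HOSTING = ("myhuaweicloud.com", "cloud-storage.example")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def check_links(html: str, company_domains) -> list:
    """Return one record per anchor: what it shows, where it really goes, and the flags raised."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        target_file = url.path.rsplit("/", 1)[-1].lower()
        claimed_pdf = re.search(r"[\w\-]+\.pdf\b", text, re.I)    # file name promised in the link text
        shown_url = re.search(r"https?://([\w.-]+)", text, re.I)  # a URL the reader sees as text
        flags = {
            "offsite_host": not _host_in(host, company_domains),
            "rentable_hosting": _host_in(host, RENTABLE_HOSTING),
            "pdf_name_mismatch": bool(claimed_pdf) and target_file != claimed_pdf.group(0).lower(),
            "shown_host_differs": bool(shown_url) and shown_url.group(1).lower() != host,
        }
        results.append({"href": href, "text": text, "flags": flags, "score": sum(flags.values())})
    return results


# Constructed sample body modelled on the lure described above.
SAMPLE_HTML = """
<p>Dear colleague, please confirm the revised vacation dates in the attached schedule:</p>
<p><a href="https://example-bucket.myhuaweicloud.com/upload/login.html">Vacation_Schedule_2024.pdf</a></p>
<p>Regards,<br>HR Director</p>
<p><a href="https://intranet.example.com/hr/policy.pdf">https://intranet.example.com/hr/policy.pdf</a></p>
"""
```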
Of course, as soon as the victim enters their password in the login window, it goes straight to the cybercriminals’ server.
How to stay safe
To reduce the chance of your company’s employees encountering phishing emails, you need protection at the email gateway level. What’s more, all devices connected to the internet should be protected by an endpoint security solution.
In addition, we recommend holding regular awareness training for employees on the latest cyberthreats or, at the very least, informing them about potential phishing scams. For more on the tricks and traps of phishers, see other posts on this blog.