“Like watching a car crash”: CrowdStrike reveals how hackers talk their way into corporate systems via helpdesk manipulation


For a casual listener, the phone call between the employee and his IT helpdesk seemed standard. The person on the other end of the line was locked out of his account and wanted to reset his password.

As The Times reports, he was in fact a hacker from the Scattered Spider cybercrime group, about to wreak havoc on the company’s systems.

The hacker used the same playbook later deployed in the attacks against Marks & Spencer and the Co-op: duping the helpdesk. Those hacks cost the companies hundreds of millions of pounds and disrupted their shops for months.

An edited recording of the call has been played to The Times, revealing how young hackers are able to manipulate their way into companies.

The recording is one of about 200 similar calls analysed by the cybersecurity company CrowdStrike, which gave Scattered Spider its moniker after monitoring the group’s activity.

Scattered Spider is made up of hackers who specialise in “social engineering” to trick their way into companies.

Police have said the group was responsible for the cyberattacks last year on M&S, Co-op and Harrods.

Adam Meyers, the senior vice-president of counter-adversary operations at CrowdStrike, described the 30 to 40-minute call as “epic” and “one of the most egregious calls I’ve listened to”.

The hacker opens the call by saying: “I’m just calling because I’m unable to sign into my account on my machine and, well, it’s not letting me. I don’t know how to reset my password, so I was just calling to get a password reset.”


The call handler then takes him through security. “What division are you working out of?” he asks.

The hacker is impersonating a real employee, an IT director. He will have researched the target’s personal details beforehand, but can also search the web for answers while the call is in progress.

To buy more time during the call, the hacker pretended his dog had urinated on the floor.

He starts to bluff: “I’m working out … I’m working on a … I’m a director of information technology working out of a … but it’s in every location. That’s kind of what I mean.” He then finds the answer: “I’m in the New York location, yeah.”

On to the next security question: “Who’s your manager?”

The hacker stalls again: “My manager just recently got sent over to a new team. I don’t know which one you’d have on file.” He tries a name. The IT worker says: “I have someone else on here.”

The hacker tries another name. “I think it’s someone a little bit higher, a little bit higher.” At no stage are alarm bells ringing with the help desk, despite two failed attempts.

“One moment, I’m just going through some documents here,” the hacker says, at which point the help desk gives him a clue: “It starts with a C.”

The hacker guesses again, and fails. But still no alarm bells. “I think you’re getting a little bit closer. Are you kind of new?” the IT worker asks.

“I just recently started working here. I’ve shifted through two teams already, but I just, I just don’t know which it would be.” He then guesses correctly. “Sorry about that,” he says. “No worries, man,” replies the IT worker, who then hands over a temporary password.

Just getting the password was not enough for the hacker, however. He also needed to make sure the two-factor authentication code went to his phone number, not the one on file.

So he asks the helpdesk staffer to change it, but they don’t know how. “I can remote into your computer real quick and take a look at it, because there are different ways to go there,” the hacker says, in a final act of bravado. “Okay, all right,” the staffer says.
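The sequence described above, a helpdesk password reset followed minutes later by a change of the account’s MFA phone number, is one that audit logs can catch even when the call itself fools the agent. The script below is an added example written for this page, not code from CrowdStrike, The Times or the unnamed company. The JSON-lines log format, the event names (`helpdesk.password_reset`, `mfa.phone_changed`), the field names and the sample events are all constructed assumptions; map them onto the audit fields your own identity provider and ticketing system emit.

```python
"""Flag helpdesk password resets that are followed within a short window by a
change of the same account's MFA phone number (the pattern in the call above).

Added example for this article; the log format, event names and sample data
below are assumptions, not any vendor's real schema or real log data.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form (not real data).
# jdoe:   reset by a helpdesk agent, then the same agent reroutes MFA 12 min later -> alert
# asmith: reset, but the self-service MFA change comes a day later -> outside window, no alert
# bwong:  MFA "change" that keeps the same number -> no-op, no alert
SAMPLE_LOG = """
{"ts": "2024-05-01T09:02:11Z", "event": "helpdesk.password_reset", "actor": "hd-agent-17", "target": "jdoe", "ticket": "INC-1001"}
{"ts": "2024-05-01T09:14:40Z", "event": "mfa.phone_changed", "actor": "hd-agent-17", "target": "jdoe", "old_phone": "+1555***0001", "new_phone": "+1555***0199"}
{"ts": "2024-05-01T10:30:00Z", "event": "helpdesk.password_reset", "actor": "hd-agent-03", "target": "asmith", "ticket": "INC-1002"}
{"ts": "2024-05-02T08:00:00Z", "event": "mfa.phone_changed", "actor": "asmith", "target": "asmith", "old_phone": "+1555***0002", "new_phone": "+1555***0003"}
{"ts": "2024-05-01T09:05:00Z", "event": "mfa.phone_changed", "actor": "bwong", "target": "bwong", "old_phone": "+1555***0004", "new_phone": "+1555***0004"}
"""

RESET_EVENT = "helpdesk.password_reset"   # assumed event name
MFA_CHANGE_EVENT = "mfa.phone_changed"    # assumed event name


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit events, convert timestamps, and sort chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Accept the trailing "Z" form on older Python versions as well.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_reset_then_mfa_change(events: list[dict],
                               window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Return one alert per (reset, MFA change) pair on the same target account
    where the phone number actually changed within `window` after the reset.
    """
    resets_by_target: dict[str, list[dict]] = {}
    alerts = []
    for ev in events:  # events are sorted, so resets are seen before later changes
        if ev["event"] == RESET_EVENT:
            resets_by_target.setdefault(ev["target"], []).append(ev)
        elif ev["event"] == MFA_CHANGE_EVENT:
            if ev.get("old_phone") == ev.get("new_phone"):
                continue  # nothing was rerouted
            for reset in resets_by_target.get(ev["target"], []):
                delta = ev["ts"] - reset["ts"]
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "target": ev["target"],
                        "ticket": reset.get("ticket"),
                        "reset_by": reset["actor"],
                        "mfa_changed_by": ev["actor"],
                        "minutes_between": round(delta.total_seconds() / 60, 1),
                        # The call above had the agent do both; a strong triage signal.
                        "same_helpdesk_agent": reset["actor"] == ev["actor"],
                    })
    return alerts


def run_detection(log_text: str = SAMPLE_LOG) -> list[dict]:
    """Convenience entry point: parse the log and run the correlation."""
    return find_reset_then_mfa_change(parse_log(log_text))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert))
```

The one-hour window and the "same helpdesk agent" flag are tuning choices, not facts from the recording; the useful property is that the correlation fires regardless of how convincing the caller was, which is the part a helpdesk script cannot guarantee.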

[Photo: Adam Meyers, senior vice-president of CrowdStrike, speaking at a hearing on China’s cybersecurity threat. Credit: Mattie Neretin/CNP/AdMedia/Newscom/Alamy Live News]

Meyers says of the call: “It’s like watching a car crash. You listen to it and you’re just like, oh no.” He said that the hacker “brought the organisation to its knees”. The company is not being named for confidentiality reasons.

Meyers said that CrowdStrike used AI to analyse the hundreds of Scattered Spider calls and found seven distinct hacker voices across them, which can now be identified.

Rob Shapland, an ethical hacker at Cyonic Cyber, said: “Why on earth would an IT person let someone else remote into their [computer]? I’ve never met a service desk person that would let that happen. It’s just flabbergasting … nuts.”

He said that even the security questions were weak, since the answers were open-source information available on the web.

The vulnerability of help desks to being tricked by hackers is not new, but the M&S hack was a “wake-up call” that has led many companies to change their procedures, Shapland says.

But the ethical hacker, who is hired by companies to test their security, says he has still been able to trick his way through three different helpdesks since the M&S attack.

He adds: “I pretended that I’m about to go to an urgent meeting. I was pretending to be someone in authority. On one of them, I cloned the voice of one of the people I was pretending to be. So it was a director of the company, and I grabbed a YouTube video of them and used [software] to clone their voice and then pretended to be them.”

Many helpdesk operators are sub-contractors from an outside company, often based in another country, that has been hired for cost reasons. When you call there is “a clock ticking” and they get anxious to “close the ticket”, Meyers said.

“There’s lots of different ways to manipulate people if you’re skilled at this, and this has been a problem going back for ever,” he added. “If it doesn’t work the first time, you just call back and you get somebody else.”

Sarah Anderson

Politics & Government Editor