Nicolle Neulist is an intelligence analyst within Optiv’s Global Threat Intelligence Center (gTIC). The Global Threat Intelligence Center is comprised of cyber threat intelligence specialists within Optiv’s managed security services that specialize in providing our clients with proactive intelligence support around current and emerging threats.
Threat Advisory – Single Sign-On Phishing
Recently, Optiv’s Global Threat Intelligence Center (gTIC) identified an active phishing campaign against the education sector, in which attackers are stealing credentials and using them to redirect direct deposit paychecks to attacker-controlled accounts. Users are being tricked into entering their single sign-on (SSO) information into a portal that is made to look like the real one, but is controlled by the attacker. The attacker then uses the harvested credentials to get into the human resources (HR) portal and change the direct deposit destination information.
While this current attack is targeting the education sector, the attack is similar to others that have been identified in different industries, targeting Outlook Web Access or other externally reachable corporate resources left unprotected by two-factor authentication. Given the effect of a successful attack – stolen paychecks – as well as the ease of forging a single-factor SSO portal, it remains a high-priority issue in all sectors.
The lures used in this attack are similar in type to other phishing campaigns. The two main themes used by the attackers were “important message from the [target university] staff portal,” or “a payment has been made to your account.” The sender, subject, and body showed slight variations across the campaign, a common tactic that attackers use to make their attack emails more difficult to detect and block.
The “important message” emails try to fool the end user into logging onto the fake SSO portal to read a message. In the “payment” lures, the attacker asks the user to log on to check a payment that has been made to their account, but also directs them to the fake SSO portal. Most of the lures had no attachments, though one variant of the “payment” lure had a PDF attachment purporting to be a payment confirmation. The PDF had an embedded script that launched a web browser to a fake SSO page.
A third version of the lure has used an email claiming to be an overdue library book notification to send people to the fake SSO portal.
The various fake SSO pages tie back to the following domains associated with this campaign:
The URL paths from these domains to the fake SSO pages are typically long, and near the end of them contain references to the target universities in the path in order to fool users into thinking they are legitimate. The fake SSO pages are modeled after the actual ones – a common tactic, as making a believable clone of a website is trivial nowadays.
Once the account credentials were compromised, attackers used them to view their targets’ sensitive information, including W2 forms and social security numbers. They also used the access they had gained to change direct deposit information in an attempt to redirect payments to accounts owned by the attackers.
In addition to accessing the HR portal, attackers also used stolen SSO credentials to access Outlook Web Access. This gives an extra veneer of legitimacy to the attackers’ emails: once they have compromised one user in the target institution, they can begin to use that email address to send phishing emails, which will now be coming from a legitimate corporate email account.
Thus far, this campaign has not been tied to a specific individual. While no specific individual can be identified, we did observe several suspicious, anomalous patterns in the HR portal access logs. IPs were identified as suspicious based on their ownership (anonymizing services), their geolocation (Nigeria, China), and their behavior patterns (one IP accessing many accounts over a relatively short period of time).
Technical measures and user education measures should be taken in order to prevent becoming the target of this phishing attack. Technical measures include two-factor authentication, as well as blocking known indicators of the campaign. User education, though more difficult, also goes a long way to prevent this attack, as well as other phishing attacks in the future. As phishing attacks target users, organizations should equip employees with the ability to identify, resist, and report the attack. This layer of defense matters no matter what the phishing campaign.
In addition, incident response processes should be in place, and employees well trained on them. This campaign makes the need for swift and organized incident response very clear. Since employees’ paychecks are redirected to attackers when this attack succeeds, it is imperative to respond and reverse the changes made by the attackers before the next round of paychecks goes out.
First and foremost, implement two-factor authentication for the SSO portal from which employees access their HR portal and other sensitive internal services. Two-factor authentication means requiring something you have (a token code or a mobile device verification) or something you are (a fingerprint) in addition to a password. Typically, in this use case, the “something you have” factor is used. The identity provider can then pass that trusted identity on to the HR portal and other applications behind the portal. This prevents an attacker, who would not have access to an employee’s second factor, from accessing and editing the employee’s account.
The employees who have been compromised during this campaign have all had one thing in common: their employers did not require two-factor authentication for the SSO portal. Thus, once the attackers stole the user’s login information via the look-alike site, they gained access to the account and could change the direct deposit information for the victim’s paycheck.
In addition to two-factor authentication, administrators of sensitive applications should configure them to notify users when their accounts are viewed or modified. For example, the HR portal should send users an email or text message if their direct deposit information is viewed or changed. That way, users find out quickly if critical details are accessed or edited, and these attacks will be more likely to be caught and thwarted before the next round of paychecks goes out.
User education is an ongoing and periodic process of keeping users aware of threats against them, as well as how they can thwart those threats. Phishing attackers depend on their targets to be fooled into handing over their information. This makes it paramount to equip users with what they need to resist giving information to the attackers, and to ensure that the attacks are reported to the proper authorities.
Relevant to this type of scam, users should be informed that scammers are actively targeting HR portals. Inform users of what a legitimate email from their employer looks like, using both text and screenshots.
Furthermore, explain the hallmarks of this particular campaign. Employees should know that phishing lures often disguise themselves as payment notifications or “important messages” from business or financial portals. Employees should be trained to use known good bookmarks for critical resources such as a corporate SSO portal, instead of clicking on links in an email. As a secondary precaution in case they do click on links in emails, users should be trained to check the entire URL to determine whether a sign-on form is appropriate – not just to go ahead and enter data when they see a familiar domain like targetuniversity.edu in the URL path.
Users should also be advised to check who is sending the email. Lures in this campaign were coming from compromised internal email addresses. Even with email coming from internal addresses, users should ask whether that person is the one who typically sends paycheck information or human resources updates. If the email does not come from the typical source – even if it does come from an internal address – it is likely fake, and could be the result of an attacker using stolen credentials.
Finally, underscore the importance of being wary about this campaign by discussing the consequences. Falling victim to this scam means that the scammers can and will log into the employee’s HR portal account and change the direct deposit information from the employee’s account to one controlled by the attacker. The attacker will steal the employee’s paychecks – and bluntly underscoring the direct financial consequences should increase users’ desire to pay attention and follow anti-phishing measures.
In addition to financial consequences on the next payday, users targeted by this scam may also suffer issues well into the future. A human resources portal contains a treasure trove of information that attackers can use for identity theft: birthdates, social security numbers, addresses, job titles. This is information that an attacker may not use immediately, but can hold onto and use for identity theft months and years in the future.
Incident Response Processes
In addition to technical measures and user education targeted at preventing attacks, ensure that there are processes in place to respond should an attacker ensnare an employee. The time for putting an incident response process into place and ensuring people are trained on it is now – not when there is an attack.
An incident response plan should cover a broad range of compromises. But, specifically relevant to these SSO/HR portal phishing attacks, plans should include information for who employees should contact if they have been compromised, as well as information for how human resources staff can engage information security should they see an uptick in direct deposit changes, or otherwise suspect an attack. It should also cover procedures for information technology and information security staff to work together to identify suspicious access information in the logs of the SSO portal and applications sitting behind it, as well as to reset passwords for accounts that are suspected of being compromised.
Incident response also requires an element of communication. Once an incident has been identified and remediated, internal security staff should communicate to targeted users what happened, including the source of the compromise. In the case of this campaign, there are users who have accused the target universities or the HR portal of being compromised, when the attacker’s way in was actually a combination of the user’s lack of vigilance and the infrastructure’s lack of two-factor authentication.
In addition to internal procedures, the incident response plan should also address when to contact local or federal law enforcement. As internal corporate security teams can focus on the effect that a successful attack has on the employees of that company, law enforcement can focus on locating and taking down the attackers, and may have the ability to correlate reports of similar malicious activity from multiple attackers.
The main ways to prevent this attack include instituting two-factor authentication for sensitive services and SSO portals, as well as user education. However, adding indicators of this campaign to web blocklists and firewalls may help prevent further attacks should these attackers continue to use similar domains.