Payroll pirates target help desks to siphon employee paychecks

About the author

Brian Prince

Newsroom Reporter

Brian Prince is a marketing content creator and former journalist who has been focused on cybersecurity for more than 15 years.

15 December 2025

Thieves have their eyes on your payroll. But instead of using a mask and a gun, they are sitting behind a keyboard and a phone.  

Okta Threat Intelligence recently issued a threat advisory highlighting another method threat actors are using to gain unauthorized access to payroll applications. 

In a cluster of threat activity tracked by Okta as O-UNC-034, cyber thieves employed social engineering, calling help desk personnel on the phone and attempting to trick them into resetting the password for a user account. These attacks have impacted multiple industries, including education, manufacturing, and retail, and follow similar attacks on payroll systems earlier this year that leveraged malvertising and credential phishing for initial access. 

“It’s interesting to see payroll fraud actors joining the swelling number of threat actor groups targeting help desk professionals for access to user accounts,” says Brett Winterford, Vice President of Threat Intelligence at Okta. “This situation underscores the importance of giving IT support personnel the tools they need to verify the identities of inbound callers, and to give them account recovery options that limit the ability of a rogue caller to take over an account.”

Small-scale attacks fly under the radar

Why target individual paychecks rather than, say, deploying ransomware or engaging in data extortion for significantly higher potential financial gains? 

“At first glance, a multi-stage campaign like this seems like a lot of effort for one-off siphoning of a paycheck,” says Winterford. “It’s only at scale that the economics work. It also wouldn’t be hard with a little reconnaissance to optimize the attack for higher income earners, or for folks about to be paid an exit package.”

Another theory is that targeting individuals helps attackers stay under the radar, avoiding unwanted attention from law enforcement agencies.

O-UNC-034 is just one example of threat activity targeting HR and payroll applications. Earlier this year, Okta Threat Intelligence tracked a malvertising campaign (O-TA-54) using the same theme. 

These “payroll pirate”-style attacks primarily relied on malvertising (malicious or compromised search advertising): paid advertisements impersonating legitimate company and government service websites, often appearing as “sponsored” results at the top of search results. An unsuspecting employee searching for an HR portal who clicked one of these ads was directed to a phishing site, where a fake login page was designed to deceive the victim into entering their credentials and other sensitive financial information. The threat actor intercepted this data and used it to take over the victim’s account.

The difference here with O-UNC-034 is the targeting of help desk workers over the phone, a tactic also employed by threat groups such as UNC3944 (“Scattered Spider,” “Muddled Libra”).

In the O-UNC-034 attacks, the scheme begins with a phone call to the help desk requesting a password reset on behalf of a known user. If the request is granted, the attackers will attempt to enroll their own MFA authenticator for the compromised account. If successful, the threat actor attempts to access payroll applications such as Workday, Dayforce HCM, and ADP software, and uses this access to manipulate the banking details for the compromised account.


How security leaders should prepare 

In light of these types of attacks, it’s vital for business leadership to establish a standardized process for verifying the identity of remote users who contact support personnel, says Winterford. Okta also recommends that organizations enroll users in strong authenticators, such as Okta FastPass, FIDO2 WebAuthn, and smart cards, and enforce phishing resistance in their policies.

“We recommend not giving your first line of service desk professionals the permissions to modify authentication factors for users,” he says. “Instead, they should have the ability to issue temporary access codes—and only after the person has successfully verified their identity.” 

“We recommend administrators restrict access to sensitive applications to devices that are monitored and protected by endpoint management tools,” he continues. “For access requests coming from rarely-used networks, they should consider demanding a higher level of identity assurance or denying the request outright.”

Customers can use Okta Network Zones to control access by location, Autonomous System Number, IP, and IP type, he continues, adding that Okta Behavior and Risk evaluations identify access requests that deviate from previously established patterns of user activity. 
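The sequence described above (a help-desk-initiated password reset, followed by the attacker enrolling their own MFA factor, followed by access to a payroll application) is something a detection team can correlate per user from identity logs. The following is an added example, not code from the article or from Okta; the event names, fields, known-IP baseline and sample events are constructed for illustration and are not Okta's System Log schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)                      # how long after the reset we keep correlating
PAYROLL_APPS = {"workday", "dayforce", "adp"}     # payroll apps named in the article

# Constructed sample events. "user" is the account acted upon; "actor" performed the action.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T09:02:00", "type": "password.reset", "user": "alice", "actor": "helpdesk.bob", "ip": "203.0.113.5"},
    {"ts": "2025-12-01T09:06:00", "type": "mfa.factor.enroll", "user": "alice", "actor": "alice", "ip": "198.51.100.7"},
    {"ts": "2025-12-01T09:20:00", "type": "app.access", "user": "alice", "actor": "alice", "ip": "198.51.100.7", "app": "workday"},
    {"ts": "2025-12-01T10:00:00", "type": "password.reset", "user": "carol", "actor": "helpdesk.bob", "ip": "203.0.113.5"},
    {"ts": "2025-12-02T08:00:00", "type": "mfa.factor.enroll", "user": "carol", "actor": "carol", "ip": "10.0.0.12"},
    {"ts": "2025-12-01T11:00:00", "type": "password.reset", "user": "dave", "actor": "dave", "ip": "10.0.0.20"},
    {"ts": "2025-12-01T11:05:00", "type": "mfa.factor.enroll", "user": "dave", "actor": "dave", "ip": "10.0.0.20"},
]
# Constructed baseline of IPs each user has previously signed in from (stands in for a behavior/zone check).
KNOWN_IPS = {"alice": {"10.0.0.11"}, "carol": {"10.0.0.12"}, "dave": {"10.0.0.20"}}


def detect_reset_to_payroll(events, known_ips, window=WINDOW):
    """Return one alert per help-desk reset that is followed, within `window`, by the user
    enrolling a new MFA factor. Severity rises if the enrollment comes from an IP the user
    has never used, and again if a payroll app is accessed after the enrollment."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort lexically
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            # Only resets performed by someone other than the account owner (e.g. the help desk).
            if reset["type"] != "password.reset" or reset["actor"] == user:
                continue
            t0 = datetime.fromisoformat(reset["ts"])
            later = [e for e in evs[i + 1:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            enrolls = [e for e in later if e["type"] == "mfa.factor.enroll"]
            if not enrolls:
                continue
            enroll = enrolls[0]
            severity, reasons = "medium", ["help-desk reset followed by MFA enrollment"]
            if enroll["ip"] not in known_ips.get(user, set()):
                severity = "high"
                reasons.append(f"enrollment from unfamiliar IP {enroll['ip']}")
            payroll = [e for e in later if e["type"] == "app.access"
                       and e.get("app") in PAYROLL_APPS and e["ts"] > enroll["ts"]]
            if payroll:
                severity = "critical"
                reasons.append(f"payroll app {payroll[0]['app']} accessed after enrollment")
            alerts.append({"user": user, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_to_payroll(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert["severity"].upper(), alert["user"], "; ".join(alert["reasons"]))
```

On the sample data alice's account trips all three stages, carol's is flagged at medium because the enrollment came from a known IP with no payroll access, and dave's self-service reset produces no alert.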

“Social engineering is only going to get more advanced as attackers use deepfake technology and AI to impersonate victims,” Winterford says. “Education on the types of lures that are out there is going to be a critical part of any organization’s defense. Security awareness training needs to keep pace with the threats, and employees should be empowered to report suspicious activity as easily as possible.” 

Okta customers can read more about the attacks in a detailed threat advisory about O-UNC-034. For more information about protecting your environment from phishing attacks and social engineering, read up on how to build a human firewall against sophisticated attacks.

