Increased Social Engineering attacks targeting the IT Helpdesk

The latest sector alert from the U.S. Department of Health and Human Services (HHS), issued in coordination with its Health Sector Cybersecurity Coordination Center (HC3), advises organizations to run user awareness training and to adopt policies and procedures that tighten identity verification for help desk requests. Threat actors continue to evolve their tactics, techniques, and procedures (TTPs), but the goal remains the same: initial access to the target organization.

Tactics, Techniques, and Procedures used by threat actors

According to the HC3 alert of April 3rd, social engineering is being used across the Healthcare and Public Health (HPH) sector to gain unauthorized access to systems. Threat actors call an organization's IT help desk from a number with an area code local to the target, claiming to be an employee in a financial role (specifically revenue cycle or administrator roles).

The caller was able to supply the information the help desk required for identity verification, including the last four digits of the target employee's Social Security number (SSN) and corporate ID number, along with other demographic details. These details were likely obtained from professional networking sites and other publicly available sources, including data exposed in previous breaches.

The threat actor claimed that their phone was broken and that they therefore could not log in or receive MFA tokens, and then convinced the IT help desk to enroll a new device in multi-factor authentication (MFA), gaining access to corporate resources.

After gaining access, the threat actor specifically targeted login information for payer websites, where they submitted forms to change ACH details on payer accounts. With access to employee email accounts, they also sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.

The funds were then transferred to overseas accounts. During the campaign, the threat actor also registered a domain that differed from the target organization's by a single letter and created an account impersonating the target organization's Chief Financial Officer (CFO).
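The single-letter domain and the CFO impersonation described above are both cheap to check for on inbound mail. The detector below is an added example, not code from the HC3 alert or this post: it flags a sender domain that is one edit (added, dropped, swapped or transposed character) away from the corporate domain, and a display name that matches a named executive while the address is not that executive's. The corporate domain, the executive mapping and the From: headers are constructed for the demo.

```python
"""Flag inbound mail from a one-edit lookalike of the corporate domain, or from
a sender whose display name matches a named executive but whose address is not
that executive's.

Added illustration, not code from the HC3 alert or this post. The corporate
domain, the executive list and the From: headers below are constructed."""
from email.utils import parseaddr
from typing import Dict, List

CORP_DOMAIN = "example-health.org"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}  # assumed CFO of record


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transpositions, so 'haelth' is one edit from 'health', not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def is_lookalike(domain: str, legit: str = CORP_DOMAIN) -> bool:
    """True for a domain one letter added, dropped, swapped or transposed away
    from the legitimate one; the legitimate domain itself is not a lookalike."""
    domain, legit = domain.lower(), legit.lower()
    return domain != legit and osa_distance(domain, legit) == 1


def classify(from_header: str) -> List[str]:
    """Findings for one From: header value, in a fixed order."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if is_lookalike(domain):
        findings.append("lookalike_domain")
    # A display name that matches an executive while the address does not:
    # the classic "CFO" mail sent from a look-alike or free-mail account.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")
    return findings


def scan(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header that produced findings to its findings."""
    results = {h: classify(h) for h in headers}
    return {h: f for h, f in results.items() if f}


SAMPLE_FROM_HEADERS = [  # constructed for this demo
    "Jane Doe <jane.doe@example-health.org>",   # genuine CFO mail: clean
    "Jane Doe <jane.doe@exampl-health.org>",    # dropped letter + CFO name
    "Jane Doe <cfo.janedoe@webmail.example>",   # CFO name on an outside account
    "AP Team <ap@example-haelth.org>",          # transposed letters
    "Billing <ar@payer-portal.example>",        # unrelated third party: clean
]

if __name__ == "__main__":
    for header, findings in scan(SAMPLE_FROM_HEADERS).items():
        print(f"{header!r}: {', '.join(findings)}")
```

The edit-distance check only catches variants of the registered domain itself; homoglyph (Unicode) look-alikes, different TLDs and subdomain tricks need separate rules, and the executive list has to be kept in step with HR data or it silently stops matching.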

Rise in Spearphishing Voice

What is Spearphishing?

Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary.

Spearphishing voice is a variant of spearphishing that differs from the other forms in its delivery channel: the adversary manipulates a user into granting access to systems over a phone call or another form of voice communication. Spearphishing frequently relies on social engineering techniques, such as posing as a trusted source (impersonation) and/or creating a sense of urgency or alarm in the recipient.

Scattered Spider is a cybercriminal group, active since at least 2022, that has targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns, Scattered Spider has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.

The techniques attributed to the group (listed here by their MITRE ATT&CK names) include:

  • Account Discovery: Cloud Account
  • Account Discovery: Email Account
  • Account Manipulation: Additional Cloud Roles
  • Account Manipulation: Device Registration
  • Account Manipulation: Additional Cloud Credentials
  • Data from Cloud Storage
  • Data from Information Repositories: Sharepoint
  • Exploit Public-Facing Application
  • External Remote Services
  • Gather Victim Identity Information: Credentials
  • Impersonation
  • Ingress Tool Transfer
  • Modify Cloud Compute Infrastructure: Create Cloud Instance
  • Multi-Factor Authentication Request Generation
  • Network Service Discovery
  • Obtain Capabilities: Tool
  • OS Credential Dumping: DCSync
  • Permission Groups Discovery: Cloud Groups
  • Phishing: Spearphishing Voice
  • Phishing for Information: Spearphishing Voice
  • Phishing for Information: Spearphishing Service
  • Protocol Tunneling
  • Proxy
  • Remote Access Software
  • Remote Services: Cloud Services
  • Valid Accounts: Cloud Accounts
  • Web Service
  • Windows Management Instrumentation

How can organizations protect against Spearphishing Voice?

Healthcare organizations and service providers need to implement detection methods, policies, and procedures to validate users who request a password reset or mobile device enrollment.

Help desk agents need to exercise the utmost judgment, because the adversary will use manipulation techniques to bypass the call-back authentication or verification process in place.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

  • Enable logging of events, messages, and other artifacts provided by third-party services (for example metrics, errors, and alerts).
  • Monitor the events and alerts 24x7x365 through a Security Operations Center (SOC).
  • Use security tooling that maps events from NDR, EDR, and SIEM sources to the MITRE ATT&CK framework, so that the adversary's next moves can be anticipated quickly.
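The correlation the points above call for, as an added example that is not part of the alert or this post: help desk tickets and identity-provider events are normalised into one constructed schema (the field names and sample records are assumptions, not any vendor's log format), and an MFA device registration is flagged when the enrolling address, or a sign-in within the following 24 hours, comes from an IP the user has never used. Severity is raised when the ticket behind the enrollment relied only on knowledge-based answers, or when there is no ticket at all.

```python
"""Correlate help desk MFA re-enrollments with the sign-ins that follow them.

Added illustration, not code from the HC3 alert or this post. The records
below are constructed and normalised into one simplified schema; the field
names are assumptions, not any vendor's log format. The correlation logic is
what carries over to a SIEM."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed events from an identity provider ("idp") and a ticketing system
# ("helpdesk"). IPs are from the RFC 5737 documentation ranges.
EVENTS = [
    {"ts": "2024-04-01T08:02:00", "source": "idp", "type": "sign_in", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2024-04-01T08:10:00", "source": "idp", "type": "sign_in", "user": "bob", "ip": "198.51.100.7"},
    {"ts": "2024-04-01T08:15:00", "source": "idp", "type": "sign_in", "user": "carol", "ip": "198.51.100.20"},
    {"ts": "2024-04-02T09:00:00", "source": "idp", "type": "sign_in", "user": "alice", "ip": "198.51.100.9"},
    # alice: caller verified only with knowledge-based answers; new device and new IP follow
    {"ts": "2024-04-03T13:55:00", "source": "helpdesk", "type": "mfa_reset", "user": "alice", "verification": "knowledge"},
    {"ts": "2024-04-03T14:02:00", "source": "idp", "type": "mfa_device_registered", "user": "alice", "ip": "203.0.113.10"},
    {"ts": "2024-04-03T14:06:00", "source": "idp", "type": "sign_in", "user": "alice", "ip": "203.0.113.10"},
    # bob: verified by call-back to the number on record; enrolls and signs in from a known IP
    {"ts": "2024-04-03T15:30:00", "source": "helpdesk", "type": "mfa_reset", "user": "bob", "verification": "callback"},
    {"ts": "2024-04-03T15:41:00", "source": "idp", "type": "mfa_device_registered", "user": "bob", "ip": "198.51.100.7"},
    {"ts": "2024-04-03T15:45:00", "source": "idp", "type": "sign_in", "user": "bob", "ip": "198.51.100.7"},
    # carol: a new device appears with no help desk ticket at all, from a new IP
    {"ts": "2024-04-03T16:00:00", "source": "idp", "type": "mfa_device_registered", "user": "carol", "ip": "203.0.113.55"},
    {"ts": "2024-04-03T16:05:00", "source": "idp", "type": "sign_in", "user": "carol", "ip": "203.0.113.55"},
]


def _t(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def correlate(events: List[Dict],
              ticket_window: timedelta = timedelta(hours=2),
              signin_window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """One alert per MFA device registration whose enrolling address, or a
    sign-in within signin_window, comes from an IP the user never used before."""
    events = sorted(events, key=_t)
    alerts = []
    for i, reg in enumerate(events):
        if reg["type"] != "mfa_device_registered":
            continue
        user, t_reg = reg["user"], _t(reg)
        # Baseline: every address this user signed in from before the enrollment.
        known_ips = {e["ip"] for e in events[:i]
                     if e["type"] == "sign_in" and e["user"] == user}
        # The most recent help desk ticket that could have authorised it.
        ticket = next((e for e in reversed(events[:i])
                       if e["type"] == "mfa_reset" and e["user"] == user
                       and t_reg - _t(e) <= ticket_window), None)
        # Addresses never seen for this user: the enrolling IP and later sign-ins.
        novel_ips = {e["ip"] for e in events[i + 1:]
                     if e["type"] == "sign_in" and e["user"] == user
                     and _t(e) - t_reg <= signin_window}
        novel_ips.add(reg["ip"])
        novel_ips -= known_ips
        if not novel_ips:
            continue
        # Knowledge-based answers (SSN last four, employee ID) are exactly what
        # the caller in the alert came prepared with, so they earn no credit.
        weak = ticket is None or ticket.get("verification") == "knowledge"
        alerts.append({
            "user": user,
            "enrolled_at": reg["ts"],
            "ticket_verification": ticket["verification"] if ticket else "no ticket",
            "new_ips": sorted(novel_ips),
            "severity": "high" if weak else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In production the baseline comes from weeks of sign-in history and the comparison is by ASN or named location rather than exact address, but the shape of the rule is the same: enrollment, plus the ticket that authorised it, plus first-seen location. An enrollment with no ticket behind it is worth a page of its own, since it is the Device Registration technique in the list above.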

Users can be trained to identify and report social engineering techniques and spearphishing attempts, and to be suspicious of callers and verify their identity.

  • Train users to recognize access or manipulation attempts by an adversary, to reduce the risk of successful spearphishing, social engineering, and other techniques that depend on user interaction.
  • Periodic security awareness training and tabletop exercises help users understand the impact of these attacks and the mitigation procedures.
  • Review processes and establish escalation procedures that confirm incoming requests through an independent channel, such as a call back to a number on record or an in-person check, to reduce risk.
Navin Balakrishnaraja
CEO
Fortuna Cysec
Published on January 8, 2024