Customer service centers, commonly known as call centers and IT support teams, often referred to as help desks, are becoming an increasingly popular target for threat actors to infiltrate organizations through social engineering. These employee groups typically possess elevated privileges to access information systems and personally identifiable information (PII) and are considered high-value targets by threat actors.
The recent attack on MGM Resorts International, which impacted company systems and operations across all 31 of their resorts, is one of the most recent examples of attackers exploiting human vulnerabilities to gain initial access to infrastructure. In this attack, the threat actors leveraged information they had found on employees. More recently, Okta, a provider of identity and authentication services, issued a warning to its customers about an ongoing and sophisticated social engineering attack targeting IT service desk employees and eventually reported that hackers stole data for ALL customer support users.
These communication hubs are critical in handling sensitive information, making them attractive targets for cybercriminals. Understanding the methods of these attackers and their motives and implementing robust cybersecurity measures is essential for organizations to protect their data and maintain their reputation.
Most recurring tactics, techniques, and procedures used by threat actors in these scenarios
Social engineering attacks that target or impersonate call center staff often rely on a blend of psychological manipulation and technical expertise.
1. Information Gathering
Threat actors usually conduct extensive research and open-source intelligence (OINST) reconnaissance on the open, deep, and dark web to gather information about the organization, its employees, and its processes. This information is used to make their approach more convincing. Call center employees who overshare information on social media and misconfigure privacy settings make the deep web not so deep. Low social media operational security leaves the door open to easy information gathering and social engineering.
2. Pretexting
This involves the creation of a fabricated scenario or pretext to engage call center staff based on the information they have gathered about an organization and its employees. The attacker might pretend to be a customer, a vendor, or an internal employee. The goal is to establish legitimacy and gain the trust of the call center staff.
3. Phishing and Vishing
Phishing, typically via email, and vishing, via phone calls, are common. In these attacks, the threat actor might impersonate legitimate entities to trick call center staff into revealing sensitive information, like customer data or login credentials. This is typically accomplished by tricking staff into clicking on a seemingly legitimate URL for a service they regularly use, asking them to log in so they can steal their login credentials.
4. Caller ID Spoofing
Attackers often use technology to spoof caller ID, making it appear as if their call is coming from a legitimate source, like a known customer or an internal phone number. This helps in bypassing initial skepticism from the call center staff.
5. Psychological Manipulation
Techniques like urgency, fear, authority, and social proof are used to manipulate call center staff. For example, an attacker might create a sense of urgency to bypass normal verification procedures.
6. Exploiting Call Center Scripts
Attackers might exploit the predictable nature of call center scripts to navigate the conversation in a way that aids their malicious intent.
7. Reverse Social Engineering
In some cases, attackers position themselves as a source of help or authority, leading call center staff to reach out to them, thus unwittingly initiating contact with the attacker.
8. Baiting
This can involve offering something enticing to the call center or IT Help Desk staff, like a seemingly innocent link or document, which, when accessed, can lead to a security breach. Baiting in the physical security world can involve pen drives left at a parking lot or anywhere a call center employee may find them and, if accessed, compromise the device and the network.
9. Credential Stuffing
Like most employees in any department, call center employees may reuse work and personal passwords across different applications. This creates a risk in the organization: threat actors use breached credentials obtained in the dark web to conduct credential stuffing attacks to gain initial access via valid credentials.
10. Deepfakes and Voice Synthesis
Advanced attackers might use AI-generated voice imitation or deepfakes to impersonate specific individuals, making the deception more convincing.
Motives Behind Attacks on Contact Centers and Technical Support
The primary motive is usually financial gain, but motives can also include espionage, sabotage, or disruption. By targeting these centers, attackers aim to:
- Steal customer or business information
- Gain unauthorized access to systems
- Divert financial transactions
- Damage the organization’s reputation
Cybersecurity Measures for Contact and Support Centers
1. Training and Awareness
Regular training sessions help staff recognize signs of social engineering attacks, which is crucial for those in customer care and support roles.
2. Robust Verification Processes
Stringent verification for requests, especially in customer service and technical support roles, is essential for preventing unauthorized actions.
3. Limiting Information Disclosure
Educating staff about the dangers of over-sharing information is vital in every customer interaction and support center.
4. Open, Deep, and Dark Web Monitoring
Staying vigilant to detect indicators of attack and compromise is key to enabling preventive remediations.
5. Data Broker Takedowns
Continuously taking down exposed PII of employees and executives more likely to be targeted or impersonated minimizes the human attack surface and ensures the organization’s digital footprint is an asset, not a liability.
6. Breached Credential Reuse Protection
Personalizing automated protection against the reuse of breached passwords within the organization proactively neutralizes credential stuffing attacks.
7. Regular Policy Reviews
Policies should be regularly reviewed to address new threats, an essential practice for any customer support center.
8. Security Culture
Creating a culture where security is everyone’s responsibility is key, especially in environments like IT support and troubleshooting teams.
9. Advanced Security Technologies for Call Centers
Investing in technologies like AI-driven threat detection and secure voice biometrics can provide an additional layer of protection in customer interaction centers.
10. Simulated Attacks for Readiness Assessment
Conducting simulated social engineering attacks helps assess the readiness of staff in customer service and IT support settings.
Conclusion
The threat of social engineering against customer service centers and IT support teams requires continuous vigilance and a proactive stance. Organizations can significantly reduce risk and protect critical assets by understanding these threats and implementing comprehensive preventive measures. The recent attacks against MGM Resorts International and Okta are an indication of how severe the impact of social engineering attacks against help desks can be. It is important to acknowledge that the vast majority of cyber attacks begin with OSINT reconnaissance and social engineering. Understanding how threat actors operate pre-attack is key to a human-centric security strategy.
About Picnic
Picnic’s Digital Risk Protection Services protect those call center executives, employees, and contractors that threat actors will consider high-value targets of social engineering attacks. Picnic uses its proprietary technology to identify and analyze human risk and deliver prioritized remediations proactively and continuously without any effort on the part of the customer. Learn why and how we do it in this video presentation below.
Become a Subscriber to receive timely articles on human-centric security issues: