As if working at Helldesk weren't bad enough, IT helpers now targeted by cybercrims

Wave of Okta attacks mark what researchers are calling the biggest security trend of the year

IT helpdesk workers are increasingly the target of cybercriminals – a trend researchers have described as "the most noteworthy" of the past year.

It's not a novel phenomenon, nor is it being carried out in a very sophisticated way, Red Canary's latest threat report notes, yet the trend is growing and miscreants are seeing greater rates of success.

Keen infosec watchers will remember last year that the ransomware attack at MGM Resorts was, per the attacker's own account of the situation (make of that what you will), orchestrated by phishing an IT helpdesk worker in just the space of 10 minutes.

The same cybercriminals, tracked by the Scattered Spider moniker, used the same tactics with a spate of other Okta customers too, in what became one of the biggest security sagas of 2023.

Red Canary says these types of attacks are usually pulled off by cybercrims phoning an organization's helpdesk while pretending to be an employee. They often request changes to be made to identity and access management controls so they can assume control of a targeted organizational user account – tasks that are routinely carried out by helpdesk staff.

Once the attacker registers their own mobile device to the account, enabling them to completely control the authentication chain and cement their insider access, later stages of the operation can take place. They can identify key targets such as other, more privileged users, steal data from SaaS apps, switch to cryptomining via cloud resources, or embark on destructive attacks.

"The increasing prevalence of these attacks against the help desk behooves IT and security teams to place increased scrutiny on securing and properly permissioning help desk accounts, as adversaries are clearly keen on abusing them to reset the passwords and MFA registrations of high-value accounts," the report reads.

Helpdesk-based phishing works the other way too. Researchers continue to see cases of helpdesk staff being imitated by attackers to phish other employees – a role reversal to the aforementioned trend.

Working under the guise of a perceived sense of legitimacy, trustworthiness, and authority, attackers can request access and multi-factor authentication (MFA) codes from users which can then be used to hijack accounts. From there, later-stage attacks similar to the ones when the roles are reversed can be carried out.

Red Canary suggests that more thoughtful ways of combating these types of attacks need to be deployed within organizations. User and staff education programs are already widespread in many organizations, but it's clear the same problems recur and are becoming increasingly taxing.

The researchers offered a number of ideas to make employee-helpdesk interactions more secure and verifiable:

  • Requiring employees to verify their identity by sending information that couldn't easily be sourced by remote attackers, such as the serial number of their company-issued computer. Included in this is personally identifiable information that again couldn't be sourced online

  • Establishing a specific passphrase for organization staff, a shared secret, to use to verify they are actually the user behind the screen

  • Verify identities via video calls, with helpdesk staff having a visual directory of all staff members to use as a reference

  • Ask questions about employees' working behavior such as what apps they had open at a specific time, or what time they logged in that morning

  • Verify staff members' identity through a third party such as their manager, who may be in the office with them to verify in person that they made the support request

As always when it comes to phishing, the first port of call for any organization should be to implement a robust MFA policy. But, as the rise in helpdesk phishing attacks shows, they can't be relied upon solely and almost always have some way to circumvent them.

"Balancing user-friendly access with secure connectivity is always challenging, and leaning too much towards convenience can pose significant risks," said Red Canary. 

"Almost every MFA factor has some sort of weakness and a bypass technique associated with it. Simply being mindful of these vulnerabilities is important when determining which MFA implementation to choose. While responding to an incident, being aware of these types of bypasses may expand your investigation into areas and log sources that may not initially be part of your breach response playbooks." ®

More about


Send us news

Other stories you might like