A new threat group is targeting business process outsourcers (BPOs) and large enterprises for extortion using live chat channels, Google has warned.
Google Threat Intelligence Group (GTIG) principal threat analyst, Austin Larsen, said UNC6783 is a financially motivated threat cluster that may be tied to the “Raccoon” persona.
The group has targeted several dozen “high-value corporate entities” across multiple sectors – focusing mainly on their BPOs, but sometimes also hitting their in-house helpdesk and support teams directly.
The end goal is to steal sensitive data for extortion, Larsen explained.
“The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages. These domains frequently masquerade as the targeted organization using a domain pattern such as [.]zendesk-support<##>[.]com,” Larsen noted.
“Their phishing kit is used to bypass standard multi-factor authentication (MFA) verification by stealing clipboard contents, which then allows the attackers to enroll their own devices for persistent access.”
Alternatively, the GTIG team has also observed UNC6783 using fake security software updates to trick users into downloading remote access malware. It sometimes uses Proton Mail accounts to deliver ransom notes following data exfiltration, Larsen continued.
The tactics are not dissimilar to those of notorious extortion-focused collective Scattered Lapsus$ Hunters.
Last year, reports emerged of a campaign using Zendesk phishing domains to harvest employee credentials. The hackers also submitted fraudulent tickets to helpdesk staff to infect them with remote access trojans (RATs) and other types of malware.
Advice for BPOs and Helpdesk Staff
GTIG’s Larsen urged organizations to:
- Implement phishing-resistant MFA such as FIDO2 hardware security keys (e.g. Titan Security Keys) for all users, especially those in high-risk roles like support and helpdesk
- Monitor live chat for suspicious interactions such as those directing users to external links
- Educate employees on this specific campaign
- Proactively block any unauthorized domains with the [.]zendesk-support[.]com pattern
- Monitor for unauthorized binary execution, especially installers or "updates" downloaded during support sessions
- Regularly audit newly enrolled MFA devices across the organization for unauthorized additions
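As an added illustration of the second and fourth recommendations (not code from Google or GTIG), the following Python snippet scans chat transcript or proxy log lines for links to hosts matching the reported `zendesk-support<##>.com` spoofing pattern. The sample chat lines and the `TRUSTED_DOMAINS` allow-list are constructed for the example and should be replaced with an organization's own data.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Spoofed-domain pattern reported for this campaign: zendesk-support<##>.com,
# where <##> stands for a varying numeric suffix (digits optional here so the
# plain zendesk-support.com form is caught too). Subdomains are allowed.
SPOOF_DOMAIN_RE = re.compile(r"^(?:[\w-]+\.)*zendesk-support\d*\.com$", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Hypothetical allow-list of legitimate support/identity domains (assumption).
TRUSTED_DOMAINS = {"zendesk.com", "example-corp.okta.com"}


def is_trusted(host: str) -> bool:
    """True if host is an allow-listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_hosts(text: str) -> List[str]:
    """Return every host in `text` that matches the spoofed-domain pattern."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").rstrip(".")
        if host and not is_trusted(host) and SPOOF_DOMAIN_RE.match(host):
            found.append(host)
    return found


def scan_chat_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Flag lines that push a link to a spoofed support/Okta-style page."""
    return [(line, hosts) for line in lines if (hosts := suspicious_hosts(line))]


# Constructed sample chat transcript (not real data).
SAMPLE_CHAT = [
    "[10:02] agent: Thanks for contacting support, how can I help?",
    "[10:03] visitor: Your Okta session expired, re-verify at https://acme.zendesk-support12.com/okta/login",
    "[10:04] agent: Sure, opening https://acme.zendesk.com/agent/tickets/4412 now",
    "[10:05] visitor: also paste the code here https://zendesk-support7.com/verify?s=1",
]

if __name__ == "__main__":
    for line, hosts in scan_chat_log(SAMPLE_CHAT):
        print(f"ALERT spoofed support domain {hosts}: {line}")
```

The same `suspicious_hosts` check can be applied to outbound proxy or DNS logs to enforce the domain block in the list above rather than relying on chat review alone.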
