August 22, 2016 by Canadian Underwriter
Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, according to an intelligence report from global cybersecurity company Kaspersky Lab.
In addition to targetting insiders, these criminals are also recruiting disillusioned employees through underground channels and blackmailing staff using compromising information gathered from open sources, Kaspersky said in a press release on Monday.
Telecommunications providers are a top target for cyberattacks, with research by Kaspersky and B2B International revealing that 28% of all cyberattacks and 38% of targeted attacks now involving malicious activity by insiders. Telecommunications providers operate and manage the world’s networks, voice and data transmissions and store vast amounts of sensitive data, making them a highly attractive target for cybercriminals in search of financial gain, nation-state sponsored actors launching targetted attacks and their competitors.
To achieve their goals, cybercriminals often use insiders as part of their malicious “toolset,” in order to help them breach the perimeter of a telecommunications company and perpetrate their crimes. According to Kaspersky Lab researchers, attackers engage or entrap telecom employees by using “publicly available or previously stolen data sources to find compromising information on employees of the company they want to hack.” Then, they blackmail targeted individuals – forcing them to hand over their corporate credentials, provide information on internal systems or distribute spear-phishing attacks on their behalf.
Criminals also recruit willing insiders through underground message boards or through the services of “underground recruiters,” the release said. These insiders receive pay for their services and may have to identify co-workers for the criminals to proposition or blackmail.
Blackmailing grew in popularity following recent online data breaches, including the Ashley Madison leak, as these provide attackers with material they can use to threaten or embarrass individuals, Kaspersky said in the release. In fact, data-leak related extortion has now become so widespread that the Federal Bureau of Investigation issued a Public Service Announcement on June 1, warning consumers of the risk and its potential impact. “The recipients are told that personal information, such as their name, phone number, address, credit card information and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid,” the PSA said. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions. Recipients are typically given a short deadline, and the ransom usually ranges from about US$250 to US$1,200.
The intelligence report also noted that if an attack on a cellular service provider is planned, criminals will seek out employees who can provide fast track access to subscriber and company data or SIM card duplication/illegal reissuing. If the target is an Internet service provider, the attackers will try to identify the employees who can enable network mapping and “man-in-the-middle” attacks.
However, insider threats can take all forms, Kaspersky said. Company researchers noted two non-typical examples, one of which involved a rogue telecom employee leaking 70 million prison inmate calls, many of which breached client-attorney privilege. In another example, on a popular DarkNet forum, an SMS centre support engineer was advertising their ability to intercept messages containing one-time passwords for the two-step authentication required to login to customer accounts at a popular fintech company.
“The human factor is often the weakest link in corporate IT security,” said Denis Gorchakov, security expert with Kaspersky Lab, in the release. “Technology alone is rarely enough to completely protect the organization in world where attackers don’t hesitate to exploit insider vulnerability. Companies can start by looking at themselves the way an attacker would. If vacancies carrying your company name, or some of your data, start appearing on underground message boards, then somebody, somewhere has you in their sights. And the sooner you know about it the better you can prepare.”