Social engineering is hardly a new concept, even in the world of cybersecurity. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.
Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won’t question an email that comes from a trusted source — and all too often, they’re right.
But email isn’t the only effective means cybercriminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What’s more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organizations can’t afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.
Targeting Single Sign-on
Businesses use digital applications because they’re helpful and convenient. In the age of remote work, employees need access to critical tools and resources from a wide range of locations and devices. Applications can streamline workflows, increase access to critical information, and make it easier for employees to do their jobs. An individual department within an organization might use dozens of applications, while the average company uses more than 200. Unfortunately, security and IT departments don’t always know about — let alone approve of — these applications, making oversight a problem.
Authentication is another issue. Creating (and remembering) unique username and password combinations can be a challenge for anyone who uses dozens of different apps to do their job. Using a password manager is one solution, but it can be difficult for IT to enforce. Instead, many companies streamline their authentication processes through single sign-on (SSO) solutions, which allow employees to sign into an approved account once for access to all connected applications and services. But because SSO services give users easy access to dozens (or even hundreds) of business applications, they are high-value targets for attackers. SSO providers have security features and capabilities of their own, of course — but human error remains a difficult problem to solve.
Social Engineering, Evolved
Many applications — and certainly most SSO solutions — have multifactor authentication (MFA). This makes it more difficult for attackers to compromise an account, but it’s certainly not impossible. MFA can be annoying to users, who may have to use it to sign into accounts multiple times a day — leading to impatience and, sometimes, carelessness.
Some MFA solutions require the user to input a code or show their fingerprint. Others simply ask, “Is this you?” The latter, while easier for the user, gives attackers room to operate. An attacker who already obtained a set of user credentials might try to log in multiple times, despite knowing that the account is MFA-protected. By spamming the user’s phone with MFA authentication requests, attackers increase the victim’s alert fatigue. Many victims, upon receiving a deluge of requests, assume IT is attempting to access the account or click “approve” simply to stop the flood of notifications. People are easily annoyed, and attackers are using this to their advantage.
In many ways, this makes BAC easier to accomplish than BEC. Adversaries engaging in BAC just need to pester their victims into making a bad decision. And by targeting identity and SSO providers, attackers can gain access to potentially dozens of different applications, including HR and payroll services. Commonly used applications like Workday are often accessed using SSO, allowing attackers to engage in activities such as direct deposit and payroll fraud that can funnel funds directly into their own accounts.
This kind of activity can easily go unnoticed — which is why it’s important to have in-network detection tools in place that can identify suspicious behavior, even from an authorized user account. In addition, businesses should prioritize the use of phish-resistant Fast Identity Online (FIDO) security keys when using MFA. If FIDO-only factors for MFA are unrealistic, the next best thing is to disable email, SMS, voice, and time-based one-time passwords (TOTPs) in favor of push notifications, then configure MFA or identity provider policies to restrict access to managed devices as an added layer of security.
Prioritizing BAC Prevention
Recent research indicates that BEC or BAC tactics are used in 51% of all incidents. While lesser known than BEC, successful BAC grants attackers access to a wide range of business and personal applications associated with the account. Social engineering remains a high-return tool for today’s attackers — one that’s evolved alongside the security technologies designed to stop it.
Modern businesses must educate their employees, teaching them how to recognize the signs of a potential scam and where to report it. With businesses using more applications each year, employees must work hand-in-hand with their security teams to help systems remain protected against increasingly devious attackers.