“Help Desk, how can I help you?”
Author: Ross Jaffe, STeve ForetWhy the Help Desk is a Prime Target for Social Engineering Attacks
Overview
The Help Desk is a critical point of contact for many organizations, serving as the first line of defense against technical issues that employees, customers, and business partners face. To be effective, Help Desk personnel frequently hold the keys to the kingdom with access to user account management (including credentials), system configurations, and other sensitive data. Thus, the Help Desk is uniquely positioned within the organization.
It is exactly this combination of heightened access and responsibility to help end users get back to work that makes the Help Desk a prime target for bad actors, especially those engaging in social engineering attacks. Social engineering exploits human psychology, internal process checks, and internal communications rather than technical vulnerabilities, making it a particularly insidious threat that preys on the imperative of Help Desk personnel to help their users.
In this blog post, we explore:
Why is the Help Desk So Vulnerable to Social Engineering Attacks?
Types of Social Engineering Attacks Used on Help Desks
A Section on AI, Of Course
Beyond the Call: Other Ways to Exploit the Help Desk
Outcomes of Exploiting the Help Desk
How to Increase Security Against Social Engineering Attacks on the Help Desk
Why is the Help Desk So Vulnerable to Social Engineering Attacks?
We all know that the human element remains the weakest link in security. According to the Verizon 2024 DBIR, “the human element was a component of 68% of breaches.” While this statistic is not exclusive to the Help Desk, this part of the technology environment relies most on that human element. Moreover, the Help Desk can be leveraged indirectly by bad actors as well (more on that below).
So, what makes the Help Desk so vulnerable to social engineering?
High Volume of Requests: The sheer volume of requests and the pressure to resolve issues quickly can lead to lapses in verification procedures and judgment. Few do their best work while being pulled in multiple directions and bombarded with tasks.
Trust Factor: Help Desk personnel are trained to be helpful and accommodating, making them susceptible to manipulation by attackers posing as legitimate users. Moreover, few people want to upset an executive—or someone pretending to be an executive.
Lack of Specialized Training: While technical training is common, specific training on social engineering threats is often lacking.
Isolation from Security: The Help Desk service function emphasizes minimizing Time to Resolution and maximizing customer satisfaction. As a result, it often isn’t intertwined with cybersecurity monitoring and escalation conditions. This gives the bad actor extra comfort that their activity will be missed.
Some or all of these factors may be at play in any given organization but any one of them, combined with some form of elevated access, can make the Help Desk a prime target. A great example is the good, ol’ password reset. Password resets are common requests to the Help Desk, making technicians less suspicious of such a request. Resets are also simple and quick to complete. But that reset can give a bad actor access to the internal network!
MGM Ransomware: In 2023, attackers exploited the Help Desk by using vishing to gain access to credentials for an account with advanced privileges. From there, the attackers deployed ransomware that shut down MGM’s systems for days. The house didn’t win on that one.
Types of Social Engineering Attacks Used on Help Desks
Social engineering attacks come in various forms, each exploiting different aspects of human psychology and organizational weaknesses. Here are some of the more popular tactics:
Phishing (or Vishing): Attackers use email, phone calls, or messaging to impersonate a trusted individual or organization, tricking Help Desk staff into divulging sensitive information.
Pretexting: The attacker creates a fabricated scenario to obtain information or perform an action. For example, pretending to be a high-ranking executive needing urgent access to a system. Combine this method with phishing and you get “spear fishing” and “whaling.”
Quid Pro Quo: Offering something of value in exchange for information or access. Extortion and bribery are not uncommon either, such as bad actors offering to buy credentials outright.
Ultimately though, social engineering comes down to creativity and persistence. Bad actors understand that people are more vulnerable to manipulation than technical controls; bad actors can also reuse the same approach on multiple Help Desk technicians, the end users, or across organizations.
The Twitter Bitcoin Scam: In 2020, attackers used social engineering to gain access to Twitter's internal tools via the Help Desk. They then took over high-profile accounts, posting messages requesting Bitcoin transfers.
A Section on AI, Of Course
We’ve all heard about the introduction of new dimensions to social engineering attacks thanks to AI. One particularly concerning development is voice cloning technology, which can mimic a person’s voice with high accuracy. Some implications:
Realistic Impersonation: Attackers can convincingly impersonate executives, colleagues, or even family members with deepfakes making it difficult for Help Desk personnel to discern the fraud.
Automated Attacks: AI can be used to generate and deploy large-scale attacks, increasing the likelihood of success. Gone are the days of bad actors targeting one organization at a time.
Psychological Manipulation: The authenticity of voice cloning can create a sense of urgency or authority, compelling Help Desk personnel to bypass standard security protocols.
For a deeper dive on voice cloning, check out Stephen Bondurich’s article.
Beyond the Call: Other Ways to Exploit the Help Desk
Whether bad actors leverage perceived authority by imitating executives, learn enough about a real employee to impersonate convincingly, or simply resort to bribery or extortion, how they get Help Desk personnel to do X, Y, or Z is easy to envision. However, there are plenty of other elements of the Help Desk—both technical and human—that bad actors can leverage to execute their attacks.
What are those other elements?
Human Element: As discussed, bad actors exploit the natural helpfulness and trust of Help Desk personnel to obtain sensitive information or gain unauthorized access. But this works both ways. Users often trust Help Desk personnel implicitly. Bad actors can impersonate Help Desk personnel to trick users into revealing their credentials or installing malware. Check out Dave Catling’s story where he even calls the user he’s impersonating!
Credentials and Privileges: Bad actors can steal or misuse Help Desk credentials to access administrative tools and elevated privileges that allow them to manage user accounts, reset passwords, and access sensitive systems.
Communication Channels: Help Desk personnel use multiple communication channels, such as phone, email, and chat, which can be exploited for phishing attacks or other social engineering tactics. The confusion alone that can result puts personnel at a disadvantage and makes it more difficult to spot threats and anomalies.
Ticketing Systems & Knowledge Bases: Help Desk ticketing systems contain valuable information about user issues, system vulnerabilities, and internal processes. Internal documentation and knowledge bases maintained by the Help Desk may contain sensitive information about the organization's systems, configurations, and security protocols. Bad actors can gain insights from these tickets or manipulate them for malicious purposes or use KBAs to plan and execute attacks.
Remote Access Tools: Help Desks often use remote access tools to troubleshoot and resolve user issues. By impersonating Help Desk personnel, bad actors can get employees to hand over control of their endpoints. On the technical side, bad actors can exploit vulnerabilities in these tools to gain control over user devices or the network.
By understanding and exploiting these elements, bad actors can leverage or infiltrate Help Desk operations as a gateway to compromise the broader organization's security.
RSA Security Breach: In 2011, attackers sent phishing emails to RSA employees, eventually gaining access to the Help Desk. This led to the theft of sensitive information related to RSA’s SecurID two-factor authentication products.
Outcomes of Exploiting the Help Desk
We’ve talked a lot about what bad actors can get Help Desk personnel, employees, or others to do for them and how. But what can they actually gain from this approach?
Credential Theft: Bad actors can steal administrative credentials to gain unauthorized access to systems and data or reset credentials for any given user.
Access to Sensitive Information: Help Desks typically handle a wide range of requests that may include sensitive user information, such as personal details, financial information, and internal communications. More broadly, bad actors can gather intelligence about the organization's internal processes, weaknesses, and the overall security posture.
Network and System Access: By compromising the Help Desk, bad actors can potentially gain a foothold in the organization's network, allowing them to move laterally and access other systems and data.
Data Exfiltration: Bad actors can use the Help Desk as a conduit to exfiltrate data from the organization, either directly or by compromising other systems that store valuable information.
Service Disruption: Bad actors can disrupt the normal operations of the Help Desk, leading to downtime and affecting the organization's ability to support its users.
Installing Malware: Help Desk systems can be used to distribute malware to other parts of the organization, either by direct installation or by leveraging their access to user devices.
How to Increase Security Against Social Engineering Attacks on the Help Desk
Given the severe implications of social engineering attacks, it is crucial to implement robust security measures. In another post, we discuss best practices for building a secure help desk. For now, here are some basic strategies:
Training and Awareness: Regular training sessions on social engineering tactics and how to recognize them can significantly reduce vulnerability. Role-playing scenarios can be particularly effective.
Multi-Factor Authentication (MFA): Enforce or expand MFA for all remote and cloud access and set up MFA for critical systems and admin access. Limiting Help Desk access to sensitive systems and accounts can add an extra layer of security.
Strict Verification Procedures: Establish and enforce strict protocols for verifying the identity of anyone requesting sensitive information or system access. This can include onboarding custom information, callback procedures, or additional verification questions.
Monitor and Audit: Regularly monitor and audit Help Desk activities to detect and respond to suspicious behavior promptly.
Use of AI for Defense: Just as AI can be used for attacks, it can also be leveraged for defense. AI-driven tools can help identify unusual patterns and flag potential social engineering attempts.
Clear Communication Channels: Ensure that there are clear and secure communication channels for reporting suspicious activities and creating red flags for specific events. Encourage a culture where security concerns are taken seriously and acted upon swiftly.
Consider the End User: Help Desks support customers, employees, and business partners. Each of these user groups have different issues and levels of access. Additionally, there are important distinctions within this groups, such as high-risk and low-volume users like executives, cybersecurity personnel, and legal personnel. The below table is not exhaustive but does highlight some of the key distinctions. Understanding these differences helps tailor support strategies, security measures, and operational processes to meet the unique needs and challenges of each Help Desk type.
| Customer Help Desk | Employee Help Desk | Partner Help Desk | |
|---|---|---|---|
| Audience | Serves external customers or clients who use the organization's products or services. | Serves internal employees of the organization. | Serves business partners, vendors, and third-party collaborators. |
| Types of Issues | Product support, troubleshooting, and technical assistance. Billing inquiries, order status, and account management. Customer feedback and complaints. | IT support for hardware, software, network access, and account issues. Assistance with internal tools, applications, and system access. Onboarding and offboarding support for employees. | Integration support for connecting partner systems with the organization's systems. Access management and troubleshooting for partner-specific tools and portals. Contract and service-level agreement (SLA) management support. |
| Level of Access | Limited access to internal systems. Focus on providing support through knowledge bases, FAQs, and guided troubleshooting. | Higher level of access to internal systems and network. Ability to reset passwords, manage accounts, and configure systems. | Controlled and limited access to specific internal systems necessary for collaboration. Management of secure connections and data exchanges. |
| Interactions | Primarily external communication through phone, email, chat, and support portals. May involve handling sensitive customer data but with stringent privacy protections. | Internal communication through intranet, internal chat systems, phone, and email. Close collaboration with other IT and security teams. | Communication through dedicated partner portals, email, and phone. Regular coordination with partner management teams. |
| Security Concerns | Protection of customer data and adherence to privacy regulations. Ensuring secure communication channels. | Protection of internal systems and data. Ensuring compliance with internal security policies and procedures. Preventing unauthorized access and insider threats. | Ensuring secure data exchanges and compliance with partner agreements. Managing access controls to protect internal data and systems. Monitoring and auditing partner interactions for security compliance. |
Conclusion
The Help Desk plays a vital role in the operation of any organization but also represents a significant vulnerability when it comes to social engineering attacks. By understanding the various types of social engineering tactics, the impact of new technologies like AI, and implementing robust security measures, organizations can significantly reduce the risk of falling victim to these insidious attacks. Continuous vigilance and a proactive approach to security are essential in safeguarding the Help Desk and, by extension, the entire organization.