Social Engineering Methods Continue to Evolve! – Technologist
Cyber security researchers have documented a concerning shift in Black Basta’s tactics. The ransomware gang now uses Microsoft Teams chats and malicious QR codes, alongside its established email-flooding technique, to talk targeted users into handing over remote access to their machines. Here’s an in-depth look at their evolving strategies and how your organisation can defend against these threats.
What’s the Cyber Threat?
Black Basta, known for gaining initial access through sophisticated social engineering before deploying ransomware, has escalated its approach. First, it subscribes the victim’s address to a flood of email so that the user is overwhelmed and looks for help. The attackers then exploit this by posing as legitimate IT help-desk representatives, initially through help-desk tickets and more recently via Microsoft Teams chats.
Recent developments show them using Teams to simulate IT support by creating impersonation accounts in attacker-controlled tenants with names like securityadminhelper.onmicrosoft.com or supportserviceadmin.onmicrosoft.com, and these accounts have appeared credible enough to deceive targeted users.
They have also integrated malicious QR codes into these interactions, steering users toward downloading remote monitoring and management (RMM) tools or granting access through Quick Assist or AnyDesk.
Key Observations
- Teams Chat Impersonation: Attackers have created Teams accounts in Entra ID tenants they control, with display names such as “Help Desk” padded with whitespace characters so the name appears centred in the chat header. Because the contact arrives inside Teams rather than as an email, it carries an extra layer of legitimacy that users find difficult to identify as malicious.
- QR Code Phishing: Black Basta has started sending QR codes disguised as corporate images, redirecting users to domains tailored to the targeted organisation (e.g., companyname.qr-s1[.]com). While the QR code’s objective remains ambiguous, it’s likely part of a broader social engineering strategy to install malware or capture credentials.
- Spam Flood and Follow-Up Vishing: Beyond Teams, they continue to deploy email spam in high volumes, sometimes exceeding 1,000 messages in an hour to a single user. This is followed by a vishing (voice phishing) call, which prompts users to download RMM tools to stop the email flood.
Defensive Recommendations
To counteract these evolving tactics, consider implementing the following safeguards:
- Teams External Communication Controls: Use the Teams external access (federation) settings to limit or turn off chat with users from other tenants. Where external communication is necessary, restrict it to an allow list of trusted domains rather than permitting all external tenants.
- Enhanced Anti-Spam and Phishing Filters: Tune email and bulk-mail filtering so that a sudden flood cannot bury a user’s mailbox, and alert on unusual inbound volume to a single recipient. Aggressive anti-spam settings can blunt high-volume attacks before they reach users, which removes the pretext for the follow-up “support” contact.
- Monitor Teams Display Names: Black Basta’s impersonation accounts often feature “Help Desk” in display names. When hunting, normalise case and whitespace and match on variations (“helpdesk”, “IT Support”, “Service Desk”) rather than exact strings, and correlate hits with the sender’s tenant domain, since a genuine help desk will not chat from an unfamiliar external tenant.
- QR Code Security Protocols: Avoid using QR codes in internal IT and help-desk communications, so that employees can treat any QR code offered in a support interaction as suspect, and educate them on the risks of scanning QR codes from unknown sources.
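The display-name observation above and the monitoring recommendation both come down to the same hunt: find support-looking sender names whose whitespace padding, case or separators defeat an exact match, and raise an alert only when the sender sits outside the organisation’s trusted tenants. The following Python is an added example written for this page, not code from the original article or from any vendor product. The event records are constructed and simplified (a real Teams audit export has many more fields and different names); the trusted-domain list and the impersonation patterns are assumptions to be replaced with your own.

```python
import re
import unicodedata

# Constructed sample of Teams chat-initiation events (simplified schema, not the
# real Unified Audit Log layout): the sender's display name and tenant domain.
SAMPLE_EVENTS = [
    {"id": 1, "display_name": "Help Desk", "sender_domain": "corp.example.com"},
    {"id": 2, "display_name": "    Help Desk    ", "sender_domain": "securityadminhelper.onmicrosoft.com"},
    {"id": 3, "display_name": "IT\u00a0Support", "sender_domain": "supportserviceadmin.onmicrosoft.com"},
    {"id": 4, "display_name": "HELP-DESK", "sender_domain": "partner.example.net"},
    {"id": 5, "display_name": "Jane Doe", "sender_domain": "corp.example.com"},
    {"id": 6, "display_name": "Serv\u200bice Desk", "sender_domain": "unknowntenant.onmicrosoft.com"},
]

# Assumption: the organisation's own tenant plus any federated partners it trusts.
TRUSTED_DOMAINS = {"corp.example.com", "partner.example.net"}

# Assumption: name fragments a fake IT support account is likely to use.
IMPERSONATION_PATTERNS = [
    re.compile(r"help\s*desk"),
    re.compile(r"service\s*desk"),
    re.compile(r"it\s*support"),
    re.compile(r"support\s*(?:team|service)"),
]

# Zero-width characters that survive NFKC and would otherwise split a keyword.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def normalize_display_name(name):
    """Fold a display name into a canonical form suitable for fuzzy matching."""
    # NFKC maps compatibility forms (full-width letters, NBSP) to plain ASCII
    # where one exists; zero-width characters are removed explicitly.
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    # Collapse every run of Unicode whitespace, hyphens, underscores and dots
    # into a single space so "HELP-DESK" and "Help  Desk" compare equal.
    text = re.sub(r"[\s_\-.]+", " ", text)
    return text.strip().casefold()


def classify_event(event):
    """Return the individual signals for one chat event."""
    raw = event["display_name"]
    name = normalize_display_name(raw)
    domain = event["sender_domain"].casefold()
    return {
        "id": event["id"],
        "normalized_name": name,
        "name_matches": any(p.search(name) for p in IMPERSONATION_PATTERNS),
        # Padding is itself a signal: the page notes names centred with whitespace.
        "padded": raw != raw.strip(),
        "external": domain not in TRUSTED_DOMAINS,
        # Default *.onmicrosoft.com domains suggest a throwaway tenant.
        "default_tenant": domain.endswith(".onmicrosoft.com"),
    }


def find_suspicious(events):
    """Alert on support-looking names arriving from an untrusted tenant.

    An internal "Help Desk" account (event 1) and a trusted partner whose
    name happens to match (event 4) are deliberately not alerted on, which
    keeps the rule quiet enough to act on every hit.
    """
    return [c for c in (classify_event(e) for e in events)
            if c["name_matches"] and c["external"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        flags = [k for k in ("padded", "default_tenant") if hit[k]]
        print(f"event {hit['id']}: '{hit['normalized_name']}' from external tenant, {flags}")
```

Running it flags events 2, 3 and 6: the padded “Help Desk”, the “IT Support” whose space is a non-breaking space, and the “Service Desk” split by a zero-width space. Feed it the sender fields from your own Teams audit export and extend TRUSTED_DOMAINS to match the allow list you configure in external access, so the hunt and the control agree on what “external” means.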
Staying Ahead of Black Basta via Cyber Security Training
This campaign’s intensity demonstrates how swiftly Black Basta adapts its tactics. Organisations can significantly reduce risk by staying informed and training employees on the latest attacker techniques. Combining layered cyber security measures, such as intrusion detection systems and regular cyber security assessments, with vigilant, well-trained employees can protect your critical assets from these evolving threats.