Why attackers are impersonating IT security teams

Egress | 18th Oct 2022

An impersonation attack is a phishing attack in which an attacker poses as a legitimate sender to trick recipients into handing over money or sensitive information, which the attacker can then use to exploit people or gain further access to the organization.

It’s common for attackers to impersonate IT security teams because they are a trusted authority within an organization. This means recipients are more likely to trust them and comply with their requests, especially if the requests seem urgent.

How impersonation attacks work

Impersonation attacks can be difficult to detect. To appear more authentic and familiar, attackers may research their victims online to learn more about them, and then include some of this information in their message.

Once they have established familiarity, they may ask the recipient to click a link, share their password, or grant the attacker remote control of their device. Some impersonation attacks are also used to deliver malware to systems.

Signs of an impersonation attack to look out for

Some typical signs of an impersonation attack include:

  • Using email addresses very similar to the real IT security team they are trying to impersonate, such as writing the letter ‘m’ as ‘rn’.
  • Urgent requests from a ‘known’ sender that pressure employees to act quickly.
  • Emphasizing that the email contents should remain confidential and that the recipient shouldn’t share them with their manager or the rest of the team.

Uber’s recent data breach: a successful IT security team impersonation attack

A recent high-profile example of a hacker successfully impersonating an IT security team was Uber’s data breach in September 2022. In this case, the attacker managed to access a contractor’s login credentials.

Because the contractor had multi-factor authentication (MFA) set up on their account, the attacker could not gain immediate access. To get around this, the attacker messaged the contractor on WhatsApp, impersonating an employee from Uber’s IT department. In these messages, the attacker asked the contractor to confirm a remote login to their account.

The contractor believed this was a genuine request and confirmed it, providing the attacker with an entry point onto Uber’s VPN. From there, the attacker could scan the intranet to access admin credentials.

According to a statement by Uber, the attacker did not steal sensitive information. However, given their level of access, the attacker could have wreaked havoc on the organization.

Other types of impersonation attacks

IT security team impersonation is just one type of impersonation attack cybercriminals use to attempt to penetrate an organization’s defenses. There are several other impersonation attacks, each serving a slightly different purpose.

  • CEO impersonation typically involves attackers trying to trick recipients into transferring money into another bank account or revealing sensitive details, such as confidential HR information. This is often done using name spoofing, in which the attacker creates a fake email address under the name of the CEO. It’s also sometimes done using name and email spoofing, in which the attacker uses the real name and email address of the CEO but a different reply-to address, so that responses are sent directly to the attacker.
  • Vendor impersonation involves attackers impersonating companies within an organization’s supply chain. Attackers request that email recipients call or text a number to resolve a problem, then convince them to install remote access software on their devices.
  • Microsoft impersonation is where attackers attempt to steal access to people’s Microsoft accounts. The rise in remote working has led to an increase in this type of impersonation, as accessing a Microsoft account can give attackers access to sensitive documents and other Microsoft programs.
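The indicators listed above (look-alike addresses that write ‘m’ as ‘rn’, urgency, and secrecy) and the mismatched reply-to address used in name and email spoofing can all be screened for mechanically before a message reaches the recipient. The following Python is an added example, not Egress’s code or any product’s detection logic; the trusted domain, the confusable list, the keyword patterns and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # constructed: the organization's genuine mail domain
# Character sequences that look alike in many fonts; 'rn' for 'm' is the one the article cites.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
AUTHORITY_NAMES = ("it security", "security team", "it department", "helpdesk")
URGENCY = re.compile(r"\b(urgent|immediately|right away|within the hour)\b")
SECRECY = re.compile(r"\b(do not|don't) (share|tell|forward|discuss)\b|\bkeep (this )?confidential\b")

def fold_confusables(s: str) -> str:
    """Fold look-alike sequences so 'exarnple.com' compares equal to 'example.com'."""
    s = s.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def impersonation_flags(raw_email: str) -> list:
    """Return the impersonation indicators found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    flags = []
    # Domain that is not the trusted one as written but folds to it: a look-alike address.
    if from_domain != TRUSTED_DOMAIN and fold_confusables(from_domain) == fold_confusables(TRUSTED_DOMAIN):
        flags.append("lookalike-domain")
    # Display name claims the IT/security team while the address is outside the trusted domain.
    if from_domain != TRUSTED_DOMAIN and any(n in from_name.lower() for n in AUTHORITY_NAMES):
        flags.append("display-name-spoof")
    # Reply-To in a different domain than From: replies go somewhere other than the named sender.
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append("reply-to-mismatch")
    # Pressure to act quickly, and pressure to keep the request from managers or colleagues.
    if URGENCY.search(text):
        flags.append("urgency-language")
    if SECRECY.search(text):
        flags.append("secrecy-language")
    return flags

# Constructed sample: look-alike sender domain, mismatched Reply-To, urgency and secrecy cues.
SUSPICIOUS = """From: "IT Security Team" <it-security@exarnple.com>
Reply-To: helpdesk@mail-support.example.net
Subject: URGENT: confirm remote login

Please approve the remote login immediately. Do not share this with your manager.
"""
```

Calling `impersonation_flags(SUSPICIOUS)` returns all five indicators for the constructed message, while routine mail from the genuine `example.com` sender without a foreign Reply-To returns an empty list.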

Preventing impersonation attacks within your organization

Impersonation attacks are particularly difficult to prevent because they capitalize on humans making mistakes. Organizations should use the recent Uber attack as a warning to show just how easy it can be for attackers to bypass MFA.

While security awareness and training (SA&T) is a good way to encourage employees to spot suspicious emails, it is not enough on its own. No matter how much training you provide, humans will always make mistakes. Working in a high-pressure environment or having a heavy workload exacerbates this risk.

The most effective way to reduce the number of successful impersonation attacks within your organization is to augment training and existing defenses with intelligent phishing detection tools. Egress Defend combines machine learning, social graphs, and natural language processing techniques to detect advanced threats that have managed to evade existing defenses.

Learn more about how Egress Defend can help to protect your organization against advanced impersonation attacks.