Attack Report: Phishing Your HR Platform in the Cloud
Posted by Dylan Press on November 10, 2017
Avanan’s security analysts recently tracked an increased number of attacks against cloud-based HR systems such as ADP, Workday, Zenefits and Justworks, to compromise HR accounts and redirect funds.
What they want
There are two attack flavors we detected. In both, the goal is to simply replace an employee's direct deposit information with the attacker's own, so the next paycheck drops directly into their bank account.
Unlike a wire transfer, a paycheck deposit does not need secondary approval from an accountant, CFO, or other signatory. Because the banking details live inside the HR app, no alert is raised, and the change is never seen by the HR manager.
Attackers no longer need to get their hands on your bank account in order to steal your money. They just use their own.
The visible phishing attack
The more visible of the two attacks is a targeted phishing email. In the last few weeks we have seen a number of messages in which the attacker is after credentials for SaaS-based HR systems such as Workday, Justworks, Zenefits or ADP. Because nearly every HR system offers a web-based portal, few of them are left out.
We believe the attacks are specifically targeted because there is very little spill-over. Workday customers are getting Workday-specific emails. ADP customers are getting ADP-specific emails. It is likely that the attackers are working from a recent customer list and correlating their email addresses by domain.
Every attack used a tax or payroll deadline to increase the sense of urgency. In some cases the email appeared to come from a government organization, with text cut and pasted from a tax form. In others, the email appeared to come from the HR application itself.
Before and during tax season, employees would not be surprised by requests to log into their payroll accounts to update withholding values, check their mailing address, or confirm their 401(k) contributions. The landing pages spoof the payroll system's real login page, complete with working links; after the first login attempt, the victim is redirected to the real HR system, so the user assumes they mistyped their password while the attacker now holds a working credential.
The invisible credential attack
In some cases, there is no email.
This parallel threat takes advantage of employees' tendency to reuse passwords.
Attackers take user credentials from another breach or a purchased list and test them against HR systems. There are over 1.9 billion usernames and passwords exposed via data breaches and traded on black-market forums.
This attack is harder to detect because it requires much more comprehensive monitoring and analysis of the HR application, which is typically invisible to the IT team.
As always, we recommend enforcing two-factor authentication on all of your applications and informing your users about the risks of using a password more than once. Password managers take the burden out of maintaining hundreds of unique, unguessable credentials.
What can Avanan do?
Many security tools did catch the phishing emails. The invisible credential-reuse attack, however, never passes through email, so we monitor all of a company's SaaS applications to catch it.
Monitoring inbound email is an important first step in defending against most attacks. We devote a tremendous number of resources to this first line of defense. But it is only one layer in a true defense-in-depth security architecture.
By monitoring all of a company's SaaS applications (including HR), we are able to see the login attempts and user events across all business applications and identify account-takeover activity immediately. For example, if a user is currently logged into one SaaS from a device in one geography, but attempts a critical type of account change from a new or different device on another SaaS, this is a sign of account takeover. If different employees appear to be logging in from the same device, it is a sign of a targeted attack. We use machine-learning tools to analyze the patterns of a single employee and of multiple employees within one SaaS and across all of an organization's SaaS accounts. In addition, we anonymize and aggregate events across multiple organizations to spot targeted attacks.
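The two correlations described above, written out as a small detection routine run over a handful of cross-SaaS audit events. This is an added example and not Avanan's code: the event schema (`ts`, `user`, `app`, `event`, `device`, `geo`, `ip`, `ok`), the eight-hour session window, the three-user device threshold and the sample events are all assumptions made for the illustration. The first rule flags a direct-deposit change made from a device or geography that contradicts the user's live session in another app; the second flags one device touching many accounts, which is also what the credential-reuse attack from the previous section looks like from the HR app's side, since most of those guesses fail but all arrive from the same place.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of audit events from several SaaS apps, not real logs.
# Assumed field names: ts, user, app, event, device, geo, ip, ok.
SAMPLE_EVENTS = [
    {"ts": "2017-11-06T09:00:00", "user": "alice@example.com", "app": "office365",
     "event": "login", "device": "dev-alice-laptop", "geo": "US", "ip": "203.0.113.10", "ok": True},
    {"ts": "2017-11-06T09:12:00", "user": "alice@example.com", "app": "workday",
     "event": "direct_deposit_change", "device": "dev-unknown-7", "geo": "NG", "ip": "198.51.100.7", "ok": True},
    {"ts": "2017-11-06T09:20:00", "user": "bob@example.com", "app": "workday",
     "event": "login", "device": "dev-unknown-7", "geo": "NG", "ip": "198.51.100.7", "ok": True},
    {"ts": "2017-11-06T09:21:00", "user": "carol@example.com", "app": "workday",
     "event": "login", "device": "dev-unknown-7", "geo": "NG", "ip": "198.51.100.7", "ok": False},
    {"ts": "2017-11-06T09:22:00", "user": "dave@example.com", "app": "workday",
     "event": "login", "device": "dev-unknown-7", "geo": "NG", "ip": "198.51.100.7", "ok": False},
    {"ts": "2017-11-06T09:50:00", "user": "erin@example.com", "app": "gsuite",
     "event": "login", "device": "dev-erin-laptop", "geo": "US", "ip": "203.0.113.22", "ok": True},
    {"ts": "2017-11-06T10:00:00", "user": "erin@example.com", "app": "workday",
     "event": "direct_deposit_change", "device": "dev-erin-laptop", "geo": "US", "ip": "203.0.113.22", "ok": True},
]

CRITICAL_EVENTS = {"direct_deposit_change", "bank_account_update"}  # assumed event names
SESSION_WINDOW = timedelta(hours=8)   # how long a login counts as "currently logged in" (assumption)
SHARED_DEVICE_THRESHOLD = 3           # distinct users on one device before alerting (assumption)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_takeovers(events, window=SESSION_WINDOW):
    """Flag a critical change when the user's recent successful logins in *other*
    apps all come from a different device or geography than the change itself."""
    alerts = []
    logins = defaultdict(list)  # user -> [(ts, app, device, geo), ...]
    for e in sorted(events, key=_ts):
        now = _ts(e)
        if e["event"] == "login":
            if e["ok"]:
                logins[e["user"]].append((now, e["app"], e["device"], e["geo"]))
            continue
        if e["event"] not in CRITICAL_EVENTS:
            continue
        # Live sessions for this user in any other SaaS app inside the window.
        live = [s for s in logins[e["user"]] if now - s[0] <= window and s[1] != e["app"]]
        if not live:
            continue  # nothing to compare against; a per-user device baseline would be needed here
        if not any(s[2] == e["device"] and s[3] == e["geo"] for s in live):
            alerts.append({
                "user": e["user"], "app": e["app"], "event": e["event"],
                "device": e["device"], "geo": e["geo"],
                "live_sessions": [(s[1], s[2], s[3]) for s in live],
            })
    return alerts


def find_shared_devices(events, threshold=SHARED_DEVICE_THRESHOLD, window=SESSION_WINDOW):
    """Return devices used by at least `threshold` distinct users within `window`.
    Failed logins count too: credential stuffing mostly fails, but it all
    arrives from the same device or IP."""
    by_device = defaultdict(list)  # device -> [(ts, user), ...] in time order
    for e in sorted(events, key=_ts):
        by_device[e["device"]].append((_ts(e), e["user"]))
    flagged = {}
    for device, hits in by_device.items():
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[device] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for a in find_takeovers(SAMPLE_EVENTS):
        print("ACCOUNT TAKEOVER?", a)
    for d, users in find_shared_devices(SAMPLE_EVENTS).items():
        print("SHARED DEVICE", d, users)
```

Run against the constructed events, the first rule fires only for alice (Office 365 session on her laptop in the US, direct-deposit change minutes later from an unknown device in another country) and stays quiet for erin, whose change came from the same device as her G Suite session. The second rule flags `dev-unknown-7`, which touched four accounts in ten minutes. Neither rule needs the HR app's own alerting, which is the point of the paragraph above: the signal only exists when events from several SaaS apps are viewed together.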
Customers purchase our product because of its account-takeover protection in the more high-profile SaaS like Office 365 and G Suite, but this is a case that few consider. Account takeover in an overlooked HR app can have real financial consequences.
We invite you to learn more about our account-takeover protection for all your SaaS.