Kaspersky: Trusted Relationship Attacks Increasing

New Kaspersky research details growing threats from trusted relationship attacks and message board scams.

In trusted relationship attacks, threat actors are targeting organizations through contractors and external IT service providers, according to Kaspersky’s research. In 2023, these cyberattacks ranked among the top three most frequently used attack vectors.

Attackers first gain access to the service provider's network; then, if they manage to obtain active credentials for connecting to the target organization's network, they infiltrate the target infrastructure. In most cases, contractors are SMBs that are less protected than large enterprises. This is also why IT service providers attract the attention of attackers.

The trusted relationship vector is attractive for attackers because it allows them to carry out large-scale attacks with significantly less effort than other vectors, according to Kaspersky.

Victims of Trusted Relationship Attacks

Alina Sukhanova, senior incident response specialist at Kaspersky, said various organizations, despite their size and industry, face such an attack vector, but most of the incidents occurred in the government, industrial and financial industries.

Kaspersky's Alina Sukhanova

“A distinctive feature of trusted relationship attacks is the way attackers get initial access to victim organizations, by compromising a service provider with already established, legitimate access to victim organizations' infrastructures,” she said. “There are no impact differences between trusted relationships and other types of attacks. Most attacks nowadays tend to be ransomware with data encryption and/or data leakage, while other types – espionage, money theft, etc. – are the minority."

Related:Kaspersky Unveils United Partner Program Updates

The results of Kaspersky’s incident investigations indicate that in the overwhelming majority of cases, antivirus solutions detected malicious activity, but the antivirus verdicts were not paid due attention.

“Therefore, if you have an in-house incident response team, keep them alert through training and cyber exercises,” Kaspersky said. “If you don’t have one, subscribe to incident response services from a provider who can guarantee the necessary service level via appropriate SLA.”

Message Board Scams

Separately, in a post on message board scams, Kaspersky researchers describe how scammers target buyers and sellers on online message boards.

Kaspersky describes two main fraudulent schemes it observes. The first one is when a scammer impersonates the seller and offers to ship an item to the buyer. In the other, the scammer poses as the buyer and deceives the seller by claiming to have already paid for the item.

Scammers have several criteria for selecting potential victims. Primarily, they are drawn to ads that sellers have paid to promote. Such ads usually appear at the top of search results and are marked as sponsored. They attract scammers for two reasons. First, a seller who pays for promotion is more likely to have money. And second, they are probably looking for a quick sale.

Besides the sponsor label, attackers look at the photos in the ad. If they are of professional quality, it is most likely an offer from a store. Scammers are not interested in such ads.

Lastly, attackers need sellers who use a third-party messenger and are willing to provide a phone number. This information becomes known only after contact is made.

Scammers Won’t Waste Time

If the victim starts to quibble about the payment method, the scammer simply vanishes so as not to waste time. If the seller wants to continue negotiations on the marketplace’s official website, the attacker concludes they’re unlikely to click the phishing link and begins searching for a new victim.

However, if the victim clicks the link and enters their card details, the scammers siphon off all available funds. The price of the item is irrelevant. Even if the amount asked for in the ad was insignificant, the attackers will steal whatever they can.

Dmitry Kachan, lead incident manager at Kaspersky, said trusted relationship attacks will increase in the coming months.

“The growth in the number of such attacks is also affected by the growth of the IT outsourcing market worldwide,” he said. “Moreover, in most cases service providers are SMBs that are less protected than large enterprises. And, last but not least, the use of such an attack vector allows cybercriminals to optimize resources for gaining initial footprint in victim organizations and invest more resources in ransom or other types of business impact.”