A new threat group is targeting business process outsourcers (BPOs) and large enterprises for extortion using live chat channels, Google has warned.
Google Threat Intelligence Group (GTIG) principal threat analyst, Austin Larsen, said UNC6783 is a financially motivated threat cluster that may be tied to the “Raccoon” persona.
The group has targeted several dozen “high-value corporate entities” across multiple sectors – focusing mainly on their BPOs, but sometimes also hitting their in-house helpdesk and support teams directly.
The end goal is to steal sensitive data for extortion, Larsen explained.
Read more on helpdesk targeting: Scattered Spider Uses Tech Vendor Impersonation and Phishing Kits to Target Helpdesks
“The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages. These domains frequently masquerade as the targeted organization using a domain pattern such as [.]zendesk-support<##>[.]com,” Larsen noted.
“Their phishing kit is used to bypass standard multi-factor authentication (MFA) verification by stealing clipboard contents, which then allows the attackers to enroll their own devices for persistent access.”
Alternatively, the GTIG team has also observed UNC6783 using fake security software updates to trick users into downloading remote access malware. It sometimes uses Proton Mail accounts to deliver ransom notes following data exfiltration, Larsen continued.
The tactics are not dissimilar to those of notorious extortion-focused collective Scattered Lapsus$ Hunters.
Last year, reports emerged of a campaign using Zendesk phishing domains to harvest employee credentials. The hackers also submitted fraudulent tickets to helpdesk staff to infect them with remote access trojans (RATs) and other types of malware.
Advice for BPOs and Helpdesk Staff
GTIG’s Larsen urged organizations to:
- Implement phishing-resistant MFA such as FIDO2 hardware security keys (e.g. Titan Security Keys) for all users, especially those in high-risk roles like support and helpdesk
- Monitor live chat for suspicious interactions such as those directing users to external links
- Educate employees on this specific campaign
- Proactively block any unauthorized domains with the [.]zendesk-support[.]com pattern
- Monitor for unauthorized binary execution, especially installers or “updates” downloaded during support sessions
- Regularly audit newly enrolled MFA devices across the organization for unauthorized additions
