Payroll pirates now causing havoc in more industries
“They’re certainly some kind of cybercrime organization or fraud organization that is doing this at scale,” says Okta Threat Intelligence VP Brett Winterford.
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
IT help desks need to brace for an evolving threat that sounds like an unofficial sequel to the Pirates of the Caribbean franchise.
In December, Okta Threat Intelligence released a threat advisory detailing how malicious actors can gain unauthorized access to payroll software. These threats are widely known as payroll pirate attacks.
Pirates of the payroll. According to VP of Okta Threat Intelligence Brett Winterford, these attacks often began with adversaries calling a company’s help desk, posing as a user and requesting a password reset.
“Typically, what the adversary will do is then come back to the help desk, probably to someone else on the phone, and say, ‘Well, I have my password, but I need my MFA factor reset,’” Winterford said. “And then they enroll their own MFA factor, and from there, gain access to those payroll applications for the purposes of committing fraud.”
The attackers are operating at scale and are leveraging several different services and devices to aid their nefarious activities, Winterford added.
“They’re certainly some kind of cybercrime organization or fraud organization that is doing this at scale,” Winterford said, adding that Okta believes the group is based out of West Africa.
So we meet again. IT Brew previously reported on the rise of payroll pirates in the education sector (Okta Threat Intelligence tracked this threat as “O-TA-54”). Okta Threat Intelligence notes payroll pirate schemes are happening across other industries as well, including the manufacturing and retail sectors.
“It’s not often you’ll see a huge number of targets in two distinct industries,” Winterford said. “I can’t tell you why, but education [and] manufacturing were massively targeted.”
How to batten down the hatches. Okta advises organizations to establish a standard process for vetting the identity of users who contact the help desk for support. Winterford suggested organizations that rely on outsourced IT help should restrict their help desks’ ability to reset user passwords without proper guardrails: “In some organizations, they’re relying on nothing but passwords to get access to payroll systems, which is madness.”
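One way to alert on the sequence Winterford describes (a password reset, then an MFA factor reset, then a new factor enrollment, then payroll access) is to correlate those events per user inside a time window. This is an added example, not code from the article or from Okta; the event names and the sample log are constructed and must be mapped to your identity provider's real event types.

```python
from datetime import datetime, timedelta

# Ordered stages of the sequence described in the article.
STAGES = ["password_reset", "mfa_reset", "mfa_enroll", "payroll_access"]

# Constructed sample events: (timestamp, user, event). The event names are
# hypothetical labels, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2025-01-06T09:00:00", "bob", "password_reset"),
    ("2025-01-06T09:05:00", "bob", "payroll_access"),    # no MFA change
    ("2025-01-06T14:02:00", "alice", "password_reset"),
    ("2025-01-06T14:40:00", "alice", "mfa_reset"),
    ("2025-01-06T14:47:00", "alice", "mfa_enroll"),
    ("2025-01-06T14:52:00", "alice", "payroll_access"),  # full chain in 50 min
    ("2025-01-02T10:00:00", "carol", "password_reset"),
    ("2025-01-09T10:00:00", "carol", "mfa_reset"),       # a week later
    ("2025-01-09T10:05:00", "carol", "mfa_enroll"),
    ("2025-01-09T10:09:00", "carol", "payroll_access"),
]


def find_reset_chains(events, window=timedelta(hours=24)):
    """Return {user: [stage timestamps]} for users who completed every stage,
    in order, within `window` of the initial password reset."""
    progress = {}  # user -> timestamps of the stages matched so far
    flagged = {}
    for ts, user, event in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        chain = progress.setdefault(user, [])
        # Drop a stale partial chain so an old reset cannot match forever.
        if chain and when - chain[0] > window:
            chain.clear()
        if event == STAGES[0]:
            chain[:] = [when]  # a newer password reset restarts the chain
        elif chain and event == STAGES[len(chain)]:
            chain.append(when)
        if len(chain) == len(STAGES):
            flagged[user] = list(chain)
            chain.clear()
    return flagged


if __name__ == "__main__":
    for user, stamps in find_reset_chains(SAMPLE_EVENTS).items():
        print(user, "completed the chain in", stamps[-1] - stamps[0])
```

The window is a tuning choice: a short one misses callers who space out their two help desk calls, while a long one flags more legitimate device replacements.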