Armor Finds Payroll Attacks in Southeastern U.S.
Armor’s Threat Resistance Unit (TRU) checked for possible additional payroll-related attacks after hackers nabbed almost $500,000 from the payroll department of the city of Tallahassee, Florida. They found two other payroll-related cyberattacks: a February ransomware attack targeting Atlanta-based payroll software technology provider Apex Human Capital Management; and a March cyberattack targeting the Thomas County School System in Thomasville, Georgia.
The Armor researchers said that it is interesting that all three incidents came rapidly on the heels of the massive “Collection #1” data dump discovered in January. But they also said they are unaware of any connection between these payroll-related attacks.
The FBI’s Internet Crime Complaint Center (IC3) issued a warning last September on an uptick in the use of social engineering to steal user or admin credentials for payroll-related attacks. The FBI says the most common targets are payroll departments in institutions in the education, health care,and commercial airway transportation industries.
The IC3 recommends the following actions to prevent paycheck diversions to criminals:
- Alert and educate your workforce about this scheme, including preventive strategies and appropriate reactive measures should a breach occur.
- Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from.
- Instruct employees to refrain from supplying login credentials or personally identifying information in response to any email.
- Direct employees to forward suspicious requests for personal information to the information technology or human resources department.
- Ensure that login credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
- Apply heightened scrutiny to bank information initiated by employees seeking to update or change direct deposit credentials.
- Monitor employee logins that occur outside normal business hours.
- Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
- Only allow required processes to run on systems handling sensitive information.
“Whether critical systems and data are in the cloud or on-premises, controlling access and maintaining security hygiene are necessary parts of keeping them safe, and that pertains to not only the organization itself but to all of the entity’s third-party vendors and partners,” said Eric Sifford, TRU security researcher.