CISA Warns of Refund Scams Using Remote Management Software
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: CISA
United States agencies the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory warning of a refund scam run by cybercriminals to steal from victims' bank accounts through legitimate remote monitoring and management (RMM) software such as ScreenConnect (now ConnectWise Control) and AnyDesk. Because the attackers use portable RMM executables, they gain local user access without needing admin privileges or a complete software installation, which lets them bypass software and risk controls. Beginning in June 2022, at least two instances of the campaign were discovered in federal offices; the phishing emails used help-desk themes. Domains used in this scam impersonate well-known brands such as Amazon, Microsoft, McAfee, PayPal, Norton, GeekSupport, and Geek Squad.
CISA's outline of the attack picks up after the RMM software has been installed and connected: “They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to ‘refund’ this excess amount to the scam operator.” While a clear financial motive is present, CISA warns that the threat can extend beyond financial gain, as the access obtained by the threat actor can be sold to other cybercrime groups.
Anvilogic Use Cases:
- AnyDesk Command Line Execution
- Remote Access Software Execution
- Network Connection with Suspicious Folder
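The portable-executable angle above is what makes this campaign detectable on the endpoint: an RMM client that was never installed runs from a user-writable folder. The following is an added example (not CISA's or Anvilogic's code) that flags such launches in constructed Sysmon-style process-creation events; the binary-name patterns and install-directory rule are assumptions to tune against your own RMM inventory.

```python
"""Flag portable RMM executables launched from user-writable paths.

Added example, not from the CISA advisory or Anvilogic. Events are
constructed Sysmon-style process-creation records (EventID 1). The RMM
name patterns and install-folder rule are assumptions for illustration.
"""
import re
from typing import Iterable

# Substrings of RMM client binary names mentioned in the advisory (assumed
# naming; extend with the approved RMM tools in your own environment).
RMM_NAME_PATTERNS = re.compile(r"(anydesk|screenconnect|connectwise)", re.I)

# Folders an installed, admin-approved copy would live in. Anything else
# (Downloads, Temp, AppData, removable media) is treated as portable use.
INSTALL_DIRS = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)


def is_portable_rmm(event: dict) -> bool:
    """True when an RMM-named binary runs from outside a standard install dir."""
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1]
    return bool(RMM_NAME_PATTERNS.search(exe)) and not INSTALL_DIRS.match(image)


def find_portable_rmm(events: Iterable[dict]) -> list[dict]:
    """Return the process-creation events an analyst should review."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and is_portable_rmm(ev):
            hits.append({"User": ev.get("User"), "Image": ev.get("Image"),
                         "Parent": ev.get("ParentImage"),
                         "CommandLine": ev.get("CommandLine")})
    return hits


# Constructed sample events: an installed AnyDesk, a portable AnyDesk run
# from the browser's Downloads folder, and an unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": "\"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe\""},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_portable_rmm(SAMPLE_EVENTS):
        print(hit)
```

Only the Downloads-folder launch is reported; the installed copy under Program Files passes, which is the distinction the campaign relies on.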