Alert: Refund Scam Targeting Federal Agencies via RMM Software

At least two federal civilian agencies were the unfortunate victims of a refund scam campaign, perpetrated through the use of remote monitoring and management (RMM) software. CISA, the NSA and the MS-ISAC discovered the campaign in October, but it appears the cybercriminals had been at work since June, and were still going strong in September.

The hackers sent phishing emails that led to the download of legitimate RMM software, which they used to steal money from victim bank accounts. It is a worrying trend, as this tactic could be used for other nefarious purposes, and could even be sold to government-backed hacking groups. 

The RMM software allows hackers to establish local user access without the need for higher administrative privileges, effectively bypassing common software controls and risk management assumptions. The phishing emails sent to employees' personal and work email addresses were help desk-themed, and contained links to malicious domains. 

The hackers used portable executables that can launch within a user's device without installation, which allowed them to attack other vulnerable machines within the local intranet and establish long-term, persistent access as a local user service. The domains used in the first stage of the scam attempted to impersonate well-known companies and brands, and once the hackers had connected to a victim's system, they changed bank account summaries to make it look like the victim had been refunded too much money. 

Both ConnectWise Control (formerly ScreenConnect) and AnyDesk have been used in previous cyber attacks, so it is no surprise they were used in this campaign. RMM software typically does not trigger antivirus or antimalware defenses, making it an ideal tool for cybercriminals. 
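As an added defender's example (not code from the alert or from this post), the following Python triage script runs over constructed Sysmon-style process-creation records and flags self-contained ConnectWise Control or AnyDesk binaries that run from user-writable paths or are launched straight from a browser; the binary names, approved install directories and browser list are assumptions to tune for your own estate.

```python
"""Flag self-contained RMM clients launched outside sanctioned install paths.
Constructed process-creation records (Sysmon Event ID 1 style), not real
telemetry; binary names, approved dirs and browser list are assumptions."""
from typing import Dict, List, Optional

KNOWN_RMM = {  # file names of portable RMM builds to watch (assumed list)
    "screenconnect.clientsetup.exe": "ConnectWise Control",
    "screenconnect.windowsclient.exe": "ConnectWise Control",
    "anydesk.exe": "AnyDesk",
}
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")  # IT-deployed agents live here
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")  # parent = run straight after download

# Constructed sample events: "image=<path>|user=<user>|parent=<path>"
SAMPLE_EVENTS = [
    r"image=C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe|user=CORP\svc_it|parent=C:\Windows\System32\services.exe",
    r"image=C:\Users\jdoe\Downloads\AnyDesk.exe|user=CORP\jdoe|parent=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"image=C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe|user=CORP\jdoe|parent=C:\Windows\explorer.exe",
    r"image=C:\Windows\System32\notepad.exe|user=CORP\jdoe|parent=C:\Windows\explorer.exe",
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> Dict[str, str]:
    """Split the pipe-delimited constructed record into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding dict for a suspicious RMM launch, else None."""
    image = event["image"]
    product = KNOWN_RMM.get(basename(image))
    if product is None:
        return None
    reasons = []
    if not image.lower().startswith(APPROVED_DIRS):
        # portable build run from Downloads, Temp, etc.: no admin rights needed (the alert's pattern)
        reasons.append("outside approved install dirs")
    if basename(event["parent"]) in BROWSERS:
        reasons.append("launched directly by a browser")
    # a sanctioned agent under Program Files started by a service yields no reasons
    return {"product": product, "image": image, "user": event["user"], "reasons": reasons} if reasons else None

def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [f for f in (classify(parse_event(ln)) for ln in lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['product']}: {f['image']} by {f['user']} ({'; '.join(f['reasons'])})")
```

In a real deployment the same two rules map directly onto an EDR or SIEM query over process-creation events, with the approved directories replaced by wherever your sanctioned RMM agent is actually installed.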

This highlights the continuing need for organisations to invest in timely and appropriate security awareness training so that they are better equipped to identify and report any suspicious phishing emails or other social engineering attacks. 

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
