How Hackers Are Turning Tech Support Into a Threat — WSJ

By Robert McMillan

Hackers in recent months have disrupted retail sales in the U.K. and U.S. and stolen hundreds of millions of dollars from crypto holders by targeting the outsourced call centers that many American corporations use to save costs.

The hacks are often meticulously researched and use a variety of techniques, but they have one thing in common: low-level workers who staff call centers and have access to the kind of sensitive information that criminals need to commit crimes.

The focus on outside call centers has allowed attackers to trick workers to get around so-called two-factor account authentication techniques that send codes by text to mobile phones. Those methods are commonly used to protect millions of bank and credit-card accounts, as well as a host of other online portals.

Retail attacks

In attacks on U.K. retailers including Marks & Spencer and Harrods, the hackers typically impersonated high-level corporate executives and pressured tech-support workers to give them access to corporate networks, according to security researchers. This is the same technique that allowed hackers to gain access to MGM Resorts systems in 2023.

At the cryptocurrency company Coinbase Global, they simply paid off call-center workers in India, Coinbase said. The attack might cost the company as much as $400 million because it has pledged to reimburse customers who have lost millions in the scam. The hackers stole data belonging to as many as 97,000 Coinbase customers, the company estimates.

"You're working with a low-paid labor market," said Isaac Schloss, chief product officer at Contact Center Compliance, a company that advises call-center users and customers. "These people are in a position of poverty more often than not. So if the right opportunity comes for the right person, people are willing to look the other way."

Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators, said he began hearing last fall from victims who had typically lost more than a million dollars to hackers. In almost every instance, it was the same scam, said Cooper-Duckett, who helps victims of cryptocurrency theft recover their losses.

The criminals would buy information that they could use to call up their victims and masquerade as legitimate Coinbase workers, Cooper-Duckett said.

They would know their victim's personal information, their account balance, the last four digits of their bank accounts, and sometimes would have a list of recent transactions. Armed with this data, they would persuade them to create new cryptocurrency wallets with encryption keys known to the hacker or log into phishing sites and quickly steal their cryptocurrency.

Coinbase hackers

"Every other day a new case would come in, and it would be, 'I got called by Coinbase, and I lost all my money because it wasn't Coinbase,' " Cooper-Duckett said.

The Coinbase hackers bribed customer-support agents working for TaskUs and other support-desk companies. Such call-center employees typically have access to sensitive customer information that allows them to confirm the identity of callers, Coinbase said.

The criminals would cast a wide net, reaching out to insiders through social media or chat accounts such as Telegram with offers of $2,500 for help from insiders, Coinbase said.

In some countries, workers don't face legal consequences for involvement in cyber breaches, said Philip Martin, Coinbase's chief security officer. "We've seen relatively limited consequences, in those regions, for perpetrators," he said. Even when workers are fired from such outsourcing jobs, "It's a relatively straightforward thing for them to go get a new one," he added.

Computers at outsourced companies have controls to prevent employees from stealing data, Coinbase said. It is typically impossible for an employee to plug a USB thumb drive into a computer or take a computer home from work. So the hackers started by offering workers cash payments for screenshots of their computers and the customer information they contained. These payments could amount to thousands of dollars, the company said.

Malicious software

In other instances, the hackers used malicious software, sneaking data-scraping code into computers. That allowed them to collect data in bulk and store it.

The first step to pulling off such a scam was asking their call-center insiders to describe all of the software running on their computers. Soon, the hackers discovered that workers were running an extension in their Chrome browsers — extra software added to the browser that prevented web ads.

The extension had a bug in it, and that vulnerability allowed the criminals to sneak their own code into call-center computers. Now they could collect data in bulk and store it on the internet.

TaskUs said it stopped taking Coinbase calls at the Indore, India, call center where the employees were being bribed, laying off 226 workers. It also fired two workers who were engaged in fraud earlier this year. Coinbase said that its own employees, as well as those at other outsourcing companies they work with, were recruited but declined to name them.

Companies have spent billions of dollars trying to reduce cyber threats, but hackers continue to find new ways to exploit human vulnerabilities.

"Consistently, the human interaction has proven to be a weak link," said Michael McPherson, a senior vice president with the cybersecurity company ReliaQuest.

Write to Robert McMillan at [email protected]

Dow Jones Newswires