Multi-channel communication attacks, or simply multi-channel attacks, are a common tactic amongst threat actors and cybercriminals. If you have ever responded to a bad actor (knowingly or unknowingly), a frequent follow-up from them is a request to move the conversation to a different communication channel. This is normally done under the pretext of security or privacy of the communication and is commonly used in romance schemes and fake job opportunity scams.
This tactic accomplishes two major things for the threat actor:
- First, it generates commitment from the victim in continuing the conversation.
Criminals operate in a business model where they look for the greatest return on the effort that they put into each attack. While the first email response may indicate some level of commitment from the target to the scam messaging, moving to a second communication channel indicates that the target will likely listen to the entire message and has a higher probability of becoming a victim. An attacker can therefore better decide which targets are worth further social engineering effort based on whether the target is willing to move to a secondary communication application.
- Second, moving to a second channel allows the actor to bypass most native security controls.
Most multi-channel communication attacks start on email, as that is the easiest method to contact massive lists of targets, but most email solutions nowadays have some controls built in, such as spam filters, malicious file detections, and link analysis. By moving the conversation to a messaging app like Telegram, Slack, or WhatsApp, the actor can leverage environments that have little to no native security protocols in place, or no controls that feed information to centralized security teams. This move allows the actor to use more common social engineering language and to distribute malicious links or files with less chance of being detected by the messaging platform.
Multi-channel attacks are a nightmare for defenders, as they generally have limited visibility and analysis capabilities in these multi-channel communications. While email attack detection solutions have been around for years and are quite sophisticated, very few of these solutions cover multi-channel platforms.
Even if the defenders are archiving messages in a messaging application like Slack and importing the events into a SIEM, they would have to build out their own analysis, detection, and alerting functions, and then do that again for any other messaging applications that the company uses. This coordination is a logistical nightmare at best. The reality is that security teams today do not have the resources to build out this capability from scratch.
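The kind of cross-channel correlation a team would have to build themselves, as an added example (not SafeGuard Cyber's code or detection logic): it flags a user who is asked on one channel to move to another platform and then receives a file or link on that platform. The event schema, field names, phrase list and 72-hour window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, already normalized to one schema (assumption:
# real email and chat archives need per-platform parsers to reach this shape).
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "channel": "email", "user": "j.doe",
     "peer": "recruiter@example.test", "has_file": False,
     "text": "We have a remote role for you. For privacy, please message me "
             "on Telegram @hr_example to continue."},
    {"ts": "2024-03-04T09:40:00", "channel": "email", "user": "a.lee",
     "peer": "vendor@example.test", "has_file": True,
     "text": "Invoice attached as agreed."},
    {"ts": "2024-03-04T11:05:00", "channel": "telegram", "user": "j.doe",
     "peer": "hr_example", "has_file": True,
     "text": "Here is the job description, open it on your PC."},
    {"ts": "2024-03-05T08:00:00", "channel": "telegram", "user": "a.lee",
     "peer": "friend_example", "has_file": False, "text": "Lunch today?"},
]

PLATFORMS = ("telegram", "whatsapp", "signal", "slack")  # illustrative list
PIVOT_VERB = re.compile(r"\b(message|contact|reach|add|text|continue|move|chat)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def pivot_target(text):
    """Return the platform a message asks the reader to move to, or None."""
    if not PIVOT_VERB.search(text):
        return None
    return next((p for p in PLATFORMS if re.search(rf"\b{p}\b", text, re.I)), None)

def correlate(events, window=timedelta(hours=72)):
    """Pair each pivot request with later file/link delivery on the requested channel."""
    pending, alerts = [], []  # pending entries: (user, platform, time asked, source event)
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        target = pivot_target(ev["text"])
        if target and target != ev["channel"]:
            pending.append((ev["user"], target, when, ev))
        risky = ev["has_file"] or bool(URL.search(ev["text"]))
        for user, platform, asked, src in pending:
            if (risky and user == ev["user"] and platform == ev["channel"]
                    and timedelta(0) < when - asked <= window):
                alerts.append({"user": user, "from": src["channel"], "to": platform,
                               "first_peer": src["peer"], "second_peer": ev["peer"],
                               "delay_min": int((when - asked).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The same function has to be fed by a separate collector and parser for every messaging platform in use, which is the duplication of effort the paragraph above describes.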
To that end, SafeGuard Cyber has been building and improving upon its multi-channel communication detection capabilities over the past several years. SafeGuard Cyber solutions can now ingest thousands of messages from various platforms, such as:
- Email solutions like Microsoft 365
- Collaboration platforms like Teams and Slack
- Messaging applications like WhatsApp and Telegram
We can provide uniform detection and analysis across all the messages collected, and provide alerts and a single pane of glass for visualizing events in all of these channels (or export them with our API to another solution). This allows defenders to identify and investigate multi-channel communication attacks in one solution.
To demonstrate the capability, we connected some Email and Telegram accounts to SafeGuard Cyber and simulated a basic multi-channel phishing attack across the applications.
Examples and Patterns of Multi-Channel Communication Attacks
For our sample attack, we decided to run a typical fake job scam. We would start on Email, move the conversation to Telegram, and then attempt to deliver a piece of malware to the victim. Click through the interactive multi-channel attack demonstration below to see what these messages looked like and how this information appears in the SafeGuard Cyber platform.
Multi-Channel Attacks vs SafeGuard Cyber Platform
Since the attack leveraged multi-channel communications and moved from one application to another, it would be more difficult for a defender to identify and respond to. Effectively, our platform is designed to help defenders quickly and easily correlate multi-channel communication attacks within a single solution.
Organizations around the world now rely on various communication and collaboration tools to ensure business continuity. This multi-channel communication setup should be heavily guarded and secured, lest companies run the risk of social engineering and system infiltration. As we’ve demonstrated above, the SafeGuard Cyber platform is more than capable of protecting your systems, your data, and your business.
If you are interested in learning more about the SafeGuard Cyber solution, schedule time for a deeper dive with our engineers.