{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote-employment-fraud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zoom"],"_cs_severities":["medium"],"_cs_tags":["remote-employment-fraud","zoom","identity"],"_cs_type":"advisory","_cs_vendors":["Zoom"],"content_html":"\u003cp\u003eThis detection focuses on identifying Zoom users exhibiting unusually high video latency, which can be an indicator of Remote Employment Fraud (REF). Threat actors engaged in REF often operate from locations with suboptimal network infrastructure or utilize network manipulation techniques that result in elevated latency. The detection analyzes Zoom logs to identify users whose video streams exhibit an average latency exceeding 300ms, a threshold that, while potentially indicative of a simple network issue, when combined with other indicators, may suggest fraudulent activity. The detection leverages Zoom logs ingested using Splunk Connect for Zoom. Initial version was released on 2026-04-15.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to a legitimate employee's Zoom account or creates a fraudulent account.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a Zoom meeting or joins an existing meeting.\u003c/li\u003e\n\u003cli\u003eDuring the meeting, the attacker may be using a compromised or remote machine with a high-latency network connection.\u003c/li\u003e\n\u003cli\u003eZoom logs record the high video latency associated with the attacker's account, specifically in the \u003ccode\u003epayload.object.participant.qos{}.details.avg_latency\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe Splunk detection identifies the high latency event, flagging the associated email address.\u003c/li\u003e\n\u003cli\u003eAnalysts investigate the flagged user, correlating the high latency with other suspicious activities.\u003c/li\u003e\n\u003cli\u003eRisk scoring increases for the user account based on high video latency.\u003c/li\u003e\n\u003cli\u003eIf REF is confirmed, the compromised account is terminated, and access is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful REF can lead to financial losses, data breaches, and reputational damage for organizations. Although high latency alone is not definitive evidence of REF, it serves as a valuable indicator when correlated with other suspicious activities. This detection helps security teams identify potentially compromised accounts and prevent further fraudulent activities. The number of potential victims is dependent on the number of compromised accounts within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Zoom High Video Latency\u003c/code\u003e to your SIEM to identify potentially fraudulent accounts based on high video latency.\u003c/li\u003e\n\u003cli\u003eEnable Zoom logging and ingest logs using Splunk Connect for Zoom (\u003ca href=\"https://splunkbase.splunk.com/app/4961\"\u003ehttps://splunkbase.splunk.com/app/4961\u003c/a\u003e) to ensure the availability of necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eTune the latency threshold in the Sigma rule (\u003ccode\u003eoverall_latency\u0026gt;300\u003c/code\u003e) to align with your environment baseline and reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this detection and correlate them with other security events to identify potential Remote Employment Fraud.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-zoom-high-video-latency/","summary":"This analytic identifies Zoom users exhibiting high video latency, a potential indicator of Remote Employment Fraud (REF), by analyzing Zoom logs for average and overall latency and highlighting users with latency exceeding 300ms.","title":"Zoom High Video Latency Potentially Indicating Remote Employment Fraud","url":"https://feed.craftedsignal.io/briefs/2024-01-03-zoom-high-video-latency/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Workday","Slack","GlobalProtect","Jira","Atlassian Cloud","Zoom","Okta"],"_cs_severities":["high"],"_cs_tags":["remote-employment-fraud","credential-compromise","okta"],"_cs_type":"advisory","_cs_vendors":["Workday","Slack","Palo Alto Networks","Atlassian","Zoom","Okta"],"content_html":"\u003cp\u003eThis detection identifies \u0026quot;improbable travel\u0026quot; scenarios where a user logs in from two geographically distant locations within a short timeframe, suggesting potential Remote Employment Fraud (REF) or compromised credentials. The analysis focuses on login events for critical applications like Workday, Slack, GlobalProtect, Jira, Atlassian Cloud, and Zoom, using Okta logs as a primary data source. This technique is relevant because REF actors and credential thieves often operate from different locations than the legitimate user, and time zone/geographic inconsistencies can expose fraudulent activity. The detection considers factors like user's work country, travel speed, and distance between login locations to assess the risk. This helps defenders identify suspicious logins that bypass traditional security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser credentials compromised via phishing or other methods (not directly observed in this detection, but a common precursor).\u003c/li\u003e\n\u003cli\u003eAttacker establishes initial access from Location A, authenticating to a target application (e.g., Workday) via Okta.\u003c/li\u003e\n\u003cli\u003eA short time later (minutes to hours), the attacker attempts to access the same or a different application from Location B, potentially on the other side of the world.\u003c/li\u003e\n\u003cli\u003eThe detection analyzes Okta logs and correlates login events based on the user ID, source IP, and timestamp.\u003c/li\u003e\n\u003cli\u003eGeolocation data (latitude, longitude) is obtained for both login locations based on the source IP addresses.\u003c/li\u003e\n\u003cli\u003eThe distance and travel speed between the two locations are calculated.\u003c/li\u003e\n\u003cli\u003eIf the calculated speed exceeds a defined threshold (e.g., 500 km/h) and distance exceeds a defined threshold (e.g., 750 km), the activity is flagged as suspicious.\u003c/li\u003e\n\u003cli\u003eThe user's work country is compared to the login locations to further assess the risk. If the login locations do not match the user's expected work location, the risk score is increased.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized access to sensitive corporate resources, data exfiltration, and financial fraud. Compromised accounts used for Remote Employment Fraud can result in financial losses and reputational damage. While the exact number of victims and sectors targeted are not explicitly mentioned in the source, this type of attack can affect organizations of any size in any sector. A successful attack can result in significant financial losses and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGeographic Improbable Location\u003c/code\u003e to your SIEM, ensuring it is tuned to account for legitimate VPN usage and remote work scenarios.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eGeographic Improbable Location\u003c/code\u003e rule, focusing on users with high-value accounts and access to sensitive data.\u003c/li\u003e\n\u003cli\u003eUtilize the \u003ccode\u003eknown_devices_public_ip_filter.csv\u003c/code\u003e lookup table (mentioned in the \u0026quot;how_to_implement\u0026quot; section) to exclude known and trusted devices from the detection logic.\u003c/li\u003e\n\u003cli\u003eMonitor Okta logs for failed login attempts preceding improbable travel events to identify potential credential compromise attempts.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/","summary":"Detection of user logins originating from geographically distant locations within a short timeframe, indicative of potential Remote Employment Fraud or compromised credentials.","title":"Geographic Improbable Location Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/"}],"language":"en","title":"CraftedSignal Threat Feed - Remote-Employment-Fraud","version":"https://jsonfeed.org/version/1.1"}