<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote-Employment-Fraud - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/remote-employment-fraud/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/remote-employment-fraud/feed.xml" rel="self" type="application/rss+xml"/><item><title>Zoom High Video Latency Potentially Indicating Remote Employment Fraud</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-zoom-high-video-latency/</link><pubDate>Wed, 03 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-zoom-high-video-latency/</guid><description>This analytic identifies Zoom users exhibiting high video latency, a potential indicator of Remote Employment Fraud (REF), by analyzing Zoom logs for average and overall latency and highlighting users with latency exceeding 300ms.</description><content:encoded><![CDATA[<p>This detection focuses on identifying Zoom users exhibiting unusually high video latency, which can be an indicator of Remote Employment Fraud (REF). Threat actors engaged in REF often operate from locations with suboptimal network infrastructure or utilize network manipulation techniques that result in elevated latency. The detection analyzes Zoom logs to identify users whose video streams exhibit an average latency exceeding 300ms, a threshold that, while potentially indicative of a simple network issue, when combined with other indicators, may suggest fraudulent activity. The detection leverages Zoom logs ingested using Splunk Connect for Zoom. Initial version was released on 2026-04-15.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains unauthorized access to a legitimate employee's Zoom account or creates a fraudulent account.</li>
<li>The attacker initiates a Zoom meeting or joins an existing meeting.</li>
<li>During the meeting, the attacker may be using a compromised or remote machine with a high-latency network connection.</li>
<li>Zoom logs record the high video latency associated with the attacker's account, specifically in the <code>payload.object.participant.qos{}.details.avg_latency</code> field.</li>
<li>The Splunk detection identifies the high latency event, flagging the associated email address.</li>
<li>Analysts investigate the flagged user, correlating the high latency with other suspicious activities.</li>
<li>Risk scoring increases for the user account based on high video latency.</li>
<li>If REF is confirmed, the compromised account is terminated, and access is revoked.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful REF can lead to financial losses, data breaches, and reputational damage for organizations. Although high latency alone is not definitive evidence of REF, it serves as a valuable indicator when correlated with other suspicious activities. This detection helps security teams identify potentially compromised accounts and prevent further fraudulent activities. The number of potential victims is dependent on the number of compromised accounts within the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Zoom High Video Latency</code> to your SIEM to identify potentially fraudulent accounts based on high video latency.</li>
<li>Enable Zoom logging and ingest logs using Splunk Connect for Zoom (<a href="https://splunkbase.splunk.com/app/4961">https://splunkbase.splunk.com/app/4961</a>) to ensure the availability of necessary data for this detection.</li>
<li>Tune the latency threshold in the Sigma rule (<code>overall_latency&gt;300</code>) to align with your environment baseline and reduce false positives.</li>
<li>Investigate any alerts generated by this detection and correlate them with other security events to identify potential Remote Employment Fraud.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>remote-employment-fraud</category><category>zoom</category><category>identity</category></item><item><title>Geographic Improbable Location Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/</guid><description>Detection of user logins originating from geographically distant locations within a short timeframe, indicative of potential Remote Employment Fraud or compromised credentials.</description><content:encoded><![CDATA[<p>This detection identifies &quot;improbable travel&quot; scenarios where a user logs in from two geographically distant locations within a short timeframe, suggesting potential Remote Employment Fraud (REF) or compromised credentials. The analysis focuses on login events for critical applications like Workday, Slack, GlobalProtect, Jira, Atlassian Cloud, and Zoom, using Okta logs as a primary data source. This technique is relevant because REF actors and credential thieves often operate from different locations than the legitimate user, and time zone/geographic inconsistencies can expose fraudulent activity. The detection considers factors like user's work country, travel speed, and distance between login locations to assess the risk. This helps defenders identify suspicious logins that bypass traditional security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User credentials compromised via phishing or other methods (not directly observed in this detection, but a common precursor).</li>
<li>Attacker establishes initial access from Location A, authenticating to a target application (e.g., Workday) via Okta.</li>
<li>A short time later (minutes to hours), the attacker attempts to access the same or a different application from Location B, potentially on the other side of the world.</li>
<li>The detection analyzes Okta logs and correlates login events based on the user ID, source IP, and timestamp.</li>
<li>Geolocation data (latitude, longitude) is obtained for both login locations based on the source IP addresses.</li>
<li>The distance and travel speed between the two locations are calculated.</li>
<li>If the calculated speed exceeds a defined threshold (e.g., 500 km/h) and distance exceeds a defined threshold (e.g., 750 km), the activity is flagged as suspicious.</li>
<li>The user's work country is compared to the login locations to further assess the risk. If the login locations do not match the user's expected work location, the risk score is increased.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to unauthorized access to sensitive corporate resources, data exfiltration, and financial fraud. Compromised accounts used for Remote Employment Fraud can result in financial losses and reputational damage. While the exact number of victims and sectors targeted are not explicitly mentioned in the source, this type of attack can affect organizations of any size in any sector. A successful attack can result in significant financial losses and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Geographic Improbable Location</code> to your SIEM, ensuring it is tuned to account for legitimate VPN usage and remote work scenarios.</li>
<li>Investigate any alerts generated by the <code>Geographic Improbable Location</code> rule, focusing on users with high-value accounts and access to sensitive data.</li>
<li>Utilize the <code>known_devices_public_ip_filter.csv</code> lookup table (mentioned in the &quot;how_to_implement&quot; section) to exclude known and trusted devices from the detection logic.</li>
<li>Monitor Okta logs for failed login attempts preceding improbable travel events to identify potential credential compromise attempts.</li>
<li>Implement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>remote-employment-fraud</category><category>credential-compromise</category><category>okta</category></item></channel></rss>