A masquerade attack is an online attack in which the attacker poses as a legitimate user to gain access to a device or network. Whether that happens through stolen credentials (typically via a phishing scheme), by exploiting software bugs, or by side-stepping the authentication process itself doesn’t make a difference – they all come down to a masquerade attack. In that regard, a pass-the-hash attack, in which the attacker compromises one device, harvests the password hashes cached on it, and uses those hashes to authenticate to other systems (moving laterally, stealing more hashes and repeating the process until a sufficiently privileged account turns up), can be considered a masquerade attack. It works because Windows NTLM authentication uses the NT hash itself as the secret in its challenge-response, so holding the hash is as good as knowing the password. A macro virus crafted to steal credentials could also qualify as a masquerade attack.
Someone inside or outside your organization can perpetrate masquerade attacks. An outsider can mount a masquerade attack as long as your organization is connected to the public internet, and the overwhelming majority are.
The damage a masquerade attack can do depends on the privileges of the account the attacker ends up controlling. If they get their hands on domain or system administrator credentials, they could potentially take control of your organization’s entire infrastructure.
How do masquerade attacks work?
Because of its very nature, a masquerade attack can mean many things; attack flows come in many shapes and sizes. Below is a possible and probably quite common scenario.
- The attacker sends phishing emails or SMS to various members of an organization. The email could contain, for example, what looks like a link to the organization’s IT portal, asking the employees to log in and confirm a recent change. However, the website to which the link actually leads is a spoofed site controlled by the attacker. Alternatively, the compromised credentials could be obtained by exploiting a software bug, or the attacker could find a vulnerability enabling them to bypass the authentication mechanism altogether. In our example, we’ll stick with phishing, as it’s the most common way to attempt a masquerade attack.
- Once the attacker has the victim’s credentials, they can log into the network as that user. If the stolen credentials are those of the network admin, the attacker is now in possession of the “golden key” and could do all sorts of damage – even a complete takeover of the network. In that case, the attack is successful and ends here. If, however, the compromised credentials do not give the attacker sufficient permissions to get to their desired payload, they may decide to attempt a pass-the-hash attack to gain further permissions.
- The attacker dumps any password hashes cached on the compromised machine (for which the attacker already has the credentials). On Windows, the NT hashes of accounts with active logon sessions sit in LSASS memory, and the local accounts’ hashes in the SAM database; reading either requires local administrator rights on that machine, which is why a low-privilege foothold often has to be escalated first. A hash obtained this way can be used to open a new, legitimate-looking session as that user without ever knowing the plain-text password.
- The attacker then uses the stolen hashes to move laterally from account to account and device to device, scraping the hashes on each machine in the hopes of finding hashes that have high enough permissions to get them to their payload.
- With a bit of luck, the attacker eventually finds the System Administrator’s password hashes (or another high permissions account) and can get to their payload, which takes us back to step 2.
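Why step 3 works at all, as an added example that is not part of the original article: the NTLMv2 exchange (as specified in MS-NLMP) never transmits the password. The client derives its response from the NT hash, so anyone holding the hash can produce exactly the same response as the real user. The code below, written for this page, derives the response both ways and shows they are identical. The account name, domain, challenges and timestamp are constructed values, not captured traffic, and MD4 is implemented in pure Python because modern OpenSSL builds disable it by default. What it does not show is the dumping step itself, which on Windows requires local administrator rights on the machine holding the hashes.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because OpenSSL 3 only ships
    MD4 in its legacy provider, so hashlib.new('md4') fails on many systems."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)

        def step(f, k, s, const):  # one MD4 operation; rotates the register order
            a, b, c, d = r
            r[:] = [d, _rotl((a + f(b, c, d) + X[k] + const) & MASK32, s), b, c]

        for i in range(16):
            step(F, i, (3, 7, 11, 19)[i % 4], 0)
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
            step(G, k, (3, 5, 9, 13)[i % 4], 0x5A827999)
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            step(H, k, (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
        state = [(s + v) & MASK32 for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what sits in the SAM and in LSASS memory."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash, never with the password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    return hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest() + temp


def build_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' blob: RespType, HiRespType, reserved, FILETIME, client nonce, reserved, AV pairs, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


# Constructed inputs, not captured traffic: in a real exchange the server picks the
# 8-byte challenge and supplies its AV pairs; the client picks its own 8-byte nonce.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")
TEMP = build_temp(0x01D9ABCDEF123456, CLIENT_CHALLENGE, b"")


def respond_with_password(password, user, domain, server_challenge=SERVER_CHALLENGE, temp=TEMP):
    """What a legitimate client does: derive everything from the typed password."""
    return ntlmv2_response(ntowf_v2(nt_hash(password), user, domain), server_challenge, temp)


def respond_with_hash(nt, user, domain, server_challenge=SERVER_CHALLENGE, temp=TEMP):
    """What a pass-the-hash tool does: start from the stolen NT hash, never the password."""
    return ntlmv2_response(ntowf_v2(nt, user, domain), server_challenge, temp)


if __name__ == "__main__":
    stolen = nt_hash("password")  # stands in for a hash dumped from LSASS/SAM (assumed password: 'password')
    legit = respond_with_password("password", "jdoe", "CORP")
    pth = respond_with_hash(stolen, "jdoe", "CORP")
    print("NT hash:", stolen.hex())
    print("responses identical:", legit == pth)
```

The two response functions differ only in where they start; the server cannot tell them apart, which is the whole point of the attack and the reason hash hygiene (who logs on where, and with what rights) matters more than password complexity once an attacker is inside.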
Risks of masquerade attacks
The risks tied to masquerade attacks can be almost anything. That’s because the potential damage that a masquerade attack can cause depends on the permissions level of the compromised credentials (or those granted by the exploited software vulnerability). Hence, it isn’t easy to produce a detailed or complete list of consequences. It could be anything from data loss to complete network takeover and everything in between.
Common risks associated with masquerade attacks include:
- Data breaches
- Your organization’s sensitive/proprietary information is leaked online
- Ransomware attacks
- Identity theft
- Critical system files are modified
- The network is taken offline
- Users are locked out of their accounts
- Internet traffic is rerouted to malicious sites
- The download and installation of malware
Remember, this list is by no means exhaustive, nor is it exclusive to masquerade attacks.
Real-world examples of masquerade attacks
In 2019, a large phishing campaign impersonated the United States’ tax authority, the Internal Revenue Service (IRS). The attackers targeted accounting firms, posing as the IRS and sending the firms what purported to be financial documents they had requested.
The documents in question contained malicious macros that, when executed, would trigger the download of a Remote Access Trojan (RAT), which would funnel all of the tax information and documents stored on the victim’s computer to the attacker.
Target was targeted
In 2013, the Target corporation fell victim to a data breach in which the payment card data of some 40 million customers was stolen. Counting the personal information taken in the same intrusion, over 70 million records were compromised.
Interestingly, in this case, the attackers first compromised the credentials of an employee at Target’s Heating, Ventilation, and Air Conditioning (HVAC) contractor, Fazio Mechanical Services. They then used those credentials to log into the Target-hosted web services portal dedicated to its vendors and partners, such as Fazio Mechanical Services. From there, the attackers moved up the permissions chain, reportedly by means of a pass-the-hash attack, until they recovered the hashes of an Active Directory administrator. They used those permissions to create a new domain administrator account and add it to the Domain Admins group. From there, they were able to steal the payment information of over 40 million Target customers.
How to defend against masquerade attacks
As is often the case, the way to defend against masquerade attacks depends on whether you’re an administrator or a user, so we’ll provide tips for both. Bear in mind that for an organization to be well-protected, both users and administrators must apply their mitigations with masquerade attacks in mind. Also, because of the nature of a masquerade attack, its symptoms are far-reaching and could equally point to other kinds of attack. Whether you’re hit with a masquerade attack or something else, you still want to detect and defend against it, so the advice below helps in either case.
For network administrators
Monitor your networks
If you’re going to detect masquerade attacks, you’re going to need to be on the lookout for suspicious behavior over your network. In the context of masquerade attacks, that means:
- Monitoring file hashes – Keep a baseline of cryptographic hashes (SHA-256, for example) of your critical system and application files and compare the live files against it on a schedule. A file whose hash no longer matches the baseline, but which should not have changed, may have been tampered with, and that can be a sign of a masquerade attack.
- Monitoring file locations – A file with a legitimate name that turns up in an unexpected location (a copy of a system binary in a temp or user-profile directory, say) is another sign of tampering, and of an attacker staging tools under a borrowed identity.
- Monitoring logins and network locations – You also want to monitor your user logins. Are any occurring at unusual times or from unusual source addresses? Is a single account authenticating to many hosts in quick succession, or using NTLM where Kerberos is the norm? That last pattern is what a pass-the-hash attack looks like in the logs, and all of these could be signs of a masquerade attack.
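What the three checks above look like in code, as an added example not taken from the original article: a file-integrity pass that hashes a directory tree and diffs it against a baseline, plus a logon-monitoring rule set run over a handful of constructed Windows Security 4624 logon events (not a real log). The rule set goes slightly beyond the list: it also flags one account opening NTLM network logons to several hosts within minutes, which is the footprint pass-the-hash leaves in the logs. The working hours, thresholds, host names and sample events are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# ---- File integrity: hash every file and diff against a known-good baseline ----

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Relative path -> sha256 for every file under root (forward slashes for portability)."""
    return {os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/"): sha256_file(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}


def fim_diff(baseline, current):
    """Files whose content changed, files that vanished, and files that appeared where none should be."""
    findings = [("modified", p) for p, h in baseline.items() if p in current and current[p] != h]
    findings += [("missing", p) for p in baseline if p not in current]
    findings += [("unexpected", p) for p in current if p not in baseline]
    return sorted(findings)


def fim_demo():
    """Constructed scenario: a trusted binary is replaced and a copy with the right name lands in the wrong place."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("bin", "tmp"):
            os.mkdir(os.path.join(root, sub))
        with open(os.path.join(root, "bin", "svc.exe"), "wb") as f:
            f.write(b"original service binary")
        baseline = scan_tree(root)  # taken while the system is known-good
        with open(os.path.join(root, "bin", "svc.exe"), "wb") as f:
            f.write(b"backdoored service binary")  # same name, different content
        with open(os.path.join(root, "tmp", "svc.exe"), "wb") as f:
            f.write(b"original service binary")  # right name, wrong location
        return fim_diff(baseline, scan_tree(root))


# ---- Logon monitoring: off-hours logons, new source addresses, one account fanning out over NTLM ----

def logon_alerts(events, known_sources, work_hours=(7, 19), window=timedelta(minutes=10), host_threshold=3):
    alerts, seen_ip, ntlm_net = [], set(), defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4624:  # successful logon
            continue
        ts, user = datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]
        if not work_hours[0] <= ts.hour < work_hours[1]:
            alerts.append(("off_hours_logon", user, ev["Computer"]))
        if ev["IpAddress"] not in known_sources.get(user, set()) and (user, ev["IpAddress"]) not in seen_ip:
            seen_ip.add((user, ev["IpAddress"]))
            alerts.append(("new_source_ip", user, ev["IpAddress"]))
        if ev["LogonType"] == 3 and ev["AuthenticationPackageName"] == "NTLM":
            ntlm_net[user].append((ts, ev["Computer"]))
    # A pass-the-hash tool authenticates over NTLM (type 3, network) to host after host in minutes.
    for user, logons in ntlm_net.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                alerts.append(("ntlm_lateral_movement", user, tuple(sorted(hosts))))
                break
    return alerts


def ev(time, user, ip, computer, logon_type, pkg):
    return {"EventID": 4624, "TimeCreated": time, "TargetUserName": user, "IpAddress": ip,
            "Computer": computer, "LogonType": logon_type, "AuthenticationPackageName": pkg}


# Constructed sample of Windows Security 4624 events, not a real log.
SAMPLE_EVENTS = [
    ev("2024-03-12T09:12:00", "asmith", "10.0.1.15", "WS01", 2, "Kerberos"),  # normal desk logon
    ev("2024-03-12T02:31:00", "jdoe", "10.0.9.77", "FS01", 3, "NTLM"),        # 02:31, unknown address
    ev("2024-03-12T02:33:00", "jdoe", "10.0.9.77", "FS02", 3, "NTLM"),
    ev("2024-03-12T02:35:00", "jdoe", "10.0.9.77", "DC01", 3, "NTLM"),
]
KNOWN_SOURCES = {"asmith": {"10.0.1.15"}, "jdoe": {"10.0.1.22"}}  # assumed per-user baseline


def logon_demo():
    return logon_alerts(SAMPLE_EVENTS, KNOWN_SOURCES)
```

In production the baseline of known source addresses and working hours would come from weeks of history rather than a hard-coded dictionary, and the events from a SIEM or Windows Event Forwarding rather than an inline list; the rules themselves stay the same.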
Consider using an AI-based Intrusion Detection System (IDS)
The above examples all come down to spotting suspicious patterns of behavior, which is difficult for traditional, signature-based defenses. After all, if the credentials permit the user to access specific files or locations, how could the security software recognize such a login as suspicious? Anomaly-based detection, sold today as AI- or machine-learning-powered IDS or as user and entity behavior analytics (UEBA), tackles exactly this: you “teach” the system, via machine learning, what constitutes “normal” behavior over your network, and after a training period it flags outlier behavior such as a user logging in from a new location or touching systems they never touched before. One caveat: the baseline is only as clean as the network it was learned from, so train it on a period you are confident was free of compromise and review what it decides is “normal”.
Implement digital code-signing
Code signing proves who published a piece of software and that it hasn’t been altered since. The protection comes from enforcing it with an application-control policy (Windows Defender Application Control or AppLocker on Windows, or an equivalent allow-listing mechanism on other platforms) configured so that binaries and scripts not signed by a trusted publisher cannot run. That limits the damage done by a successful masquerade attack: the attacker may hold a valid account, but they can’t drop and execute their own tools with it.
Limit user permissions as much as possible
You should implement the principle of least privilege and assign each user in your organization the minimum permissions required for them to do their work and nothing more. Give administrators separate accounts for administrative work, and never use domain or system administrator accounts to log on to ordinary workstations: whatever logs on to a machine leaves credential material behind, which is exactly what a pass-the-hash attacker harvests. This again helps limit the damage done by a successful masquerade attack.
Set up Two-factor authentication (2FA) on all accounts that support it
2FA makes stolen passwords far less useful on their own and may discourage many attackers. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) over SMS and one-time codes, which a real-time phishing proxy can relay to the genuine site. Also bear in mind that 2FA protects the login itself; it does nothing against pass-the-hash, which abuses credentials that are already inside the network.
Implement strong password requirements in your organization
Make sure to set up strong password requirements for the users on your network. Users should not be allowed to use weak passwords: favor length over arbitrary complexity rules, and reject passwords that appear in known breach lists. Strong passwords are your first line of defense; make sure they’re as strong as can be.
Provide security awareness training
Awareness will always be your ally. Hence, security training for your staff will not only help you mitigate masquerade attacks, but many other types of attacks as well. Such training fosters more secure habits within your organization and will limit many of the risks you face every day. On top of that, your staff will be better prepared to deal with security events.
For users
These are primarily common-sense tips that can help you avoid various online threats. However, the first four points are directly related to mitigating masquerade attacks.
- Log out and reboot your computer – When you’re done using your computer, log out of your session and reboot the machine. Windows keeps credential material for every logged-on session in memory, and that is exactly what a pass-the-hash attacker harvests; logging off and rebooting clears it.
- Don’t open attachments in emails without knowing who the sender is and confirming that they actually did send you the email in question. Also, confirm with them that the email contains an attachment and that they know what the attachment is.
- Don’t click links (URLs) in emails unless you know who sent the link, where it leads, and that the sender isn’t being impersonated. Even then, scrutinize the link. Is it plain HTTP? Most of the legitimate internet uses HTTPS today, so a plain-HTTP link is a warning sign, but the reverse does not hold: phishing sites routinely have valid certificates, so a padlock proves nothing about who runs the site. Check the link for misspellings (faceboook instead of facebook or goggle instead of google) and for a real brand name buried inside someone else’s domain. If you can get to the destination without using the link, do that instead.
- Use strong and complex passwords – It may be an obvious one, but this will be your first line of defense in any credential-based attack.
- Use an antivirus program – And only buy well-reviewed, genuine antivirus software from legitimate vendors. Keep it updated and run scans regularly.
- Keep your operating system updated – The latest OS updates contain the latest security patches. Make sure they’re installed as soon as they’re available.
- Use a firewall – All major operating systems have a built-in inbound firewall, and home and small-office routers provide NAT plus a basic stateful firewall. Make sure these are enabled. They won’t stop you from handing your credentials to a phishing site, but they do block unsolicited inbound connections to your machine.
- Never click on pop-ups. Ever. You never know where they’ll take you.
- Don’t give in to “warning fatigue” if your browser displays a warning about a website you are trying to access. You should take your browser’s warning seriously and get your information elsewhere. If you clicked a link that was sent to you by email or SMS, it might be sending you to a malicious site to retrieve an infected file. Don’t disregard your computer’s warning prompts.
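The link scrutiny described in the list above as code, an added example that is not from the original article. It parses a URL the way a browser would and flags plain HTTP, the user@host trick, punycode labels, typosquats within two edits of a trusted name, and a brand name buried in someone else’s domain. The allowlist and the test URLs are constructed. Note what it deliberately does not do: an https link passes the scheme check without being trusted, because phishing sites have valid certificates too.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader actually expects to be sent to.
TRUSTED_DOMAINS = {"facebook.com", "google.com", "example-corp.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels. Good enough here; production code should consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases the hostname
    reasons = []
    if parts.scheme != "https":
        reasons.append("plain_http")  # absence of HTTPS is a flag; its presence proves nothing
    if parts.username is not None:
        reasons.append("credentials_in_url")  # https://facebook.com@evil.example really goes to evil.example
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode_host")  # internationalised label, possible homoglyph of a brand
    domain = registrable(host)
    if domain not in TRUSTED_DOMAINS:
        nearest = min(TRUSTED_DOMAINS, key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, nearest) <= 2:
            reasons.append("lookalike_host")  # faceboook.com, goggle.com
        elif any(t in host for t in TRUSTED_DOMAINS):
            reasons.append("brand_in_subdomain")  # facebook.com.login-verify.example
        else:
            reasons.append("untrusted_host")
    return {"host": host, "verdict": "ok" if not reasons else "suspicious", "reasons": reasons}


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    for u in ("https://www.facebook.com/login", "https://faceboook.com/login",
              "http://www.google.com/", "https://facebook.com@evil.example/",
              "https://facebook.com.login-verify.example/"):
        print(u, "->", check_link(u))
```

The allowlist is the important design choice: the checker never decides a host is good because it looks like a brand, only because it is exactly (or a subdomain of) a domain the reader has chosen to trust; everything else is suspicious by default, with the reasons spelled out so the user can see why.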
So those are the ins and outs of masquerade attacks. Like other online attacks, they can be challenging to detect because their main symptoms could be indicative of many different things. Hopefully, the measures detailed above will help you to avoid them altogether. But at the very least, they’ll help you to recover faster if you implement them.