Splunk's New Guide Uncovers Methods to Spot Deceptive Telecommuting Scams Inside Your Business
In the digital age, the threat of cybercrime continues to evolve, and one such emerging challenge is Remote Employment Fraud (REF). Organisations worldwide are prioritising the detection of REF in their digital onboarding processes.
Splunk, a leading platform for observability and security, has been at the forefront of this battle. By integrating various data sources, Splunk analysts have been able to identify and combat REF effectively.
One of the key strategies involves correlating applicant tracking system (ATS) data with IT asset logs in Splunk. This correlation lets security teams spot discrepancies such as corporate assets being shipped to addresses that diverge from the locations new hires claimed during onboarding.
Threat actors often employ deceptive tactics to justify these mismatches, invoking urgent personal circumstances. However, these requests for alternate locations serve as red flags, signalling potential REF cases.
Splunk analysts have also noted that REF actors frequently use nonstandard VPN services to obfuscate their true IP addresses and geolocations. By automating the detection of these nonstandard VPN services, Splunk can immediately surface potential REF cases.
To enhance visibility further, Splunk integrates these detections into a Risk-Based Alerting (RBA) framework. This approach enables prioritised incident response workflows that minimise false positives and drive efficient mitigation.
By creating baselines in Identity Provider (IdP) logs, security teams can detect anomalous VPN sessions and enforce network zones that block unauthorised anonymizer services. Splunk Enterprise Security's Authentication Data Model can calculate approximate travel speed between login events, providing valuable insights into suspicious activities.
In the initial stages of REF, threat actors meticulously craft resumes, pass background checks, and schedule interviews, so that on paper they are indistinguishable from genuine candidates. However, inconsistencies between expected corporate VPN endpoints and unusual third-party VPN providers serve as strong indicators of fraud.
Moreover, login attempts from geographically distant locations within implausible timeframes are a concern. By correlating asset management logs with ATS data, organisations can reveal discrepancies that point to fraudulent activity.
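The "implausible timeframe" check described above, and the approximate travel speed the Authentication Data Model provides, can be illustrated with plain Python over constructed login events. This is an added example, not code from the Splunk guide: the field names, coordinates, addresses and the 900 km/h threshold are all assumptions chosen for illustration.

```python
# Added example (not from the Splunk guide): flag consecutive logins per user whose
# implied travel speed exceeds what a commercial flight could achieve.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruise speed


@dataclass
class Login:
    user: str
    time: datetime  # timezone-aware
    lat: float      # geolocated source latitude
    lon: float      # geolocated source longitude
    src_ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, previous_ip, current_ip, speed_kmh) for each pair of
    consecutive logins by the same user whose implied speed exceeds max_kmh."""
    findings = []
    last_by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.time)):
        prev = last_by_user.get(ev.user)
        if prev is not None:
            hours = (ev.time - prev.time).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Edge case: two logins at the same instant from different places
            # imply infinite speed; same place at the same instant is benign.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                findings.append((ev.user, prev.src_ip, ev.src_ip, round(speed, 1)))
        last_by_user[ev.user] = ev
    return findings


SAMPLE_LOGINS = [  # constructed sample events; IPs are documentation ranges
    Login("jdoe", datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), 38.9, -77.0, "198.51.100.10"),
    Login("jdoe", datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc), 40.7, -74.0, "198.51.100.11"),
    Login("asmith", datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), 38.9, -77.0, "203.0.113.5"),
    Login("asmith", datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc), 55.75, 37.6, "203.0.113.99"),
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_LOGINS):
        print(finding)
```

Only the second user is flagged: a 2-hour hop between two nearby cities is plausible, while a 1-hour hop across roughly 7,800 km is not. In an RBA deployment the finding would contribute risk to the user entity rather than fire a standalone alert.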
Splunk analysts identified the first wave of REF anomalies by matching ServiceNow shipment records against Workday employee profiles. Once a shipped device arrives, the actor's persistence tactics keep it connected, underscoring the need for continuous monitoring rather than a one-time onboarding check.
This approach enables organisations to stay one step ahead of REF actors, who exploit the gap between human resources workflows and security monitoring to gain persistent access as apparent insiders and exfiltrate data.
In conclusion, Splunk's innovative strategies in combating REF provide a robust solution for organisations seeking to secure their digital onboarding processes. By leveraging the power of data correlation, automation, and intelligent alerting, Splunk is leading the charge in the fight against cybercrime.