The latest evolution in the cybersecurity threat landscape is the rise in attacks aimed at virtual event attendees. Microsoft recently reported that an Iranian-linked group targeted more than 100 attendees of two global conferences attended by international leaders, ambassadors and senior policy experts. And the threat is close to home: one of the targeted events was the Think 20 (T20) Summit in Saudi Arabia.
In a post describing the attacks, Tom Burt, Microsoft’s corporate vice president for customer security and trust, said the attackers had been sending possible attendees spoofed invitations which, if clicked on, would take them to one of several known credential-harvesting websites.
The attacks against both the T20 Summit and Munich Security Conference were a blend of old school phishing attacks with advanced spear phishing to compromise an individual, notes Morey Haber, CTO and CISO of software company BeyondTrust. By making each attack customised to that attendee, the attackers were able to bypass basic scrutiny, and by guiding users to open a non-malicious PDF, they were able to bypass antivirus systems.
Virtual events are easy targets
The move to remote work and virtual meetings is changing the threat landscape in the Middle East. The rapid adoption of virtual events since the start of the pandemic, coupled with communications and conferencing tools designed for ease of use rather than access control, makes these events an easy target for bad actors. While GITEX, the biggest tech conference in the Middle East, was held as a physical event last month, there are innumerable virtual conferences and meetings being held in the region.
Some of these virtual gatherings are small, even intracompany, events, as people continue to work from home and restrict their travel. These events often require email or some other form of online confirmation, opening up more opportunities for phishing emails. As well as spoofing invites prior to an event, attackers may also infiltrate events posing as fellow attendees and potential new contacts.
“The general security holes and risks are the same as other online services,” says Sam Curry, CSO at cybersecurity firm Cybereason. “But the problems arise from how new some of the code is; it’s not had a chance to bake in and build some protection. This is made more complicated by expanding functionality rapidly to try to get the full in-person experience. There are multiple channels of interaction — event organisers are trying to bring sight, sound and connection to their shows and that introduced a wider attack surface for hackers.”
Enterprises need to educate staff
To protect a company’s data, staff training on the risks from virtual events should be high on the agenda. When we attend a conference, whether physically or virtually, we expect to engage with new people before, during and after the event. Staff need to understand, however, that this is an easier time to be tricked, and to raise their guard accordingly, says Mike Lloyd, CTO of cybersecurity firm RedSeal.
“We go to conferences expecting to make new contacts, but have you checked who the contact really is? Do you have an independent introduction or a way to confirm they are who they claim?” Lloyd says. “We need to teach people scepticism, and to be more aware, as it’s a great place to sneak in an attack where you need your victim to trust an unexpected email attachment or contact request.”
BeyondTrust’s Haber recommends that businesses add information on virtual event security to their regular cybersecurity programmes. He notes, however, that if these sessions only occur once a year, “it may be imperative to have a quick refresher based on this new attack vector to educate employees; especially newly established remote workers”.
How to ensure the security of a virtual event
Most conferencing software has features that could aid in social engineering attendees, and depending on the setup there may be IT vulnerabilities that give bad actors unauthorised access to panels or meetings. However, some basic security safeguards can go a long way towards reducing the potential harm.
Gabe Goldhirsh, vice president of MEA and APAC sales at IT security company ZeroFOX, recommends protecting personally identifiable information (PII) by not distributing attendee lists and making sure events themselves have passwords and lobbies enabled.
“Don’t advertise login links publicly and never send event links in an email,” he says. “Instead have a dedicated page on the event website to prevent phishing leveraging the event login itself. Also provide clear expectations around what and how information will be collected from participants,” he adds.
In the end, it is our response to these risks that will decide whether this trend is here to stay. It all depends on whether attacks on virtual events, and more specifically on their attendees, produce results. If the yield for attackers is reduced, they are more likely to move on to a more attractive target.
Experts share tips for virtual-event security
Industry experts share their top tips on ensuring the security of virtual events and their hosts.
Tips for attendees
- Verify the source of all emails, especially the authenticity of the source domain for a virtual event.
- Don’t click on any embedded links or documents hosted in the virtual event.
- Verify the URL destination of any shortened URLs displayed during the event or in a follow up email.
- Never provide your corporate credentials to join a third-party virtual event.
- Enable multifactor authentication across both your business and personal email accounts.
Tips for hosts
- Don’t display attendees’ full names or companies.
- Restrict any attachments or URL postings in chat and Q&A windows to specific individuals.
- Inform attendees that all correspondence for the event will only come from named trusted email addresses to avoid third-party phishing attacks.
- Make sure events have passwords and lobbies enabled.
- Don’t advertise login links publicly and never send event links in an email. Instead have a dedicated page on the event website to prevent phishing leveraging the event login itself.
- Provide clear expectations around what and how information will be collected from participants.
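The attendee tips on verifying sender domains and shortened URLs, and the host tip on naming trusted sender addresses, can be turned into a simple triage check. The script below is an added example, not code from the article or from any of the vendors quoted in it. It assumes a hypothetical published list of trusted event addresses and domains (`events.example.org`) and runs against a constructed invitation email; the "registrable domain" logic is a naive last-two-labels approximation rather than a public-suffix lookup. It flags a From address that is not on the published list, Reply-To or Return-Path domains that differ from the From domain, public URL shorteners (whose destination is unknown until expanded), and hostnames that imitate the event domain by substring, punycode label or small edit distance.

```python
"""Triage an event-invitation email against a published list of trusted senders.

Added example, not the article's or any vendor's code. Trusted addresses, event
domains and the sample message are constructed for illustration.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical list a host would publish on the event website (see host tips).
TRUSTED_SENDERS = {"registration@events.example.org", "speakers@events.example.org"}
EVENT_DOMAINS = {"events.example.org", "example.org"}
# Public URL shorteners: the attendee tip is to resolve these before clicking.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "buff.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample invitation: lookalike From domain, mismatched Reply-To and
# Return-Path, one shortened link, one lookalike link and one genuine link.
SAMPLE_INVITE = """\
From: "Summit Registration" <registration@events-example.org>
Reply-To: summit.registration@mailer-service.net
Return-Path: <bounce@mailer-service.net>
To: attendee@corp.example
Subject: Your invitation: confirm your virtual seat
Content-Type: text/plain; charset=utf-8

Dear attendee,

Please confirm your place: https://bit.ly/3abcXYZ
Agenda (PDF): https://events-example.org/agenda/agenda.pdf
Official site: https://events.example.org/agenda
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header value ('' if absent)."""
    _, addr = email.utils.parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EVENT_DOMAINS)


def is_lookalike(host: str) -> bool:
    """True for hosts that imitate an event domain without being one of them."""
    host = host.lower()
    if is_trusted_host(host):
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return True  # punycode label: homoglyph domains are encoded this way
    if any(d in host for d in EVENT_DOMAINS):
        return True  # e.g. events.example.org.evil.net
    cand = registrable(host)
    for d in EVENT_DOMAINS:
        name = registrable(d).split(".")[0]  # e.g. "example"
        if name in cand.replace(".", "") or edit_distance(cand, registrable(d)) <= 2:
            return True
    return False


def classify_url(url: str) -> str:
    """One of: trusted, shortened, lookalike, external, malformed."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "malformed"
    if host in SHORTENER_HOSTS:
        return "shortened"  # destination unknown until expanded
    if is_trusted_host(host):
        return "trusted"
    if is_lookalike(host):
        return "lookalike"
    return "external"


def check_sender(msg) -> list:
    """Findings about the From, Reply-To and Return-Path headers."""
    findings = []
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    from_dom = domain_of(msg.get("From", ""))
    if from_addr not in TRUSTED_SENDERS:
        findings.append(f"From {from_addr!r} is not a published trusted sender")
    if is_lookalike(from_dom):
        findings.append(f"From domain {from_dom!r} imitates an event domain")
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    return findings


def assess_email(raw: str) -> dict:
    """Parse a raw message and return sender findings plus a verdict per URL."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = {u.rstrip(".,;)") for u in URL_RE.findall(body)}
    return {"sender_findings": check_sender(msg),
            "urls": {u: classify_url(u) for u in sorted(urls)}}


def safe_to_act(report: dict) -> bool:
    """Only act on a mail with no sender findings and only trusted links."""
    return not report["sender_findings"] and all(v == "trusted" for v in report["urls"].values())


if __name__ == "__main__":
    report = assess_email(SAMPLE_INVITE)
    for line in report["sender_findings"]:
        print("sender:", line)
    for url, verdict in report["urls"].items():
        print(f"{verdict:10} {url}")
    print("safe to act:", safe_to_act(report))
```

For the constructed invitation the script reports four sender findings (untrusted From address, lookalike From domain, and Reply-To and Return-Path domains that differ from it), marks the `bit.ly` link as shortened, the `events-example.org` link as a lookalike and only the `events.example.org` link as trusted, so the overall verdict is not to act. A shortened link is never trusted here on purpose: expanding it requires a network request, which is exactly the step the attendee tip asks you to take deliberately rather than by clicking.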