When Instant Messaging Goes Rogue: Safeguarding Your Corporate Communication Channels

By Alex Vakulov

Six million dollars for two errors in the code. This is the amount that the Israeli company Aurora Labs paid to white hackers - cyber security specialists who test the reliability of IT systems. Thanks to the white hats, the company discovered critical bugs in the infrastructure that threatened its customers with financial losses and the company with reputational ruin.

Cyber-attacks have become more sophisticated, complex, and unpredictable. The global average data breach cost was $4.35 million in 2022. Reports indicate that the figures in the United States are even worse, averaging $9.44 million. 66% of malware was found to have utilized zero-day exploits. These numbers fully explain the boom in bug bounty platforms - where businesses invite third-party experts to identify and test software vulnerabilities.

Code scanners and secure development procedures are very important, but today they are becoming insufficient when it comes to finding critical vulnerabilities. Social engineering, malware, and spyware (like the infamous Pegasus) are among the most prevalent attack vectors targeting corporate devices. And instant messaging platforms provide the simplest and most convenient means to do it.

This article will explore methods for safeguarding corporate communication channels against accidental or intentional data leaks.

Targets and methods of corporate instant messenger attacks

Messengers and email services are convenient and user-friendly communication tools well-known to everyone. They are often trusted and considered reliable spaces for exchanging information. People receive dozens or even hundreds of messages a day. They often quickly skim the text with their eyes and do not think or delve into the essence. This is why cybercriminals frequently use email and instant messaging to execute social engineering tricks for penetrating a company's infrastructure. Phishing messages containing malicious links and tempting invitations to divulge confidential data often result in the exposure of sensitive business information.

The transition to remote work mode due to COVID-19 brought about significant changes in the social and corporate landscape, resulting in the emergence of new attacks. Cybercriminals use various OSINT resources and people search services to gather personal information about their targets. This helps them to create more targeted spear-phishing attacks tailored to the target's specific interests and characteristics.

Dual-purpose apps

While messaging apps may not pose an inherent threat, they can become a "weak link" if suspicious software is installed on a user's device. For instance, sensitive data may be at risk if a program with access to the user's phone book or data storage is installed on a device where work files, contacts, and correspondence are stored.

A good example is GetContact, which was installed on the phones of millions of users, resulting in their data being freely leaked on the internet. In some cases, confidential data that should only be transferred through a secure tunnel may fall into the hands of attackers even before it is sent while still in an unencrypted form on an employee's device.

The popularity of VPN services is on the rise. People install free apps on their phones and actively use them to gain access to blocked social networks and streaming services or other resources. However, most free programs can be considered a security risk. According to security experts, many free VPNs sell user data to third parties, and nearly 20% fail to hide the user's IP address.

Using unknown VPN services can be both ineffective and hazardous. Many of these applications fail to perform their intended function of anonymizing data, getting traffic with valuable metadata and authentication information redirected to unknown servers. This data could fall into the hands of cybercriminals. Furthermore, relying on a VPN to protect oneself while connecting to public Wi-Fi networks can be a false sense of security if the application fails to perform its anonymization function. Cybercriminals can monitor public Wi-Fi hotspots, and sensitive user data may be compromised.

Zero-day attacks

A zero-day vulnerability is a programming flaw that attackers discover before developers become aware of it. Although this threat may not appear directly linked to communication apps, attackers employ social engineering tactics to find and exploit it. Cybercrooks often target users through IMs and email, sending infected files or phishing links to exploit the vulnerability and gain access to the system.

Creating a secure communication environment

When organizing corporate communications, businesses typically choose one of three trajectories: utilizing specialized solutions, using popular messengers, or developing their own messaging app.

Among the options available, the use of popular messengers is the most dubious. While platforms such as WhatsApp, Telegram, and even Signal may be convenient, their security protocols and protection tools do not always meet established security standards.

Acknowledging the risks associated with popular messengers, many companies opt for a compromise solution by utilizing cloud applications with advanced features suitable for corporate use, such as Slack, Discord, or Wickr.

But these alternative messengers are also not always characterized by a high level of security. For instance, in 2022, Slack disclosed a critical vulnerability that allowed hackers to steal cookies with user data and hijack accounts.

The second category of specialized software pertains to solutions exclusively developed for corporate communication and delivered in an on-premises or cloud-based format. There are also dully decentralized, peer-to-peer solutions. These communication tools are usually designed to fulfill all security requirements and include features required for secure applications, including:

• End-to-end and asymmetric encryption by default
• Multi-factor authentication
• Automatic deletion of message history
• Protection against taking screenshots
• Verified encryption algorithms and protection protocols

However, it is crucial to recognize that even such programs may harbor vulnerabilities that may not be apparent to developers but are exceedingly convenient for attackers, particularly if DevSecOps principles were not employed.

As an illustration, a messenger, even if classified as secure, may request some kind of registration data or a user's phone number during sign-up. This information may be stored on servers or in the cloud and, in some cases, even remain unencrypted.

When deciding to develop messaging software, it is crucial to focus not only on its functions but also on its architecture. The program must enable communication via a closed and encrypted channel and should not request any potentially sensitive information, such as a phone number. This data can be exploited to identify particular users and reconstruct the communication trail if needed.

Another important function of a messenger is the lack of a conventional server for data storage. The risks associated with a company storing data on third-party servers are evident. We frequently come across news reports where attackers breach third-party hosting that contains a company's virtual machines with access to the internal system.

The degree of risk associated with storing confidential data on any kind of server depends on the security maturity level of a company. In general, it is better to store all sensitive data on users' devices. It is also advisable to use the built-in auto-delete function, which deletes the received and sent message queue after several days or even hours.

To enhance protection, mobile device management (MDM) policies can be used. MDM enables IT administrators to control and secure company data on employee devices. It includes features like remote wiping of data, blacklisting of apps, and enforcing passcodes. Besides, such things as containerization help isolate and separate work data from personal data on employee devices.

Working on a culture of safe communication is crucial too. To increase the readiness of employees for non-standard situations, continuous improvement of security training is required. Simply conducting lectures and training sessions on information security as a formality is insufficient. It is essential to ensure these efforts are effective.

Conclusion

As ChatGPT and other AI systems become more prevalent, phishing attacks utilizing messengers and other communication channels are becoming more advanced. It is crucial to prioritize information security and take preventative measures to address new challenges.

About the Author

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.