Splunk Publishes Guide to Spot Remote Work Fraud in Organizations

Splunk today unveiled a comprehensive guide designed to empower security teams to detect Remote Employment Fraud (REF) during the critical onboarding phase—when imposters have already passed through HR vetting and background checks and gained network access.

Building on the inaugural blog, “Imposters at the Gate: Spotting Remote Employment Fraud Before It Crosses the Wire,” this second installment dives into the technical indicators that reveal fraudulent actors once they’re inside your infrastructure.

Armed with actionable Splunk queries and integrations, organizations can now bolster defenses at the final frontier of REF: the post-hire environment.

A deceptively simple process—shipping a corporate laptop—can expose REF actors. Fraudsters frequently request delivery to locales that don’t match their stated home address, offering elaborate excuses like medical emergencies or temporary relocations to mask the discrepancy.

While individual instances may be innocuous, Splunk demonstrates how correlating applicant tracking data with asset management logs uncovers patterns of suspicious behavior.

The guide’s featured SPL (Search Processing Language) query joins ServiceNow laptop shipment records with Workday employee profiles, flagging cases where the home_state field diverges from the delivered_location.

Security teams can synchronize with asset management to ingest shipping data into Splunk and leverage this query to generate alerts when mismatches occur.

By extending the lookup to global regions and automating string-matching logic, enterprises can achieve real-time detection without manual validation delays.

Monitoring Nonstandard VPN Usage

Once on a corporate device, REF actors often route traffic through VPN services to conceal their true location.

Splunk’s recommended approach involves ingesting IdP (Identity Provider) logs—such as Okta or Duo—to detect connections originating from known VPN or VPS providers not sanctioned by policy.

Okta administrative interface showing Network Zone and blocking configuration.

A sample SPL query scans for tunnels matching providers like NordVPN, Mullvad, or ProtonVPN. By maintaining and baselining an approved VPN list, security teams can filter legitimate remote access from potential fraud.

Complementing VPN detection, Splunk addresses “improbable travel” events, where rapid logins from geographically distant locations hint at location spoofing or multiple hop points.

Utilizing the Authentication Data Model within Splunk Enterprise Security, the guide illustrates how to calculate session speed and distance, flagging travel speeds that exceed humanly possible thresholds (for example, over 500 km/h and 750 km within short timeframes).

This strategy focuses on new joiners, minimizing false positives for senior staff who may legitimately travel extensively.
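The improbable-travel calculation described above, as an added illustration rather than the guide's own SPL: consecutive logins per user are turned into a great-circle distance and an implied speed, and a pair is flagged only when it exceeds both thresholds the guide quotes (500 km/h and 750 km). The authentication events, coordinates and the new-joiner list are constructed for the example; in Splunk this logic would run over the Authentication Data Model instead.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 500.0     # speed threshold quoted in the guide
MIN_DISTANCE_KM = 750.0   # distance threshold quoted in the guide

# Constructed authentication events (not real IdP output); ts is ISO 8601 with offset.
AUTH_EVENTS = [
    {"user": "j.doe",   "ts": "2024-05-06T09:00:00+00:00", "lat": 39.7392, "lon": -104.9903},  # Denver
    {"user": "j.doe",   "ts": "2024-05-06T10:00:00+00:00", "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "c.exec",  "ts": "2024-05-06T09:00:00+00:00", "lat": 39.7392, "lon": -104.9903},  # Denver
    {"user": "c.exec",  "ts": "2024-05-06T10:00:00+00:00", "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "a.smith", "ts": "2024-05-06T09:00:00+00:00", "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "a.smith", "ts": "2024-05-06T10:00:00+00:00", "lat": 39.9526, "lon": -75.1652},   # Philadelphia
]
# Only recently onboarded accounts are evaluated, as the guide recommends (constructed list).
NEW_JOINERS = {"j.doe", "a.smith"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def improbable_travel(events, new_joiners, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return (user, distance_km, speed_kmh) for consecutive logins by a new joiner
    that exceed both the distance and the speed threshold."""
    by_user = {}
    for ev in events:
        if ev["user"] in new_joiners:
            by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")  # same-second logins: treat as infinite speed
            if dist >= min_distance_km and speed >= max_speed_kmh:
                findings.append((user, round(dist), round(speed)))
    return findings
```

Here only j.doe is flagged: c.exec shows the same Denver-to-New-York jump but is outside the new-joiner scope, and a.smith's New York-to-Philadelphia hop is far below the 750 km floor.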

REF actors have been observed leveraging virtual audio/video devices to mask their true location during collaboration calls.

Splunk’s guide outlines how to baseline common camera, microphone, and speaker identifiers in Zoom, Webex, or Teams logs, then apply SPL’s rare command to spotlight devices that are virtually unseen in normal operations.

Example events demonstrating inconsistent worker locations.

A follow-up SPL example correlates Zoom participant metrics with Workday HR records to detect location mismatches between Region and HR’s registered state.

High video latency also serves as an informative signal. By analyzing Zoom meeting QoS metrics—specifically average video latency—security teams can flag sessions exceeding thresholds (e.g., 300 ms), which may indicate routing through remote farms or streaming intermediaries.
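The device-baseline and latency checks from the two passages above, as an added example that is not the guide's own query: a frequency count over collaboration sessions stands in for SPL's rare command, surfacing device identifiers used in only a small share of sessions, and a second pass flags sessions above the 300 ms average video latency the guide cites. The session records, device names and the 10% rarity cutoff are constructed assumptions.

```python
from collections import Counter

LATENCY_THRESHOLD_MS = 300   # average video latency threshold quoted in the guide
RARE_MAX_SHARE = 0.10        # identifier seen in <=10% of sessions counts as rare (assumed cutoff)


def _session(user, camera, mic, latency_ms):
    return {"user": user, "camera": camera, "mic": mic, "avg_video_latency_ms": latency_ms}


# Constructed collaboration-platform session records (not real Zoom/Webex/Teams output).
SESSIONS = [
    _session("m.garcia", "Integrated Webcam", "Headset Mic", 42),
    _session("m.garcia", "Integrated Webcam", "Headset Mic", 55),
    _session("t.nguyen", "USB Webcam", "Headset Mic", 38),
    _session("t.nguyen", "USB Webcam", "Headset Mic", 61),
    _session("r.patel", "Integrated Webcam", "Laptop Mic Array", 47),
    _session("r.patel", "Integrated Webcam", "Laptop Mic Array", 52),
    _session("k.osei", "USB Webcam", "Laptop Mic Array", 70),
    _session("k.osei", "Integrated Webcam", "Headset Mic", 44),
    _session("l.chen", "Integrated Webcam", "Laptop Mic Array", 49),
    _session("j.doe", "Virtual Camera Device", "Virtual Audio Cable", 420),
]


def device_baseline(sessions, fields=("camera", "mic")):
    """Count the number of sessions in which each (field, identifier) pair appears."""
    counts = Counter()
    for s in sessions:
        for f in fields:
            if f in s:
                counts[(f, s[f])] += 1
    return counts


def rare_devices(sessions, max_share=RARE_MAX_SHARE):
    """Mimic SPL rare: return (field, identifier, users) for identifiers whose
    share of all sessions is at or below max_share."""
    counts = device_baseline(sessions)
    total = len(sessions)
    out = []
    for (f, ident), n in sorted(counts.items()):
        if total and n / total <= max_share:
            users = sorted({s["user"] for s in sessions if s.get(f) == ident})
            out.append((f, ident, users))
    return out


def high_latency_sessions(sessions, threshold_ms=LATENCY_THRESHOLD_MS):
    """Return (user, latency) for sessions whose average video latency exceeds the threshold."""
    return [(s["user"], s["avg_video_latency_ms"]) for s in sessions if s["avg_video_latency_ms"] > threshold_ms]
```

Both signals point at the same constructed account here, which is the kind of overlap Risk-Based Alerting is meant to accumulate rather than a reason to alert on either alone.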

Finally, the guide delves into detecting unauthorized remote access tools (remote access trojans, RATs, and remote monitoring and management software, RMMs) on endpoints. Using EDR logs from solutions like CrowdStrike or SentinelOne, Splunk recommends auditing process command lines and application names against curated lists of tools such as Splashtop or TeamViewer.

Baseline reporting distinguishes corporate-licensed tools from those commonly abused by fraudsters, helping administrators block or alert on prohibited software execution.

Splunk’s new guide positions technical teams to reclaim control of their onboarding pipeline, layering multiple indicators—from asset shipment checks to IdP and collaboration log analysis—to thwart REF actors before they inflict damage.

By partnering closely with HR, legal, and asset management functions and leveraging Risk-Based Alerting within Splunk Enterprise Security, organizations can achieve a holistic, risk-informed posture against this emerging threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.