FBI & CISA Sound Alarm on Vishing Attacks Against Remote Workers

The FBI and CISA have warned organizations about a massive vishing campaign against remote workers and recommend steps to ward off the voice-based, socially engineered cyberattacks.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) uncovered a vishing campaign targeted against the remote workforce. The malicious campaign, which started mid-July, is currently active and leverages social engineeringOpens a new window to gather sensitive information like corporate login credentials. These credentials are then monetized by selling them or by obtaining funds using various methods.

What is Vishing?

Malicious actors use vishing techniques to fraudulently gain access to corporate resources. Vishing is a combination of voice and phishing wherein the actor calls their target using a phone or VoIP to get their hands on relevant information. It generally involves the malicious actor posing as a trusted person. Recently, attackers behind the Twitter hack used vishing to take over 130 high profile accounts.  

According to the FBI and CISA, the social engineering technique has become popular among attackers as employees shift to remote work.   As of July, the number of people working remotely increased by 60%, opening up opportunities for black hats to take advantage of. Most organizations have facilitated remote work by extending the corporate network to employees via VPN. 

How Vishing Scheme Works

The FBI and CISA issued a joint advisory to warn organizations about a surge in vishing attacks. A day before the release of the advisory, Krebs on SecurityOpens a new window reported, “The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks.”

See Also: Are You Up to Speed on the Vishing Threat?

Speaking of the vishing campaign, Krebs adds, “One increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.”

The advisoryOpens a new window outlines steps threat actors use to carry out this type of attack. First, web domains with a visual resemblance to corporate websites, resources or VPN login pages are created, complete with Secure Socket Layer (SSL) certifications. Names of these phishing sites are schemed to convey authenticity by including the name of the company within it. 

Some of the examples include: 

• support-[company]
• ticket-[company]
• employee-[company]
• [company]-support
• [company]-okta

Here, the attacker doesn’t even have to tweak the spelling of the company name, eliminating the attack’s reliance on target oversight.

Then, the attackers get their hands on information like the target’s name, home address, personal cell/phone number, the position at company and duration at company through web scraping. Web scraping is quite prevalent  and carried out across social media, networkingOpens a new window and recruitment sites through open source tools. 

See Also: 235M Social Media Accounts From Instagram, TikTok and YouTube Exposed

In the next step, the hacker establishes contact with the target through VoIP and impersonates the IT help desk. They engineer trust with the scraped information like name, job role, etc. Once the trust is established, the threat actor asks the target to log into their VPN which is actually a bogus phishing site intended to capture the user credentials. 

The FBI and CISA note in the joint advisory, “The actors convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP.”

In those cases where there’s 2FA or OTP authentication, the target which is now a victim, accepts the authentication request, either by:

• Accident
• The belief that the access is for the IT help desk
• SIM swap attack 2

The advisory further states, “The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

See Also: It’s Time to Rethink VPN Service for Post Pandemic World

Steps to Mitigate Vishing Attacks

The FBI and CISA outline certain steps for both organizations and end-users, which can help weaken the approach of such attacks.

Tips for Organizations: 

1. Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN 
2. Restrict VPN access hours, where applicable, to mitigate access outside of allowed times 
3. Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains 
4. Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities 
5. Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage 
6. Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed 
7. Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts 

Tips for End-Users: 

1. Verify web links do not have misspellings or contain the wrong domain 
2. Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call 
3. Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. 
4. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company 
5. If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement 
6. Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing 
7. Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate 

Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!