The U.S. law enforcement bodies, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), have in a joint advisory warned of a new attack/scam vector being used to target the remote workforce. Known as phone phishing or vishing, these vectors have surfaced mid-July and have been targeting corporate employees to gain access to their company’s internal systems.
How Does a Vishing Attack Work?
Vishing attack is a combination of “voice” and “phishing.” Vishers generally make use of an internet telephone service like Voice-over-Internet Protocol (VoIP) for impersonating a person or legitimate business to scam people. Attackers use social engineering techniques to trick people into giving up their information. They also create fake Caller ID profiles (called Caller ID spoofing) to make any phone number look legitimate. The only goal of a vishing attack is to steal the victims’ money and/or identity.
The Modus Operandi
- The cybercriminals first registered phishing domains identical to the targeted company’s resources, for example, their internal VPN login page, and then created phishing portals on these domains. To add a flavor of authenticity, the malpractitioners also added two-factor authentication (2FA) and/or one-time passwords (OTP), if present. Some of the most common naming schemes used were: support-[company], ticket-[company], employee-[company], [company]-support, [company]-okta
- Cybercriminals then compiled a database of all the employees working for the target companies by scraping through their public profiles on social media platforms, recruiter tools, background check services through public forums, and open-source research.
- They collected employee information which included name, home address, personal cell/phone number, the position at the company, and duration at the company.
- Once the research was thorough and complete, the cybercriminals tele-called the employees using random Voice-over-Internet Protocol (VoIP) to fool them. At a later stage, they even began spoofing the phone numbers of other employees to win over their victims’ trust.
- In certain instances, it was observed that the cybercriminals used social engineering techniques such as impersonating themselves as the company’s IT help desk. They used the PII of the employees obtained from various platforms to make them believe about their identity and once trusted they asked them to send the 2FA or OTP validation received for a VPN credential reset.
- Additionally, they also used a sim-swapping or sim jacking technique on the targeted employees to obtain the 2FA or OTP credentials.
- On gaining internal system access, the criminals then searched the mainframe computer for valuable and confidential information which could be stolen for monetary benefits.
Mitigation Steps
These types of vishing attacks previously were known to primarily target the telecommunication sector, however, it is now spreading like wildfire because of the distributed and remote workforce. Thus, to avoid these vishing attacks, the following can be done:
- Allow VPN access only to managed devices.
- If possible, restrict VPN access hours.
- Keep an eye on fake domain names similar to your company’s domain(s).
- Implement the least privilege access principle to avoid unwanted access.
- Implement an employee-to-employee secondary verification mechanism while communicating over the public telephone or cellular line.
