Two law enforcement agencies are warning businesses to be alert to a new vishing security threat as hackers target remote workers during the Covid-19 pandemic.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in the US have issued a joint-security advisory, stating that the shift to home working and increased use of VPNs has led to a new vishing campaign being launch by threat actors.
Vishing, or voice phishing, is a social engineering technique used by fraudsters; pretending to anyone from IT support, to a third-party provider. Campaigns can be convincing and rely on deep understanding of company’s structures.
Analysts have suggested the high-profile breach at Twitter, which saw celebrity accounts targeted in a Bitcoin scam, could have been the result of a vishing attack.
It says: “In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access. Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks. The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”
What is Vishing and How Does it Work?
Vishing attacks occur when victims receive fraudulent phone calls by hackers posing as someone else, often a colleague from an IT helpdesk or support service. They use the call to extract personal information from the victim which allows them to access secure systems.
In this recent example, threat actors register domains and created phishing pages duplicating a company’s internal VPN login page, also capturing two-factor authentication (2FA) or one-time passwords (OTP), the advisory says.
They then compiled dossiers on the employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research to collect personal information.
Using unattributed VoIP numbers, the threat actors contacted targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company.
The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personal details, to gain their trust before sending them a link requiring that they enter their login, including any 2FA or OTP, which could then be used to gain access to their company’s systems in real time.
“In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator,” the FBI explains.
“In other cases, attackers have used a SIM-Swap attack2 on the employees to bypass 2FA and OTP authentication.
“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed.”
How to prevent vishing in your organisation
The FBI and CISA has issued the following advice to companies who want to ensure the threat posed by vishing is kept to a minimum:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification, and
- Employ the principle of least privilege and implement software restriction policies or othercontrols; monitor authorized user accesses and usage.
- Consider using a formalized authentication process for employee-to-employee
communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
- Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.