Skip to main content

FBI, CISA Warn About Vishing Campaign Targeting Teleworkers

by Chris Brook on Monday August 24, 2020

Contact Us
Free Demo

In the wake of news that attackers have been carrying out a successful voice phishing campaign against companies for a month, government orgs offered tips on how employees working from home can mitigate future attacks.

The U.S. government is doubling down on recent warnings published last week around an alarming increase in voice phishing, or vishing, attacks, taking aim at companies.

Both the Federal Bureau of Investigation and the Cybersecurity & Infrastructure Security Agency warned last week of an ongoing campaign, that takes advantage of much of the country's workforce being remote.

The joint advisory says the campaign's successfulness can be traced to "a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification.”

In the advisory, the government organizations claim that since mid-July, cybercriminals have been using phony voice messages purporting to come from a higher authority, in hopes of getting access to employee tools, eventually monetizing the access.

"Using vished credentials, cybercriminals mined the victim company databases for their customers' personal information to leverage in other attacks,” the advisory reads.

The warning came a few days after cybersecurity writers Brian Krebs, via his KrebsonSecurity blog, and Andy Greenberg, via a story in Wired, warned about an uptick in phone spearphishing attacks.

Krebs' story looked at one group that uses phone calls and custom phishing sites to steal company VPN credentials; Wired's story looked at the hacks through the lens of July's Twitter hack, in which attackers commandeered accounts belonging to CEOs, politicians, and celebrities.

Common threads of the attack involve fake but legitimate looking versions of company VPN login pages. According to the FBI, attackers also used Secure Sockets Layer (SSL) certificates for domains they registered to make them appear real.

The domains mimic the following naming schemes:

  • support-[company]
  • ticket-[company]
  • employee-[company]
  • [company]-support
  • [company]-okta

After performing reconnaissance on targets - gathering names, addresses, positions, and how long they've been at a company, the attackers used VoIP numbers to dial them directly. Using a combination of social engineering tactics - disguising themselves as a member of the company's IT team, using some of their personal data - the attackers convinced victims they'd be sending along a new VPN link, along with a two factor authentication passcode or one time password.

If employees approved the prompt or responded with a 2FA code, that's all the attackers needed to access the company's network in order to steal data and gain a foothold for future attacks.

While it likely requires a higher level of difficulty from the attacker, other attacks have utilized a SIM swapping - an attack in which someone contacts your wireless carrier and convinces them they are you, via previously leaked data - to sidestep 2FA and one time password authentication, the FBI and CISA claim.

To prevent attacks like this the groups are encouraging organizations to tighten up VPN security by restricting connections to managed devices only, cutting back access hours, to scan and monitor web apps for access, modification, and activities which fall outside of the norm, and to streamline 2FA and one time password messaging to ensure employees are on the same page.

Tags:  Government Phishing

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.