FBI, CISA Warn About Vishing Campaign Targeting Teleworkers
In the wake of news that attackers have been carrying out a successful voice phishing campaign against companies for a month, government orgs offered tips on how employees working from home can mitigate future attacks.
The U.S. government is doubling down on warnings published last week about an alarming increase in voice phishing, or vishing, attacks aimed at companies.
Both the Federal Bureau of Investigation and the Cybersecurity & Infrastructure Security Agency warned last week of an ongoing campaign that takes advantage of much of the country's workforce being remote.
The joint advisory says the campaign's success can be traced to "a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification."
In the advisory, the government organizations claim that since mid-July, cybercriminals have been using phony voice messages purporting to come from a higher authority, in hopes of getting access to employee tools, eventually monetizing the access.
"Using vished credentials, cybercriminals mined the victim company databases for their customers' personal information to leverage in other attacks," the advisory reads.
Krebs' story looked at one group that uses phone calls and custom phishing sites to steal company VPN credentials; Wired's story looked at the hacks through the lens of July's Twitter hack, in which attackers commandeered accounts belonging to CEOs, politicians, and celebrities.
Common threads of the attacks include fake but legitimate-looking versions of company VPN login pages. According to the FBI, attackers also used Secure Sockets Layer (SSL) certificates for domains they registered to make the pages appear real.
The domains mimic the following naming schemes:
After performing reconnaissance on targets (gathering names, addresses, positions, and how long they had been at the company), the attackers used VoIP numbers to dial them directly. Using a combination of social-engineering tactics, such as posing as a member of the company's IT team and citing some of the victim's personal data, the attackers convinced victims that they would be sending along a new VPN link, together with a two-factor authentication passcode or one-time password.
If employees approved the prompt or responded with a 2FA code, that was all the attackers needed to access the company's network, steal data, and gain a foothold for future attacks.
While it likely demands more effort from the attacker, other attacks have used SIM swapping, in which someone contacts your wireless carrier and, armed with previously leaked data, convinces them they are you, to sidestep 2FA and one-time password authentication, the FBI and CISA say.
To prevent attacks like this, the agencies are encouraging organizations to tighten up VPN security by restricting connections to managed devices only, cutting back access hours, scanning and monitoring web applications for access, modification, and activity that falls outside the norm, and streamlining 2FA and one-time password messaging to ensure employees are on the same page.
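As an added example (not part of the advisory or this article), the following script applies three of the recommended controls, a managed-device allowlist, an access-hours window, and a second-factor requirement, to constructed VPN authentication log lines; the log format, device IDs, and policy window are all assumptions.

```python
# Added example: triage constructed VPN login events against the controls the
# FBI/CISA advisory recommends (managed devices only, limited access hours, 2FA).
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class VpnEvent:
    timestamp: datetime
    user: str
    device_id: str
    src_ip: str
    mfa: str  # constructed values: "push_approved", "otp", or "none"

# Constructed inventory of device IDs enrolled in the company's management tool.
MANAGED_DEVICES = {"LT-0142", "LT-0377", "LT-0901"}

# Constructed policy: VPN logins are permitted between 06:00 and 22:00 local time.
ACCESS_START, ACCESS_END = time(6, 0), time(22, 0)

def check_event(ev, managed=MANAGED_DEVICES, start=ACCESS_START, end=ACCESS_END):
    """Return the policy findings for one login event (empty list means clean)."""
    findings = []
    if ev.device_id not in managed:
        findings.append("unmanaged_device")
    if not (start <= ev.timestamp.time() <= end):
        findings.append("outside_access_hours")
    if ev.mfa == "none":
        findings.append("no_second_factor")
    return findings

def parse_line(line):
    """Parse the constructed format: ISO timestamp, user, device, source IP, MFA."""
    ts, user, dev, ip, mfa = line.split()
    return VpnEvent(datetime.fromisoformat(ts), user, dev, ip, mfa)

def triage(lines):
    """Map (user, timestamp) of each flagged login to its findings; clean logins are omitted."""
    report = {}
    for line in lines:
        ev = parse_line(line)
        findings = check_event(ev)
        if findings:
            report[(ev.user, ev.timestamp.isoformat())] = findings
    return report

# Constructed sample log lines: one clean login, one from an unknown device at
# night (the pattern a vished credential would produce), one without a second factor.
SAMPLE_LOG = [
    "2020-08-14T09:12:03 jdoe LT-0142 203.0.113.7 push_approved",
    "2020-08-14T23:41:55 jdoe UNKNOWN-7f3a 198.51.100.21 push_approved",
    "2020-08-15T10:05:12 asmith LT-0377 203.0.113.9 none",
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_LOG).items():
        print(key, findings)
```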