Cybercriminals take aim at teleworkers, setting up malicious duplicates of companies’ internal VPN login pages
The United States’ Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to warn about a surge in voice phishing (vishing) attacks targeting staff at a number of companies.
The spike in phone-based phishing attacks can in part be attributed to the COVID-19 pandemic, which has forced companies to shift to telework and led to a boom in the use of virtual private networks (VPN) and the elimination of in-person verification.
According to the advisory, shared by security journalist Brian Krebs, since around mid-July cybercriminals have been able to steal login details into employee tools at a number of companies. “The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” noted the alert.
As part of the campaigns, the black hats created phishing websites that duplicated or resembled the internal VPN login pages of various companies, obtained Secure Socket Layer (SSL) certificates for their domains and gave them various names that use a combination of the company’s name and hyphen and words such as “support” or “employee”.
RELATED READING: 6 tips for safe and secure remote working
The threat actors also gathered information about their targets. “Actors then compiled dossiers on the employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research,” reads the advisory. The amassed information included the targets’ names, home addresses, personal cell/phone numbers, and their job roles.
The attackers then went on to contact their marks, first using Voice over Internet Protocol (VoIP) numbers and later using the spoofed numbers of employees and departments from the victim’s company. Using social engineering techniques, the fraudsters impersonated IT help desk workers and used the information from their dossiers to gain the victims’ trust.
From there, the attackers convinced the targets that they would receive a new VPN link that would require their login, including two-factor authentication (2FA) or a one-time password (OTP). In some cases, the 2FA or OTP prompts were approved by employees mistakenly believing access had been granted earlier to the IT desk impersonator, while in other cases attackers employed SIM swapping attacks to circumvent the security measures.
The agencies also shared advice on how companies could mitigate the risks of such attacks. This includes restricting VPN connections to managed devices, employing domain monitoring, and actively scanning and monitoring web applications for unauthorized access.
Lest we forget: vishing was also at the root of last month’s breach at Twitter, where some 130 high-profile accounts were hijacked to peddle a Bitcoin scam.