Vishing – or voice phishing – campaigns are gaining momentum. As the coronavirus crisis continues and many large companies ask their employees to continue working from home, teleworkers have become a lucrative target for cybercriminals. Using a combination of one-on-one phone calls and custom-made phishing websites, they try to trick workers into handing over their company login credentials.
Vishing Attacks on the Rise
Last week, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory in response to a substantial increase in vishing campaigns since approximately mid-July. According to the advisory, the attackers mainly target the US private sector. The advisory does not name the targeted companies; instead it describes the techniques the scammers use.
Working from home is hardly a new phenomenon, but the coronavirus has made it an unplanned requirement for many employees. As a result, there has been an uptick in the use of corporate virtual private networks (VPNs). Individuals are logging onto their company network en masse, meaning there are more opportunities available for fraudsters to exploit.
Under remote working measures, businesses had to suddenly shift from in-person verification to remote authentication. This means they should be taking extra precautions to ensure that the person behind a screen is indeed who they say they are. Unfortunately, this does not always happen. Moreover, cybercriminals are brushing up their social engineering skills, further paving the way for cyberattacks, fraud, and identity theft.
Scammers Use Similar Patterns
Cybercriminals tend to use similar patterns to carry out their attacks, the two cybersecurity agencies warn. First, fraudsters register domain names that include the target company’s name in combination with words such as “support”, “employee”, “ticket”, or “okta”. Shortly after, they create phishing pages that duplicate the company’s internal VPN login page, including a pop-up dialog or another page to capture two-factor authentication (2FA) or a one-time password (OTP).
By mass-scraping public profiles on social media platforms, professional networking websites, and publicly available background check services, they then collect large amounts of personal information on the target companies’ employees. Next, the scammers use VoIP numbers to call victims on their personal cell phones, posing, for example, as a member of the company’s IT help desk. Some cybercriminals even manage to spoof the legitimate phone numbers of the victim’s colleagues or of the company’s offices, while others use SIM swap attacks to take over the victim’s phone number and so receive any one-time codes sent to it.
During the call, the scammers try to convince the victim that something is wrong with the company’s VPN and that they need to use a new VPN link instead. The goal is to get the victim to read out their credentials or to type them into the fake website, which also prompts for the 2FA or OTP code so that the attacker can use it against the real login page. To the victim, this extra layer of “protection” gives the false impression that the caller’s story is legitimate. Using the vished credentials, the cybercriminals then proceed with their scam, gathering further information and/or accessing the company network, with the end aim of fraudulently obtaining funds.
Recommendations for Organizations and End-Users
In their joint advisory, the FBI and CISA shared tips and recommendations for organizations as well as end-users. Organizations are advised to restrict VPN connections to managed devices only, restrict VPN access hours, harden existing security defences, and increase security awareness. Other mitigating measures include domain monitoring (watching for newly registered domains that combine the company name with words such as “support” or “okta”), scanning and monitoring of web applications, and applying the principle of least privilege (PoLP), under which each account gets only the privileges needed to perform its task or job and nothing more.
Tips for end-users include:
- Always check web links for any misspellings or “not completely right” domain names
- Bookmark your company’s VPN URL and never visit any other URL on the sole basis of a phone call
- Be cautious when someone unknown to you, or a familiar name you were not expecting a call from, contacts you out of the blue and asks you to say or do something you are unsure of or not comfortable with
- Avoid sharing any sensitive information over the phone and/or with someone whose identity you cannot, or did not, verify
- If you suspect vishing, note down the phone number of the caller and the domain name the scammer tries to send you to. Share this information with your employer and/or law enforcement.
- Limit the amount of personal information you share online
- Regularly review your security and privacy settings on apps and social media
In the article “work safely from home” we provide step-by-step instructions for working safely from home, both during the coronavirus crisis and in the future.