The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory on Thursday, warning about an ongoing wave of vishing attacks targeting the US private sector.
Vishing, or voice phishing, is a form of social engineering where criminals call victims to obtain desired information, usually posing as other persons.
According to the FBI and CISA, in mid-July 2020, cybercriminals started a vishing campaign targeting employees working from home for US companies. The attackers collected login credentials for corporate networks, which they then monetized by selling the access to corporate resources to other criminal gangs.
The two cyber-security agencies didn't name targeted companies, but instead described the technique the attackers used, which usually followed the same pattern.
Per the two agencies, cybercrime groups started by first registering domains that looked like company resources, and then created and hosted phishing sites on these domains. The domains usually had a structure like:
The phishing pages were made to look like a targeted company's internal VPN login page, and the sites were also capable of capturing two-factor authentication (2FA) or one-time passwords (OTP), if the situation required.
Criminal groups then compiled dossiers on the employees working for the companies they wanted to target, usually by "mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research."
Collected information included: name, home address, personal cell/phone number, the position at the company, and duration at the company, according to the two agencies.
The attackers than called employees using random Voice-over-IP (VoIP) phone numbers or by spoofing the phone numbers of other company employees.
"The actors used social engineering techniques and, in some cases, posed as members of the victim company's IT help desk, using their knowledge of the employee's personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee," the joint alert reads.
"The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP."
When the victim accessed the link, for the phishing site hackers had created, the cybercriminals logged the credentials, and used it in real-time to gain access to the corporate account, even bypassing 2FA/OTP limits with the help of the employee.
"The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed," the FBI and CISA said.
The two cyber-security agencies are now warning companies to keep on the lookout for threat actors targeting their telework (work-from-home) employees using this technique.
To help companies, FBI and CISA experts shared a series of tips and recommendations for companies and their employees, which we'll reproduce below.