The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory on Thursday, warning about an ongoing wave of vishing attacks targeting the US private sector.
Vishing, or voice phishing, is a form of social engineering where criminals call victims to obtain desired information, usually posing as other persons.
According to the FBI and CISA, in mid-July 2020, cybercriminals started a vishing campaign targeting employees working from home for US companies. The attackers collected login credentials for corporate networks, which they then monetized by selling the access to corporate resources to other criminal gangs.
How attacks happened
The two cyber-security agencies didn't name targeted companies, but instead described the technique the attackers used, which usually followed the same pattern.
Per the two agencies, cybercrime groups started by first registering domains that looked like company resources, and then created and hosted phishing sites on these domains. The domains usually had a structure like:
- support-[company]
- ticket-[company]
- employee-[company]
- [company]-support
- [company]-okta
The phishing pages were made to look like a targeted company's internal VPN login page, and the sites were also capable of capturing two-factor authentication (2FA) or one-time passwords (OTP), if the situation required.
Criminal groups then compiled dossiers on the employees working for the companies they wanted to target, usually by "mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research."
Collected information included: name, home address, personal cell/phone number, the position at the company, and duration at the company, according to the two agencies.
The attackers than called employees using random Voice-over-IP (VoIP) phone numbers or by spoofing the phone numbers of other company employees.
"The actors used social engineering techniques and, in some cases, posed as members of the victim company's IT help desk, using their knowledge of the employee's personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee," the joint alert reads.
"The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP."
When the victim accessed the link, for the phishing site hackers had created, the cybercriminals logged the credentials, and used it in real-time to gain access to the corporate account, even bypassing 2FA/OTP limits with the help of the employee.
"The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed," the FBI and CISA said.
The two cyber-security agencies are now warning companies to keep on the lookout for threat actors targeting their telework (work-from-home) employees using this technique.
Featured
To help companies, FBI and CISA experts shared a series of tips and recommendations for companies and their employees, which we'll reproduce below.
Organizational Tips:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
- Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
- Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
- Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
End-User Tips:
- Verify web links do not have misspellings or contain the wrong domain.
- Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information. If possible, try to verify the caller's identity directly with the company.
- If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
- Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
- Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
- For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit the CISA Security Tips below: