After news that attackers have been carrying out a successful voice phishing campaign against companies for circa a month, US Govt. orgs. have put-out advice on how home-working employees can defend against this.
The US Govt. is emphasising recent warnings published last week about an increase in voice phishing, or vishing, attacks, targeting companies.
Both the Federal Bureau of Investigation (FBI) & the US Cybersecurity & Infrastructure Security Agency (CISA) warned of an ongoing campaign, that takes advantage of a remote workforce.
The joint-advisory says the campaign’s success is because of a to “a mass change to working from home, resulting in increased use of corporate virtual private networks (VPNs) & elimination of in-person verification.”
These American organisations claim that since mid-July, cyber-criminals have been using phony voice messages pretending to come from a higher authority, to try to get access to employee tools, eventually monetising the access.
“Using vished credentials, cyber-criminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” the advisory read.
The warning came soon after cyber-security writers Brian Krebs, via his Krebson Security blog, & Andy Greenberg, through Wired, cautioned that there has been an increase in phone spear-phishing attacks.
Krebs’ examined 1 group that uses phone calls & custom phishing sites to steal company VPN credentials. Wired’s story looked at the hacks from the perspective of July’s Twitter hack, in which attackers took over accounts belonging to CEOs, politicians, & celebrities.
Features of attacks are phoney but real-looking versions of company VPN login pages. Attackers also used Secure Sockets Layer (SSL) certificates for domains they registered to make them appear real said the FBI.
The domains impersonate the following naming schemes:
Following researching targets through gathering names, addresses, positions, & length of service with a company, the attackers used VoIP numbers to dial them directly. Using a mixture of social engineering tactics, e.g. disguising themselves as a member of the company’s IT team or using some of their personal data.
The attackers fooled targets into thinking they would be sending along a new VPN link, together with a 2-factor authentication passcode or 1-time password.
If staff approved the prompt or responded with a 2FA code, the attackers gained access to the company’s network to steal data & gain a way-in for future attacks.
While it likely gives greater difficulty for the attacker, other attacks have used a ‘SIM swapping’. This is an attack in which someone contacts your wireless carrier & impersonates you, via previously leaked data so as to sidestep 2FA & 1-time password authentication, the FBI & CISA claim.
To stop attacks the groups are asking organisations to tighten up VPN security by restricting connections to managed devices only, reducing access hours, to scan & monitor web apps for access, modification, & activities which ‘fall outside of the norm’, & to streamline 2FA & 1 time password messaging to ensure employees are fully aware.