Cyber Crime

Hackers are targeting teleworkers with vishing campaign, CISA and FBI warn

The FBI and CISA issued a joint alert to warn teleworkers of an ongoing vishing campaign targeting entities from multiple US sectors.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory to warn teleworkers of an ongoing vishing campaign targeting organizations across multiple US industry sectors.

Voice phishing (vishing) is a form of telephone fraud that uses social engineering over the phone system to obtain private personal and financial information for financial gain.

The attackers aim to collect login credentials for the target organizations' networks and then monetize them by selling access to corporate resources on cybercrime underground markets.

The campaign is worrisome because the COVID-19 pandemic has sharply increased the number of employees working from home, increased reliance on corporate VPNs, and eliminated in-person verification.

“In mid-July 2020, cybercriminals started a vishing campaign — gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access,” reads the alert.

“Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks. The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”

The agencies provide technical details about the attack technique used by cybercriminals.

Threat actors first registered domains and created phishing pages that mimic the company's internal VPN login page; the pages were also built to capture two-factor authentication (2FA) codes or one-time passwords (OTP). The attackers obtained Secure Sockets Layer (SSL) certificates for the domains they registered and used a variety of domain naming schemes, including the following examples:

  • support-[company]
  • ticket-[company]
  • employee-[company]
  • [company]-support
  • [company]-okta

Threat actors compiled dossiers on employees of the companies they wanted to target, gathering data by scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.

The information collected included name, home address, personal cell/phone number, position at the company, and length of employment there.

Threat actors then called employees directly on their personal cellphones, using random Voice-over-IP (VoIP) phone numbers or spoofing the phone numbers of other company employees.

“The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee,” continues the alert.

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP.”

When the victim entered their details on the phishing site, including any 2FA or OTP code, the attackers used them in real time to access the corporate account. In some cases, the attackers used a SIM-swap attack against the employee to obtain the 2FA or OTP code sent to the victim's phone.

“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the FBI and CISA said.

The two agencies shared a series of recommendations for companies and their employees:

Organizational Tips:

  • Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
  • Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
  • Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
  • Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
  • Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
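The naming schemes listed above and the "domain monitoring" tip in the organizational list can be turned into a simple detection. The following is an added example, not code from the advisory or from SecurityAffairs: it assumes a newly-registered-domain or certificate-transparency feed flattened to one "timestamp hostname" line per entry (the feed below is constructed), a corporate brand token, and the set of legitimate corporate domains. It flags the `<token>-[company]` and `[company]-<token>` patterns quoted in the alert and, going a step beyond the page, any other label that embeds the brand name. A small helper at the end implements the end-user tip of comparing a link against the bookmarked VPN URL.

```python
"""Flag look-alike domains of the kind described in the CISA/FBI vishing alert.

Added example (not the advisory's or the site's own code). Assumes a feed of
newly seen hostnames, one "<timestamp> <hostname>" per line; SAMPLE_FEED is
constructed for this example.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Naming schemes quoted in the alert: <token>-[company] and [company]-<token>.
# Extend these tuples with the help-desk / SSO vocabulary your company uses.
PREFIX_TOKENS = ("support", "ticket", "employee")
SUFFIX_TOKENS = ("support", "okta")

# Constructed sample feed, e.g. from a certificate-transparency watcher.
SAMPLE_FEED = """\
2020-07-15T09:12:04Z vpn.examplecorp.com
2020-07-15T09:13:51Z support-examplecorp.com
2020-07-15T09:20:17Z www.examplecorp-okta.net
2020-07-15T09:31:40Z ticket-examplecorp.co
2020-07-15T09:45:02Z photos.unrelated.org
2020-07-15T10:01:22Z examplecorp.net
2020-07-15T10:05:09Z myexamplecorp-login.com
"""

# Assumed legitimate corporate registrable domain(s); any subdomain is allowed.
LEGIT_DOMAINS = {"examplecorp.com"}


def _labels(hostname: str) -> List[str]:
    return hostname.lower().rstrip(".").split(".")


def registrable_domain(hostname: str) -> str:
    """Return '<label>.<tld>'. Assumption: single-label public suffixes only;
    a production version should consult the Public Suffix List (e.g. .co.uk)."""
    labels = _labels(hostname)
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def registrable_label(hostname: str) -> str:
    """The label directly left of the TLD, i.e. the part an attacker chooses."""
    return registrable_domain(hostname).split(".")[0]


def classify(hostname: str, company: str, legit: Set[str]) -> Optional[str]:
    """Return a reason string when hostname looks like a vishing domain, else None."""
    company = company.lower()
    if registrable_domain(hostname) in legit:
        return None  # our own domain (any subdomain) is never a hit
    label = registrable_label(hostname)
    if label in {f"{p}-{company}" for p in PREFIX_TOKENS}:
        return "advisory pattern: <token>-[company]"
    if label in {f"{company}-{s}" for s in SUFFIX_TOKENS}:
        return "advisory pattern: [company]-<token>"
    if label == company:
        return "brand name in unexpected TLD"
    if company in label:
        return "brand name embedded in label"  # broader catch beyond the alert
    return None


def scan_feed(feed: str, company: str, legit: Set[str]) -> List[Tuple[str, str]]:
    """Run classify() over every feed line and return (hostname, reason) hits."""
    hits: List[Tuple[str, str]] = []
    for line in feed.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash the monitor
        reason = classify(parts[1], company, legit)
        if reason:
            hits.append((parts[1], reason))
    return hits


def url_matches_bookmark(url: str, bookmark: str) -> bool:
    """End-user check: a link is only trusted if its scheme and full hostname
    equal those of the bookmarked VPN URL (path and query may differ)."""
    a, b = urlparse(url), urlparse(bookmark)
    return a.scheme == b.scheme == "https" and a.hostname == b.hostname


if __name__ == "__main__":
    for host, why in scan_feed(SAMPLE_FEED, "examplecorp", LEGIT_DOMAINS):
        print(f"ALERT {host}: {why}")
```

In practice the feed would come from a certificate-transparency monitor or a registrar zone-file diff, and hits would be routed to the team that handles takedowns and, per the alert, to law enforcement. The hostname-equality check in `url_matches_bookmark` is deliberately strict: a link is accepted only when it points at exactly the bookmarked host, so any look-alike registrable domain fails regardless of how closely its name resembles the real one.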

End-User Tips:

  • Verify web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
  • For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit the CISA Security Tips below:

Pierluigi Paganini

(SecurityAffairs – hacking, vishing)
