Alert: Vishing Attacks Are SurgingFBI, CISA Warn: Hackers Targeting Those Who Are Working at Home
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency warn that hackers are increasingly using voice phishing, or vishing, to target employees who are working from home due to the COVID-19 pandemic.
See Also: Top 50 Security Threats
In a joint alert, the FBI and CISA warn of an ongoing, widespread vishing campaign that started in mid-July and is targeting remote workers to steal log-in credentials and other data and then use that information to launch other attacks or to steal financial data.
"Using vished credentials, cybercriminals mined the victim company databases for their customers' personal information to leverage in other attacks," according to the alert. "The monetizing method varied depending on the company but was highly aggressive, with a tight timeline between the initial breach and the disruptive cash out scheme."
Vishing fraudsters use a variety of social engineering techniques over the telephone or by leaving voice messages to trick victims into providing credentials or other personal data. Since the start of the COVID-19 pandemic, law enforcement agencies in the U.S. and elsewhere have warned of an increase in fraud, including vishing and other phishing scams, that targets at-home employees (see: Global Cybercrime Surging During Pandemic).
The increase in social engineering tactics, such as those used with phishing or vishing, points to the need for companies to redesign security for the long-term shift to working from home, says Ray Kelly, principal security engineer at WhiteHat Security
"Proper employee training and employing services that test human susceptibility to social engineering attacks, such as email spear phishing, voice phishing and in-person attacks, can be vital to help prevent employees from being the security gap in any organization," Kelly tells Information Security Media Group.
Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, says that while vishing is not a new type of fraud, the fact that employees are now at home makes them more susceptible.
"With more employees working remotely for the first time, criminals are taking advantage of the situation to make their attacks more successful," Honan tells Information Security Media Group. "Companies need to reassess the security of their remote workers. Not just for these type of attacks, but also consider that their workers are now working from potentially less secure environments than their normal workplaces as they use consumer-level devices, such as home WiFi routers."
The release of the joint FBI and CISA alert was first reported by security blogger Brian Krebs on Friday. The warning was also posted to several state agency websites before being pulled down.
While the FBI and CISA did not name the organizations targeted by these attacks, the alert notes that the same attack pattern was used several times.
The two agencies warn that the initial steps of this vishing campaign involve fraudsters registering fake domains and creating pages duplicating an organization's internal VPN login page to harvest two-factor authentication credentials or one-time passwords.
"Actors also obtained Secure Sockets Layer certificates for the domains they registered and used a variety of domain naming schemes like support-[company], ticket-[company], employee-[company], [company]-support, and [company]-okta," according to the alert.
The fraudsters then form a dossier of the employees at the organizations they are targeting using public profiles on social media platforms, recruiter and marketing tools, publicly available background check services and open-source research, according to the alert. The scammers are able to ascertain information, such as the victim's name, home address, telephone number, position at company and length of employment.
"Actors first began using unattributed Voice over Internet Protocol numbers to call targeted employees on their personal cell phones, and later began incorporating spoofed numbers of other offices and employees in the victim company," the alert notes.
Social Engineering Techniques
The fraudsters use social engineering techniques, such as posing as IT help desk staff members. The scammers use employees' personal information to gain trust and help convince them that a new VPN link is being sent and that they would need their credentials to complete the process, according to the alert.
"The actor logged the information provided by the employee and used it in real time to gain access to corporate tools using the employee’s account," the alert notes.
In other cases, the FBI and CISA note, fraudsters use SIM-swapping techniques to bypass two-factor authentication and one-time password protections. SIM-swapping usually involves persuading a carrier's customer service representative to move a phone number to a different SIM card - a swap - or port it to another carrier. In other cases, criminal gangs may work with an employee of a mobile operator, who is then able to bypass security mechanisms and transfer a subscriber's number (see: How Wireless Carriers Open the Door to SIM Swapping Attacks).
An Effective Fraud Tactic
Chris Hazelton, a director at security firm Lookout, notes that this type of vishing scheme is becoming more effective than other phishing methods as a way to persuade employees to give fraudsters access to their credentials and other data.
"Receiving a call from a confident, well-spoken actor who is using public information from social networks, or corporate data from already breached corporate directories, goes a lot further than a phishing email with misspellings or incorrect terms," Hazelton tells ISMG. "Attackers that guide targets through a multistep authentication process that mirrors the real procedure is something that few users are confident or knowledgeable enough to question as suspicious."