There is an ongoing voice phishing (vishing) campaign targeting remote employees across numerous industries. The attackers impersonate a trusted entity and use social engineering to get targets to reveal the credentials for their company's Virtual Private Network (VPN).
The DHS Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint alert about the campaign, which has been running since mid-July.
The COVID-19 crisis compelled many employers to let employees work from home and connect to the corporate network over VPN. If cybercriminals obtain those VPN credentials, they can access the company network.
The threat group first buys and registers domains that host phishing websites spoofing a company's internal VPN login page, and obtains SSL certificates for those domains so that they appear legitimate. Naming schemes used to make the domains look genuine include [company]-support, employee-[company] and support-[company].
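The naming schemes above are simple enough to check mechanically, which is what a domain monitoring rule would do against a feed of new registrations or certificate-transparency entries. The following is an added example, not code from the alert or from any vendor tool. It assumes a hypothetical protected brand (acmecorp) and a constructed list of new domains; the two hyphenated schemes are the ones the alert names, while the affix list beyond "support"/"employee" and the looser "brand embedded in the label" check are assumed extensions that go beyond the specific cases in the text.

```python
import re
from typing import List, Optional, Tuple

# Brand names the organisation wants to protect (hypothetical company).
PROTECTED_BRANDS = ["acmecorp"]

# "support" and "employee" appear in the alert's naming schemes; the other
# affixes are an assumed extension a monitoring rule would also want.
AFFIXES = ["support", "employee", "vpn", "login", "portal", "helpdesk", "sso"]

# Constructed sample of newly registered domains (not real registrations),
# as a domain monitoring or certificate-transparency feed might deliver them.
NEW_DOMAINS = [
    "acmecorp-support.com",   # [company]-support
    "employee-acmecorp.net",  # employee-[company]
    "support-acmecorp.org",   # support-[company]
    "acmecorp.com",           # the real corporate domain; must not be flagged
    "acme-corp-vpn.com",      # brand split by hyphens (assumed variant)
    "weather-report.com",     # unrelated
    "acmecorpsupport.com",    # no hyphen (assumed variant)
]


def second_level_label(domain: str) -> str:
    """Lower-cased label left of the TLD. Naive: it treats the last dot as the
    public-suffix boundary, so 'example.co.uk' would yield 'co'; feed a public
    suffix list in production."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain: str) -> Optional[str]:
    """Return why `domain` looks like a brand impersonation, or None."""
    label = second_level_label(domain)
    if label in PROTECTED_BRANDS:
        return None  # the legitimate registrable domain itself
    affix = "|".join(map(re.escape, AFFIXES))
    for brand in PROTECTED_BRANDS:
        b = re.escape(brand)
        # The two hyphenated schemes named in the alert.
        if re.fullmatch(rf"{b}-(?:{affix})", label):
            return f"[{brand}]-affix scheme"
        if re.fullmatch(rf"(?:{affix})-{b}", label):
            return f"affix-[{brand}] scheme"
        # Looser generalisation (assumed): brand appears anywhere once hyphens
        # are removed, e.g. acme-corp-vpn or acmecorpsupport.
        if brand in label.replace("-", ""):
            return f"{brand} embedded in label"
    return None


def scan(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every domain that matches a lookalike rule."""
    hits = []
    for d in domains:
        reason = lookalike_reason(d)
        if reason:
            hits.append((d, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in scan(NEW_DOMAINS):
        print(f"ALERT {domain}: {reason}")
```

Matches on the exact schemes from the alert deserve a faster response than the looser "embedded" rule, which will also catch benign registrations such as a reseller's site; keep the two tiers separate when routing alerts.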
The threat actors then collect information about the company's workforce by scraping social media profiles and compiling dossiers on specific employees. They gather personal details such as an employee's name, personal phone number, home address, job title and length of employment at the firm, and use this information to gain the trust of the targeted staff.
Employees are then contacted from a voice-over-IP (VoIP) number. At first the VoIP number was unknown, but the attackers later began spoofing the number so that the call appears to come from a company office or from another employee. Employees are told they will receive a link that they must click to sign in to a new VPN system. They are also instructed to act on any two-factor authentication (2FA) and/or one-time password (OTP) prompts they receive on their mobile phone.
The attackers capture the login details as they are entered into the fake website and use them to sign in to the company's real VPN portal. They then capture and use the one-time password and/or 2FA code as soon as the employee responds to the SMS.
The attackers have also used SIM swapping to bypass the 2FA/OTP step: using the information gathered about the employee, they persuade the mobile carrier to port the employee's phone number to a SIM the attackers control, which ensures that any 2FA code is delivered directly to them. With the credentials, the threat actors access the corporate network and steal information that can be used in further vishing attacks. The FBI/CISA note that the goal of the attack is to monetize the VPN access.
The FBI/CISA advise companies to restrict VPN connections to managed devices, by checking the hardware or the certificates installed on it, to restrict the hours during which VPN access to the company network is permitted, to employ domain monitoring tools, and to monitor web applications for anomalous activity and unauthorized access.
A formal authentication process must also be established for employee-to-employee communications over the public telephone network, requiring a second factor to authenticate the call before any sensitive information is disclosed.
Companies must also monitor authorized user access to detect anomalous activity. Employees must be informed about this scam and directed to report any suspicious calls to the security team.
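Two of the recommendations above, restricting VPN hours and monitoring authorized user access for anomalies, can be combined into a simple detection over VPN authentication logs: a successful login from a source IP the user has never used before, or outside the permitted window, is exactly what a phished credential plus relayed OTP looks like from the appliance's side. The following is an added example, not code from the alert or from any VPN vendor. It assumes a generic key=value log format, a permitted window of 07:00 to 20:00 UTC, and constructed log lines; the baseline of known source IPs per user is built from the earlier lines.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timezone
from typing import Dict, List, Set

# Constructed VPN authentication log lines (not from a real appliance).
# The "ts user= src= result=" layout is an assumed generic format.
BASELINE_LOG = """
2020-08-10T08:02:11Z user=jdoe src=198.51.100.23 result=success
2020-08-11T08:15:40Z user=jdoe src=198.51.100.23 result=success
2020-08-11T09:01:02Z user=asmith src=192.0.2.77 result=success
2020-08-12T08:05:19Z user=jdoe src=198.51.100.23 result=success
"""

NEW_LOG = """
2020-08-20T08:10:03Z user=asmith src=192.0.2.77 result=success
2020-08-20T13:44:51Z user=jdoe src=203.0.113.7 result=success
2020-08-21T02:14:05Z user=jdoe src=203.0.113.9 result=success
2020-08-21T02:15:40Z user=asmith src=192.0.2.77 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed permitted VPN window (UTC); the alert recommends restricting hours
# but does not prescribe a window.
ALLOWED_HOURS = (time(7, 0), time(20, 0))


def parse(log: str) -> List[dict]:
    """Parse log lines into events; lines that do not match are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def build_baseline(events: List[dict]) -> Dict[str, Set[str]]:
    """Source IPs each user has successfully logged in from before."""
    known: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            known[e["user"]].add(e["src"])
    return known


def off_hours(ts: datetime) -> bool:
    t = ts.time()
    return not (ALLOWED_HOURS[0] <= t < ALLOWED_HOURS[1])


def detect(known: Dict[str, Set[str]], events: List[dict]) -> List[dict]:
    """Flag successful logins from an unseen IP and/or outside permitted hours.
    Failures are ignored here; a separate rule should count them."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        signals = []
        if e["src"] not in known.get(e["user"], set()):
            signals.append("new source IP")
        if off_hours(e["ts"]):
            signals.append("outside permitted hours")
        if signals:
            findings.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "src": e["src"],
                "signals": signals,
                "severity": "high" if len(signals) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for f in detect(baseline, parse(NEW_LOG)):
        print(f"{f['severity'].upper()} {f['ts']} {f['user']} from {f['src']}: {', '.join(f['signals'])}")
```

A login that trips both signals should page someone rather than land in a queue, because by that point the attacker already holds a working session; the session should be terminated and the credential reset before the source is investigated.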