FBI and CISA warn of the growing threat of "vishing" as remote work increases
How to avoid Phishing

According to the FBI and CISA (Cybersecurity and Infrastructure Security Agency), a threat is growing that has drawn the attention of both agencies.

The threat is aimed directly at remote workers, whose numbers have grown during the Covid-19 pandemic. Another reason for the increase in attacks is the reliance on corporate VPNs: a remote employee's VPN login is exactly what the attackers are after.

Vishing, or voice phishing, is a social engineering technique widely used by online scammers. Pretending to be a support agent, a service provider or similar, the caller makes contact with employees of a company. Some of these criminals have detailed knowledge of the company's internal structure.

One of the most notable incidents involved the accounts of various celebrities being hijacked for a Bitcoin scam. Experts from the two agencies state:

“In mid-July 2020, cybercriminals began a vishing campaign, gaining access to employee tools at various indiscriminately targeted companies, with the ultimate goal of monetizing access. Using vished credentials, the cybercriminals mined the victim company's databases for the personal information of its customers to exploit in other attacks. The monetization method varied by company, but was very aggressive, with a tight schedule between the initial breach and the disruptive recall scheme.”

What is Vishing and how does it work?

Vishing attacks occur when victims receive fraudulent phone calls. The callers pose as a service provider, a company representative or even technical support for a service that the targeted company has contracted.

Our cybersecurity expert describes in more detail how vishing works:

“Phishing is a global threat that affects people and businesses every day. The purpose of this attack is to get people to hand over, through calls and messages, all possible information about their personal accounts, whether banking, social networks, etc. Through these means the cybercriminal seeks to make the victim believe it is something they need, in order to trap them,” explains José Domingo Abogabir, CEO and General Director of Measured Security.

“Threat actors register domains and create phishing pages that duplicate a company’s internal VPN login page, and also capture two-factor authentication (2FA) or one-time passwords (OTP),” says the notice.

The criminals then compile dossiers on employees of the specific companies they are interested in, drawing on the employees' social media profiles, marketing and recruitment tools, and background-verification services.

Using unattributed VoIP numbers, the criminals call their victims directly, spoofing the phone numbers of other offices and employees of the target company.

Social engineering techniques are used, and the personal details already known about the employee are often used to gain their trust. Posing as a support engineer, the attacker persuades the victim to enter their credentials (including any 2FA or OTP code) on the fake page, and that data is used to gain access to the company's systems in real time.

In this regard, the FBI explains the following:

“In some cases, unsuspecting employees approved the 2FA or OTP message, either accidentally or believing it was the result of previous access granted to the help desk copycat.

In other cases, attackers have used a SIM-swap attack on employees to bypass 2FA and OTP authentication. The actors then used employee access to conduct further investigations on the victims and/or to obtain funds fraudulently using various methods depending on the platform being accessed.”

How can you prevent vishing in your organization?

These are some of the tips that FBI and CISA experts have published for companies to protect themselves from this type of attack:

  • Restrict VPN connections to managed devices only, using mechanisms such as hardware checks and/or installed certificates, so that a user cannot log in to the corporate VPN with credentials alone.
  • Restrict VPN access to permitted hours.
  • Employ domain monitoring to track the registration of, or changes to, corporate and brand-name domains.
  • Monitor web applications for unauthorized access and/or unusual activity.
  • Monitor user access and apply the principle of least privilege; implement software restriction policies.
  • Improve 2FA and OTP messaging so that employees are not confused about which authentication attempt they are approving.
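The advisory's observation that attackers register domains imitating the corporate VPN login page, and the domain-monitoring tip above, can be turned into a small screening step. The following script is an added example, not code from the FBI/CISA advisory or from the page's author: it takes a feed of newly observed domain names (such as one pulled from certificate-transparency logs or a registrar zone file) and flags those that look like impersonations of a brand. The brand name `examplecorp`, the legitimate domain list and the sample feed are all constructed assumptions for illustration.

```python
"""Screen newly observed domains for look-alikes of a company's VPN/SSO login
domain.  Added example, not the advisory's own tooling.  Brand, legitimate
domains and the feed below are constructed for the demonstration."""

# Hypothetical brand and its legitimate domains (assumption for the example).
BRAND = "examplecorp"
LEGIT_DOMAINS = {"examplecorp.com", "vpn.examplecorp.com", "sso.examplecorp.com"}

# Words attackers pair with a brand to imitate an internal login page.
LURE_WORDS = ("vpn", "sso", "login", "helpdesk", "support", "portal", "remote")

# Visually similar substitutions folded away before comparing with the brand.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

# Constructed sample feed of "newly registered" domains (not real observations).
SAMPLE_FEED = [
    "examplecorp-vpn.com", "examp1ecorp.com", "exarnplecorp.com", "examplecrop.com",
    "helpdesk-examplecorp.com", "vpn.examplecorp.com.evil.net", "examplecorp.net",
    "unrelated-shop.com", "example.com", "sso.examplecorp.com",
]


def normalize(label: str) -> str:
    """Fold homoglyph sequences into their ASCII look-alike ('examp1ecorp' -> 'examplecorp')."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a small distance to the brand suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> list:
    """Return the reasons a domain looks like a brand impersonation (empty list if none).
    Public-suffix handling is simplified: the registrable label is assumed to be the
    second-to-last DNS label (no multi-part TLDs such as co.uk)."""
    domain = domain.lower().strip(".")
    if domain in LEGIT_DOMAINS or domain.endswith("." + BRAND + ".com"):
        return []
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    norm = normalize(label)
    reasons = []
    if norm == BRAND:
        # Exact brand after folding: a homoglyph spelling, or the brand under another TLD.
        reasons.append("homoglyph" if label != BRAND else "brand-on-other-tld")
    elif BRAND in norm:
        # Brand plus an affix; a lure word makes it read like an internal login site.
        affix = norm.replace(BRAND, "")
        lure = next((w for w in LURE_WORDS if w in affix), None)
        reasons.append(f"brand+lure:{lure}" if lure else "brand-with-affix")
    else:
        dist = levenshtein(norm, BRAND)
        if dist <= 2:
            reasons.append(f"typosquat:distance={dist}")
    # Brand hidden in the subdomain labels of an unrelated registrable domain.
    if any(BRAND in normalize(p) for p in parts[:-2]):
        reasons.append("brand-as-subdomain")
    return reasons


def scan(new_domains) -> dict:
    """Run each newly observed domain through classify(); return only the hits."""
    hits = {}
    for d in new_domains:
        reasons = classify(d)
        if reasons:
            hits[d] = reasons
    return hits


if __name__ == "__main__":
    for d, why in scan(SAMPLE_FEED).items():
        print(f"{d:35s} {', '.join(why)}")
```

Each hit is a candidate for a takedown request and, more immediately, for blocking at the proxy and mail gateway before an employee can be walked to it over the phone. The checks are deliberately conservative (edit distance of at most two, exact brand substring), so a real deployment would add the company's other brand names and extend `LURE_WORDS` with the vendor names of its own SSO and help-desk tooling.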