The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert on Thursday warning of the growing threat of voice phishing, or "vishing", attacks against companies. The warning came less than 24 hours after KrebsOnSecurity published an in-depth look at a criminal group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the COVID-19 pandemic.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs). In mid-July 2020, cybercriminals started a vishing campaign, gaining access to employee tools at multiple companies with indiscriminate targeting, with the end goal of monetizing the access.”
As noted in Wednesday's report, the agencies said the phishing sites set up by the attackers typically included hyphens, the target company's name, and certain words such as “support”, “ticket” and “employee”. The attackers focused on social engineering new hires at the targeted company and impersonated staff from the target company's IT help desk.
The FBI/CISA joint alert said the vishing gang also compiled dossiers on employees of specific companies at scale by mining public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open source research. From the alert:
“The actors first called the targeted employee's personal mobile phone from an unattributed VoIP number, and later began using spoofed numbers belonging to other offices and employees of the victim's company. The actors used social engineering techniques and, in some cases, posed as members of the victim company's IT help desk, using their knowledge of the employee's personally identifiable information – including name, position, time at the company, and home address – to gain the trust of the targeted employee.”
“The actors then convinced the targeted employee that a new VPN link would be sent and that they needed to log in, including any 2FA [two-factor authentication] or OTP [one-time password] security credentials, which were also obtained through this method. The actors then logged the information the employee provided and used it in real time to access corporate tools with the employee's account.”
The alert notes that in some cases the unsuspecting employees approved the 2FA or OTP prompt, sometimes by accident. In other cases, the attackers intercepted the one-time codes by SIM-swapping the employee's phone number, which involves socially engineering the mobile carrier's staff into handing control of the target's phone number to the attacker.
The agencies said the scammers used the stolen VPN credentials to mine the victim companies' databases for customers' personal information to use in other attacks.
“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods depending on the platform being accessed,” the alert reads. “The monetizing method varied depending on the company but was highly aggressive, with a tight timeline between the initial breach and the disruptive cashout scheme.”
The alert includes a number of suggestions that companies can implement to help mitigate the threat of these vishing attacks, including:
-Restrict VPN connections to managed devices only, using mechanisms such as hardware checks or installed certificates, so that user input alone is not enough to access the corporate VPN.
-Where applicable, restrict VPN access hours to reduce access outside of allowed times.
-Employ domain monitoring to track the creation of, or changes to, corporate and brand-name domains.
-Actively scan and monitor web applications for unauthorized access, modification and anomalous activity.
-Employ the principle of least privilege, implement software restriction policies or other controls, and monitor authorized users' access and usage.
-Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network, where a second factor is used to authenticate the phone call before sensitive information is discussed.
-Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
-Verify that web links do not have misspellings or contain the wrong domain.
-Bookmark the correct corporate VPN URL, and do not visit alternative URLs on the sole basis of an inbound phone call.
-Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure.
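The lookalike-domain pattern described earlier in this article (hyphens, the target company's name, and words such as “support”, “ticket” and “employee”) is concrete enough that the domain-monitoring recommendation above can be turned into an automated check. The following Python script is an added example written for this article; it is not code from the FBI/CISA alert or from KrebsOnSecurity. The brand name "examplecorp", the allowlist of domains the company owns, the keywords beyond the three named in the alert, and the feed entries it scans are all constructed for illustration. It scores each candidate domain as it might arrive from a certificate transparency or newly registered domain feed, and flags those that combine the brand name with the other signals.

```python
"""Score candidate domain names for the vishing lookalike pattern: the
target company's name, hyphens and words such as "support", "ticket" and
"employee".  Added example; the brand, allowlist, extra keywords and the
sample feed below are constructed, not taken from the alert."""
import re
from typing import List, Tuple

BRAND = "examplecorp"                               # assumption: the monitored company
ALLOWLIST = {"examplecorp.com", "examplecorp.net"}  # assumption: domains it really owns
# "support", "ticket" and "employee" are the words named in the alert;
# the rest are assumed additions a defender would also watch for.
KEYWORDS = ("support", "ticket", "employee", "helpdesk", "vpn", "sso", "login")

# Constructed feed lines, as they might come from a CT-log or new-domain feed.
SAMPLE_FEED = [
    "examplecorp-support.com",
    "vpn.examplecorp.com",
    "examplecorp-employee-ticket.net",
    "examp1ecorp.com",
    "examplecorp.com.ticket-portal.net",
    "https://employee-support-examplecorp.com/login",
    "unrelated-ticket-shop.org",
]


def normalize(candidate: str) -> str:
    """Strip scheme, path, port, case and trailing dot so URLs and bare names compare alike."""
    host = re.sub(r"^[a-z]+://", "", candidate.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list here; use tldextract in production
    so that multi-label suffixes such as co.uk are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_in_label(label: str) -> bool:
    """True if the brand appears in the label verbatim or as a one-edit
    typosquat (substitution, insertion or deletion, e.g. examp1ecorp)."""
    if BRAND in label:
        return True
    n = len(BRAND)
    for width in (n - 1, n, n + 1):
        for i in range(max(0, len(label) - width) + 1):
            if edit_distance(label[i:i + width], BRAND) <= 1:
                return True
    return False


def score_domain(candidate: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher scores combine more of the alert's signals."""
    host = normalize(candidate)
    reg = registrable(host)
    if reg in ALLOWLIST:
        return 0, ["allowlisted"]
    reg_label = reg.split(".")[0]
    sub = host[: -len(reg) - 1] if host != reg else ""
    sub_labels = sub.split(".") if sub else []
    score, reasons = 0, []
    if brand_in_label(reg_label):
        score += 3
        reasons.append("brand in registrable domain")
    elif any(brand_in_label(lbl) for lbl in sub_labels):
        # e.g. examplecorp.com.ticket-portal.net: the brand is only a subdomain
        score += 2
        reasons.append("brand only as subdomain of an unrelated domain")
    if "-" in reg_label:
        score += 1
        reasons.append("hyphen in registrable label")
    hits = sorted({k for k in KEYWORDS for lbl in [reg_label, *sub_labels] if k in lbl})
    if hits:
        score += len(hits)
        reasons.append("keywords: " + ", ".join(hits))
    return score, reasons


def scan(feed: List[str], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Return the feed entries whose score reaches the threshold, for analyst review."""
    flagged = []
    for line in feed:
        score, reasons = score_domain(line)
        if score >= threshold:
            flagged.append((normalize(line), score, reasons))
    return flagged


if __name__ == "__main__":
    for host, score, reasons in scan(SAMPLE_FEED):
        print(f"{score}  {host}  ({'; '.join(reasons)})")
```

With the default threshold of 4, the four entries that pair the brand with a hyphen or a help-desk keyword are flagged, while the allowlisted vpn.examplecorp.com is ignored. Note that the lone one-character typosquat examp1ecorp.com scores only 3 and slips under the threshold; a team that can absorb the extra review volume should lower the threshold to 3 or weight typosquats more heavily. The registrable-domain heuristic is deliberately naive; a production version should use a public-suffix list and consume a real certificate transparency or new-registration feed.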