
FBI, CISA Alert of Surge in Vishing Cyberattacks on Remote Workers

Hackers are targeting remote workers through a voice phishing, or “vishing,” campaign in an effort to collect enterprise login credentials, later selling access to company networks.

Hackers are targeting employees working remotely amid the COVID-19 pandemic with a voice phishing, or “vishing,” campaign to obtain enterprise login credentials. With those credentials they mine company databases for personal information that is then used in later cyberattacks, according to a joint alert from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.

This is the second massive vishing campaign reported amid the pandemic. In June, IRONSCALES determined remote healthcare workers were being targeted with a vishing campaign designed to exploit legacy technology used to send voicemail messages to employees. 

Remote work has surged amid the coronavirus crisis, leaving a massive number of employees dependent on corporate Virtual Private Networks (VPNs) and removing the in-person verification that normally accompanies IT support requests. Hackers launched a vishing campaign in mid-July that targeted employees at companies across a range of sectors with the goal of monetizing the access they gained.

“Using vished credentials, cybercriminals mined the company databases for their customers’ personal information to leverage in other attacks,” officials warned. “The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme.”

These attacks followed a common scheme. The hacker first registered look-alike domains and built phishing pages that replicated the company’s internal VPN login page. Because the fake page was a functional copy of the real one, it captured not only the username and password but also the two-factor authentication (2FA) or one-time password (OTP) code the employee typed in.

The actors also obtained Secure Sockets Layer (SSL) certificates for the registered domains, so the fake login pages were served over HTTPS and showed the browser padlock a user would expect. Officials explained that the threat actors used a range of domain naming schemes, such as support-[company name], ticket-[company], employee-[company], [company]-support, and [company]-okta.

The hackers would then build complete dossiers on each employee at the targeted company through a mass-scraping campaign that would pull data from social media sites, recruiter and marketing tools, background check services, and open-source research. 

This effort would provide the hackers with names, home addresses, personal cellphone numbers, home phone numbers, and each employee’s role and tenure at the targeted company.

After compiling the profiles, the attackers would then use unattributed Voice-over-Internet-Protocol (VoIP) numbers to call targeted employees on their personal cellphones, later using spoofed numbers of other employees and offices from the targeted company. 

Then, using social engineering techniques, the hackers would pose as a member of the targeted company’s IT help desk and use the collected personal details to gain the employee’s trust. Once accomplished, they would tell the employee that a new VPN link was being sent, and that logging in would require the employee’s 2FA or OTP code.

The hacker would then log the information provided by the employee and use it in real-time to gain access to company tools through the employee’s account. Attackers were also observed using a SIM-Swap attack to bypass 2FA or OTP. Both of the attack methods proved successful. 

“The actors then used the employee access to conduct further research on the victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” officials explained.

Given the success of these campaigns, CISA and FBI officials provided multiple mitigation steps for organizations. To begin, enterprises should employ domain monitoring, which tracks the registration of, and changes to, domains that incorporate the company’s brand name.
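The naming schemes quoted above are specific enough to monitor for. The following is an added example, not code from the alert or from the article, of how a domain-monitoring job might screen a feed of newly observed domains (for instance from certificate transparency logs) against those five templates. It generalizes slightly beyond the alert: the hyphen may be dropped, the brand may sit under any top-level domain, and the company’s own domains are allow-listed so legitimate subdomains such as support.acme.com are not flagged. The company name “acme”, the allow-list, the feed lines, and the short suffix list are all constructed for the example; a production job would use the Public Suffix List rather than the toy list here.

```python
"""Flag look-alike domains matching the naming schemes from the FBI/CISA vishing alert.

Added example; not code from the alert. Inputs below are constructed.
"""
import re

# The five schemes quoted in the alert; "{c}" is the targeted company/brand name.
ALERT_SCHEMES = {
    "support-{c}":  "support{sep}{c}",
    "ticket-{c}":   "ticket{sep}{c}",
    "employee-{c}": "employee{sep}{c}",
    "{c}-support":  "{c}{sep}support",
    "{c}-okta":     "{c}{sep}okta",
}

# The alert shows a hyphen; we also accept no separator (assumption: "ticketacme"
# reads the same as "ticket-acme" to a hurried employee).
SEP = "-?"

# Toy suffix list so the example runs offline. Real code should use the Public
# Suffix List; multi-label suffixes like co.uk are why a naive split() is wrong.
SUFFIXES = ("co.uk", "com.au", "com", "net", "org", "io", "xyz", "top")


def build_matchers(company):
    """Compile one anchored regex per scheme for the given brand name."""
    c = re.escape(company.lower())
    return {
        name: re.compile("^" + pat.format(c=c, sep=SEP) + "$")
        for name, pat in ALERT_SCHEMES.items()
    }


def split_domain(fqdn):
    """Return (subdomain_labels, registrable_label, suffix) or None if the suffix is unknown.

    Longest suffix wins, so "employee-acme.co.uk" yields registrable label
    "employee-acme" rather than "co".
    """
    host = fqdn.lower().rstrip(".")
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suf):
            labels = host[: -len(suf) - 1].split(".")
            return labels[:-1], labels[-1], suf
    return None


def flag_lookalikes(company, legit_domains, observed):
    """Return [(domain, scheme_name)] for observed domains whose registrable label
    matches one of the alert's schemes, skipping the company's own domains."""
    matchers = build_matchers(company)
    legit = {d.lower() for d in legit_domains}
    hits = []
    for fqdn in observed:
        host = fqdn.lower().rstrip(".")
        # Allow-list: the company's own zone, including its real subdomains.
        if any(host == d or host.endswith("." + d) for d in legit):
            continue
        parts = split_domain(host)
        if parts is None:
            continue
        _, label, _ = parts
        for name, rx in matchers.items():
            if rx.match(label):
                hits.append((host, name))
                break
    return hits


# Constructed sample feed standing in for newly registered / newly certified domains.
OBSERVED = [
    "support-acme.com",     # alert scheme, hyphenated
    "acme-okta.top",        # alert scheme under a cheap TLD
    "vpn.ticketacme.xyz",   # no separator, extra subdomain in front
    "employee-acme.co.uk",  # multi-label public suffix
    "support.acme.com",     # the company's own subdomain: must not be flagged
    "acme.com",
    "okta.com",
    "acmecorp-news.com",    # contains the brand but matches no scheme
]

if __name__ == "__main__":
    for host, scheme in flag_lookalikes("acme", ["acme.com"], OBSERVED):
        print(f"{host:24s} matches scheme {scheme}")
```

Run as a scheduled job, the hits would feed a takedown request to the registrar and a block on the web proxy. Note that the allow-list check runs before pattern matching on purpose: an attacker cannot register a hostname under the company’s own zone, so anything that ends in the real domain is by definition not an attacker-controlled look-alike.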

VPN connections should be restricted to managed devices using hardware checks or installed certificates, so that a username, password, and OTP alone are not enough to reach the enterprise VPN; this is precisely the set of secrets the vishing call is designed to capture. Administrators should also restrict VPN access hours where applicable, so that stolen credentials used outside an employee’s normal working window are rejected rather than accepted.
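Access-hours enforcement is easy to describe and easy to get wrong for shifts that cross midnight. The following is an added example, not code from the alert or the article, of an OpenVPN client-connect hook that accepts or rejects a session based on a per-user time window. OpenVPN runs the script named by its client-connect directive after the client has authenticated and exports the client’s certificate common name as the common_name environment variable and its source address as trusted_ip; a nonzero exit status rejects the connection. The policy table, the user names, and the fixed UTC offsets are constructed for the example (production code would use IANA zone names with the zoneinfo module so that daylight-saving changes are handled).

```python
#!/usr/bin/env python3
"""OpenVPN client-connect hook enforcing per-user VPN access hours.

Added example; not part of the FBI/CISA alert. Policy and names are constructed.
Wire it in with:  client-connect /etc/openvpn/vpn_hours.py   (plus script-security 2)
"""
import os
import sys
from datetime import datetime, time, timedelta, timezone

# Constructed policy: certificate CN -> (window start, window end, local UTC offset).
# start == end means all day; start > end means the window crosses midnight.
# Fixed offsets keep the example offline; use zoneinfo IANA names in production.
POLICY = {
    "*":           (time(6, 0),  time(22, 0), timezone(timedelta(hours=-4))),  # default, US Eastern (DST)
    "noc-oncall":  (time(0, 0),  time(0, 0),  timezone.utc),                   # 24x7
    "night-shift": (time(20, 0), time(8, 0),  timezone(timedelta(hours=2))),   # Berlin (DST), wraps past midnight
}


def within_window(now, start, end):
    """True if wall-clock time `now` lies inside [start, end).

    Handles the three shapes a shift window can take: all day, same-day, and
    a window that wraps past midnight (e.g. 20:00-08:00).
    """
    if start == end:
        return True
    if start < end:
        return start <= now < end
    return now >= start or now < end


def allowed(common_name, now_utc):
    """Decide whether `common_name` may connect at the given aware UTC datetime."""
    start, end, tz = POLICY.get(common_name, POLICY["*"])
    local = now_utc.astimezone(tz).time()
    return within_window(local, start, end)


def allowed_at(common_name, iso_utc):
    """Convenience wrapper taking an ISO-8601 timestamp with offset, e.g. '2020-08-20T15:00:00+00:00'."""
    return allowed(common_name, datetime.fromisoformat(iso_utc).astimezone(timezone.utc))


def main():
    cn = os.environ.get("common_name", "")
    ip = os.environ.get("trusted_ip", "?")
    now = datetime.now(tz=timezone.utc)
    ok = allowed(cn, now)
    # OpenVPN captures stderr into its own log, so this line is the audit trail.
    print(f"vpn-hours: cn={cn!r} src={ip} utc={now:%Y-%m-%dT%H:%M:%SZ} allowed={ok}", file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

The hook only runs after the certificate check the paragraph above calls for, so it does not replace device certificates; it narrows the window in which a phished password and OTP are useful even on a compromised managed device. Deny decisions should be logged and alerted on, since a rejected after-hours login attempt from an unfamiliar source address is itself a strong signal that credentials have been vished.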

Further, web applications will need to be actively scanned and monitored for unauthorized access, modification, and anomalous activities. Administrators should employ the principle of least privilege, implementing software restriction policies and other controls and monitoring user access and usage. 

Enterprises should also consider implementing a formalized authentication process for employee-to-employee phone communications, one that requires the caller to be verified before any sensitive information is shared.

Lastly, enterprises should improve the messaging that accompanies 2FA and OTP prompts so that employees are not confused about which authentication attempts are legitimate, and are less likely to read a code to a caller or enter it on a page they did not request.

Healthcare organizations should also review telework and VPN insights from the National Security Agency, as well as the American Hospital Association and the American Medical Association to strengthen the technologies used to support teleworkers amid the COVID-19 crisis.
