COVID-19 continues to force companies to deliver their services remotely. A growing threat perhaps unfamiliar to some readers is vishing. Vishing is a hacking technique in which phone calls and voicemail messages, pretending to be from reputable companies, convince individuals to give out personal information such as banking or credit card numbers, or other non-public personal information. This is similar to phishing and smishing but uses phone systems and voicemail instead of email.
Vishing is On The Rise
The FBI and U.S. Cybersecurity Infrastructure Security Agency (CISA) recently announced a collaborative Cybersecurity Advisory Alert warning employers about the rise in voice phishing, or “vishing,” scams targeting remote workers. Until recently, vishing targeted vulnerable populations such as elderly persons. However, the recent shift to remote work environments has emboldened and enabled cybercriminals to take advantage of weakened security protocols and an isolated workforce. In these attacks, targets receive a phone call seeking bank or credit card information for a “compromised” account, a call from the “IRS” to verify an individual’s Social Security number, or a targeted Medicare or Social Security scam call.
Recently, vishing scams have evolved into coordinated and sophisticated campaigns aimed at obtaining a targeted company’s confidential and proprietary information and trade secrets. Hackers are accessing this coveted information through a company’s virtual private network (“VPN”) by exploiting a company’s own remote employees. VPNs are widely used in remote work environments to access corporate resources that remain onsite as opposed to in the cloud. While this traditional infrastructure and remote access over a VPN are typically locked down tightly, hackers have found devious ways to circumvent these traditional protections.
The Anatomy of a Sophisticated Vishing Attack
According to the FBI and CISA report, these vishing scams follow a common set of actions:
Phase 1: Reconnaissance
Hackers select a target company and begin exhaustively researching its workforce.
- The attackers compile “dossiers” on employee victims based on “scraping” their social media accounts.
- From an employee’s public social media account profiles (i.e., LinkedIn and Facebook), hackers create dossiers which include the employee’s name, location, place of work, position, and employment duration.
- Sometimes employees have public profiles with a great deal more information including home address, hobbies, group memberships, items sold on Craigslist, Facebook Marketplace, and eBay.
Phase 2: Building the Trap
Next, hackers register a domain and create phishing webpages duplicating a company’s internal VPN login page.
- Hackers build look-alike VPN webpages designed to capture an employee’s password and the all-important two-factor authentication token.
This enables a hacker to circumvent these strong protections, quickly enter a company’s VPN, and potentially access its sensitive and confidential data.
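A defender-side check for the look-alike domains described in this phase, as an added example that is not part of the original article: it scores a feed of newly observed domains for brand impersonation. The brand, legitimate domain, lure words and sample feed are all assumptions constructed for illustration.

```python
import re

# Assumptions for this example: the real domain, brand string and lure words
# are placeholders; SAMPLE_FEED is constructed, standing in for a feed of
# newly registered or newly certificated domains.
LEGIT_DOMAINS = {"example-corp.com"}
BRAND = "examplecorp"
LURE_WORDS = ("vpn", "sso", "support", "helpdesk", "login", "remote")
SAMPLE_FEED = [
    "vpn-examplecorp.net", "examp1ecorp-helpdesk.com",
    "examplecorp.support-portal.com", "vpn.example-corp.com",
    "exemplary-cooking.org",
]

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain):
    """Return the reasons a domain looks like an impersonation of the brand."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return []  # the company's own domain or a subdomain of it
    # Drop the TLD and strip hyphens so "example-corp" and "examplecorp" match.
    labels = [re.sub(r"[^a-z0-9]", "", part) for part in domain.split(".")[:-1]]
    reasons = []
    for label in labels:
        core = label
        for word in LURE_WORDS:  # compare the spelling without the lure word
            core = core.replace(word, "")
        if BRAND in label:
            reasons.append("contains brand name")
        elif edit_distance(core, BRAND) <= 2:
            reasons.append("near-miss spelling of brand")
    if reasons:  # lure words only matter once the brand is involved
        reasons += [f"lure word '{w}'" for w in LURE_WORDS
                    if any(w in label for label in labels)]
    return reasons

def triage(feed):
    """Map each suspicious domain in the feed to its list of reasons."""
    return {d: r for d in feed if (r := assess(d))}
```
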
Phase 3: Executing the Trap
Hackers contact employees on their personal cellphones, posing as an IT technician or help desk employee with a serious security concern. Pushback from the employee leads the caller to escalate their tone and stress the importance of “protecting company resources from attackers!”
- Hackers gain employee trust by leveraging the information compiled in each employee’s “dossier” during the reconnaissance phase, convincing the employee that they need to log in to a new VPN link to receive a critical update/patch not otherwise accessible from corporate servers.
- Hackers send the employee a link to the fake VPN page, which looks just like the company’s own VPN login site, and have the employee enter their credentials and sign in.
Hackers now have the employee’s entire suite of credentials.
Phase 4: Extracting the Honey (corporate data)
Hackers use this temporary and limited-time VPN access to mine the company’s databases, records, and files to view and exfiltrate (steal) company information and enhance their ransomware threats by attacking your data’s confidentiality over and above its availability.
- In modern ransomware attacks, hackers threaten to release your confidential information to the public Internet, putting your company’s critical data at risk of public exposure online. This is behind the recent spate of healthcare attacks where hackers threatened to release health records to the public Internet.
The company’s confidential information is up for grabs, leading to substantial ransom costs, forensic fees and costs, employee and customer reputation damage, and potentially significant liability for security breaches.
What Should You Do To Protect Yourself?
It’s critical that businesses work with their staff to help them grow their cybersecurity knowledge so they are prepared for attacks like these. CyberHoot recommends you:
- Train your employees on how to spot and avoid vishing attacks and other threats;
- Secure a paid robocall blocking service;
- Employ the principle of least privilege and implement software restriction policies;
- Monitor authorized user access and usage;
- Deploy a two-factor authentication process for critical employee-to-employee or even employee-to-client communications (such as when you call your bank);
  - The second factor is used to authenticate the phone call before sensitive information can be discussed;
- Restrict VPN connections to company-managed devices only. Use mechanisms like hardware checks, installed VPN certificates, and activity timers which reset after a finite amount of time (2-3 hours), requiring employees to re-authenticate periodically;
- Restrict VPNs in the following ways:
  - Limit allowed access times to business hours;
  - Enable geolocation filters blocking all access from foreign countries and locations;
  - Require strong two-factor authentication and company devices when connecting;
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains;
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
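The VPN restrictions in the list above (business hours, geolocation, managed devices, a second factor and a re-authentication timer) can be audited against connection logs. This is an added example, not part of the original article; the key=value log layout, field names, hours and country list are assumptions, and the sample records are constructed.

```python
from datetime import datetime, time

# Policy values are assumptions; the 180-minute limit is the upper end of the
# 2-3 hour re-authentication window recommended above.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
ALLOWED_COUNTRIES = {"US"}
MAX_SESSION_MIN = 180

# Constructed sample records; timestamps are taken to be office local time.
# The layout is hypothetical, not the log format of any particular VPN product.
SAMPLE_LOG = """\
ts=2020-09-14T10:12:00 user=alice country=US device_cert=valid mfa=yes session_min=45
ts=2020-09-14T02:40:00 user=bob country=US device_cert=valid mfa=yes session_min=20
ts=2020-09-14T11:05:00 user=carol country=RO device_cert=none mfa=no session_min=15
ts=2020-09-14T09:30:00 user=dave country=US device_cert=valid mfa=yes session_min=410
"""

def parse(line):
    """Split one 'key=value key=value ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def violations(rec):
    """Return every policy rule this VPN session breaks."""
    found = []
    when = datetime.fromisoformat(rec["ts"]).time()
    if not (BUSINESS_START <= when < BUSINESS_END):
        found.append("outside business hours")
    if rec["country"] not in ALLOWED_COUNTRIES:
        found.append("country not allowed")
    if rec["device_cert"] != "valid":
        found.append("unmanaged device")
    if rec["mfa"] != "yes":
        found.append("no second factor")
    if int(rec["session_min"]) > MAX_SESSION_MIN:
        found.append("session past re-authentication limit")
    return found

def audit(log_text):
    """Map each user with at least one violating session to the rules broken."""
    report = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            hits = violations(rec)
            if hits:
                report.setdefault(rec["user"], []).extend(hits)
    return report
```
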
Conclusions
It’s best to stay ahead of the curve and be aware of the emerging cybersecurity threats to your business and what you should do to secure your business. Work with CyberHoot today to help your business become more aware and more secure through awareness training, policy governance, and phish testing.
Sources: BusinessWise, CBROnline, Lexology
Additional Reading: Vishing – CyberHoot Term