August 21, 2020

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification,” the alert reads. “In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting — with the end goal of monetizing the access.”

As noted in Wednesday’s story, the agencies said the phishing sites set up by the attackers tend to include hyphens, the target company’s name, and certain words — such as “support,” “ticket,” and “employee.” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk.

The joint FBI/CISA alert (PDF) says the vishing gang also compiles dossiers on employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. From the alert:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

The alert notes that in some cases the unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, the attackers were able to intercept the one-time codes by targeting the employee with SIM swapping, which involves social engineering people at mobile phone companies into giving them control of the target’s phone number.

The agencies said crooks use the vished VPN credentials to mine the victim company databases for their customers’ personal information to leverage in other attacks.

“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the alert reads. “The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”

The advisory includes a number of suggestions that companies can implement to help mitigate the threat from these vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to
authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify web links do not have misspellings or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.


20 thoughts on “FBI, CISA Echo Warnings on ‘Vishing’ Threat

  1. Steve

    I think the FBI and CISA just read your web site to get their info!

  2. The Sunshine State

    I would include in the list using a good hardware firewall appliance , that detects intrusion, instead of using just Windows firewall alone on the work at home computer.

  3. Scarlett

    Nothing really surprises me anymore. Anyone who REALLY

  4. Aaron

    The link for the joint FBI/CISA alert (PDF) is invalid. It resolves to a file not found at coronavirus.health.ny.gov.

    1. BrianKrebs Post author

      They took the document down. Something about not supposed to have published it. Anyway, the link has been updated.

        1. Sarah

          “The internet is a public resource; only post information you are comfortable with anyone seeing.”

        2. Pookie

          Perhaps they shouldn’t have lifted their warning from Krebs’ story and then labeled it TLP:Amber.

  5. JohnIL

    People who work from home have little structure required to secure their technology as they do at work. Much like the question of mass mailing ballots for voting. No structure there to verify and validate who is filling them out and controlling the chain of handing them. The pandemic has created this open season on the potential for many security issues.

    1. Himbeerkuchen

      Just like with ballot credibility, corporate accounts’ security should not depend on security implemented by the individual, but by the managing authority.
      Sure, a reckless individual can log into their corporate account and then hand the computer to their neighbor. But in general the onus is on their employer to secure the computing infrastructure end-to-end.
      …and by the way – most developed countries do not “mass mail” ballots. They are sent in individual letters to a legally registered domicile, and include a legal certificate that the voter must sign and send back for the ballot to become valid. Sure, there are obviously lots of these letters, but that does not make them “mass mail”.

    2. Bob

      Excellent work shoehorning in unsubstantiated propaganda.

  6. John

    well Krebs, it looks like you should have correctly labeled your Wednesday article TLP:AMBER so the FBI wouldn’t issue a public advisory based on the info

    :p

  7. JCitizen

    I NEVER publish any phone number on public websites; I don’t even let FaceBook have my number – I get pestered to give them out, but I just blow through and ignore their pleas.

  8. RICH LIFE

    VER publish any phone number on public websites; I don’t even let FaceBook have my number – I get pestered to give them out, but I just blow through and ig

  9. Jim

    Another good write-up on a everyone should know about subject.
    Oh, another article was on Google news about vpn’s, and security. Saying do not trust them. And why.
    Like the bullet points at the end of the article, but one should be expanded with the addition of is updates. My favorite is, ms, does change your security settings. It will turn off your firewall to update and not reset your firewall, if you run any antivirus other then me, it will turn it off, and change your preferences to theirs. Which is why I like assistance like God mode. The only thing, is, I wish there was a notepad addition to either me update, or godmode that showed you what settings were just changed by the program updates. But, when suggested in the user groups, it was laughed out. And after every update, it shows that settings needs a rework. And, reboot, after the reboot, investigate what has been added, and shut off, see if it meets your requirements.

    1. RUzerious

      You should not be relying on a software firewall running on your end-user system, pretty much period/ever.

      Windows firewall perhaps the very least of all.

  10. globaltel

    I agree with this. Nowadays the internet is very dangerous and limiting your posts on social media is a big help for us to hide our activities and stuffs.

  11. illumina23

    “Vishing” is it now?

    Sure sounds to me like just another application of Mitnick’s old playbook. I don’t know why they thought a new name was needed.

Comments are closed.