Law Enforcement Agencies Warn of Vishing Attacks Targeting Employees

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory about a voice phishing, or vishing, campaign directly targeting employees working from home.

The massive shift of the workforce from offices to homes because of the COVID-19 pandemic created an unexpected opportunity for cybercriminals. Many employees no longer meet their colleagues in person and have fewer ways to verify who is on the other end of a call, which gives threat actors a new point of attack: tricking people into handing over access to internal tools.

According to the two agencies, the campaign went well beyond routine phishing efforts: the criminals set up fake VPN login pages and scraped the Internet for personal details on employees. The attackers also defeated two-factor authentication (2FA) and one-time password (OTP) protections, and even used SIM-swap techniques to bypass authentication. They went so far as to obtain Secure Sockets Layer (SSL) certificates for the domains they registered, so the fake pages appeared secure, and used a variety of domain naming schemes.

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company,” says the advisory.

“The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

Eventually, some employees opened the fake link and entered their credentials on the spoofed VPN page, giving the criminals valid logins that could be used to access internal tools and compromise the company further.

The FBI and CISA offered multiple mitigations, several of which can be applied immediately: restricting VPN access hours, improving 2FA and OTP messaging so that employees are less confused about authentication attempts, monitoring domains that use corporate branding and familiar names, and training employees to spot phishing and vishing attempts.
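The attackers' registered lookalike domains and the recommended monitoring of domains that use corporate branding are two sides of the same control. The following is an added example, not code from the advisory or the article, of how a security team might triage a feed of newly observed domains (for instance from certificate transparency logs, which is exactly where domains that obtained SSL certificates show up) for the kinds of naming schemes described above. The brand name `examplecorp`, the set of legitimate domains, the list of help-desk and remote-access theme words, and the sample feed are all constructed assumptions; replace them with your own values.

```python
import re
from typing import List, Tuple

# Assumptions (not from the advisory): your brand token and the registrable
# domains you actually own.
BRAND = "examplecorp"
LEGIT_DOMAINS = {"examplecorp.com"}

# Assumption: words that VPN/help-desk lookalikes commonly pair with a brand.
THEME_WORDS = {"support", "helpdesk", "ticket", "employee", "vpn", "sso",
               "okta", "login", "portal", "remote", "it", "access"}

# Constructed sample feed, standing in for a day of CT-log or new-domain output.
SAMPLE_FEED = [
    "examplecorp.com",
    "vpn.examplecorp.com",
    "support-examplecorp.com",
    "examplecorp-okta.com",
    "examp1ecorp.com",
    "examplecorp.vpn-login.net",
    "bakery-deli.com",
    "ticket-examplecorp.net",
]


def registrable_domain(fqdn: str) -> str:
    """Naive registrable domain: last two labels (fine for .com/.net-style TLDs)."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn: str) -> str:
    """Label one domain by how (if at all) it borrows the brand."""
    fqdn = fqdn.lower().strip(".")
    labels = fqdn.split(".")
    reg = registrable_domain(fqdn)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Brand used as a subdomain label under a registrable domain we do not own,
    # e.g. examplecorp.vpn-login.net
    if any(BRAND in lab for lab in labels[:-2]):
        return "brand-subdomain"
    sld = reg.split(".")[0]
    if sld == BRAND:
        return "brand-other-tld"
    # Split "support-examplecorp" into tokens on hyphens, underscores and digits.
    tokens = [t for t in re.split(r"[-_0-9]+", sld) if t]
    if BRAND in tokens:
        others = set(tokens) - {BRAND}
        # brand plus only help-desk/VPN theme words: the scheme in the advisory
        return "brand-combo" if others <= THEME_WORDS else "brand-embedded"
    if BRAND in sld:  # e.g. examplecorpvpn
        return "brand-embedded"
    if levenshtein(sld, BRAND) <= 1:  # e.g. examp1ecorp
        return "typosquat"
    return "unrelated"


def flag_feed(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, verdict) for every entry that warrants an analyst's look."""
    benign = {"legitimate", "unrelated"}
    return [(d, classify(d)) for d in domains if classify(d) not in benign]


if __name__ == "__main__":
    for domain, verdict in flag_feed(SAMPLE_FEED):
        print(f"{verdict:16} {domain}")
```

Flagged domains are a starting point for takedown requests and for blocking at the web proxy and DNS resolver, not proof of malice on their own; the "brand-combo" bucket (brand plus a help-desk or VPN theme word) is the one that most closely matches the naming pattern this campaign used, so it deserves the fastest review.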