The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned that the COVID-19 pandemic has led to an increase in voice phishing (or “vishing”) campaigns.
In a joint cybersecurity advisory, the agencies noted that the pandemic has resulted in a “mass shift to working from home.” This has spurred an uptick in the malicious use of corporate virtual private networks (VPNs). In July, cybercriminals launched a vishing campaign intended to monetize access to improperly obtained employee tools.
“The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme,” authorities said in the advisory.
“Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks, but the focus has recently broadened to more indiscriminate targeting,” the alert continued.
Highly effective attack
The advisory was published less than 24 hours after security researcher Brian Krebs of KrebsOnSecurity published research about a group of cybercriminals that has been marketing a vishing campaign that relies on custom phishing sites and social engineering techniques to steal VPN credentials from employees.
Citing interviews with several sources, Krebs said the bad actors have experienced “a remarkably high success rate.”
The attackers operate “primarily through paid requests or ‘bounties,’ where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home,” the report said.
Krebs explained that a typical attempt begins with a series of phone calls to employees working remotely at a targeted organization.
“The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology,” according to Krebs. “The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.”
Preventing vishing attempts
FBI and CISA officials offered several tips on how people can protect themselves against vishing attempts.
Companies and organizations are advised to restrict VPN connections to managed devices only, to employ domain monitoring, and to “consider using a formalized authentication process for employee-to-employee communications made over the public telephone network.”
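One way to act on the advisory's “domain monitoring” recommendation, as an added example that is not from the advisory or the article: a Python scan that flags newly observed domains resembling an organisation's VPN or webmail portal, the kind of lookalike site the attackers direct employees to. The company name “acme”, the portal keyword list and the feed lines are constructed assumptions.

```python
"""Added example: flag newly observed domains that imitate an organisation's
VPN or webmail portal. Feed lines and the company name 'acme' are constructed."""

# Words attackers pair with a company name on pages that mimic a remote-access portal (assumed list).
PORTAL_TERMS = ("vpn", "sso", "portal", "remote", "webmail", "login", "helpdesk")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str):
    """Return why a domain looks like the brand's portal, or None if it does not."""
    parts = domain.lower().strip().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]  # registrable label only
    terms = [t for t in PORTAL_TERMS if t in label]
    core = label  # what remains once portal words and hyphens are removed
    for t in terms:
        core = core.replace(t, "")
    core = core.replace("-", "")
    dist = levenshtein(core, brand)
    if terms and brand in core:
        return f"brand plus portal keyword {terms}"
    if terms and dist <= 2:  # typo, digit swap or rn/m style substitution
        return f"near-miss of brand (distance {dist}) plus portal keyword {terms}"
    if dist == 1:  # plain typosquat; short brand names make this rule noisy
        return "typosquat of brand (distance 1)"
    return None

def scan_feed(feed: str, brand: str, own_domains: frozenset) -> list:
    """Return (domain, reason) pairs an analyst should review, own domains excluded."""
    hits = []
    for d in (line.strip().lower() for line in feed.splitlines() if line.strip()):
        reason = None if d in own_domains else classify(d, brand)
        if reason:
            hits.append((d, reason))
    return hits

# Constructed stand-in for a day's feed of newly observed domains.
SAMPLE_FEED = """acme.com
acme-vpn.com
acmecorp-sso.net
acne-portal.com
acrne-vpn.co
"""
```

In practice the feed would come from certificate-transparency logs or new-registration lists, and every hit is a candidate for a takedown request and for blocking at the corporate web proxy.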
Individuals are advised to be suspicious of unsolicited phone calls or email messages from unknown people claiming to be from a legitimate organization. End users should also limit the amount of personal information they post on social networking platforms.
“If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement,” the advisory said.