According to the FBI, cybercriminals have launched vishing attacks targeting employees working from home for U.S. companies. The attackers collected login credentials for corporate networks, which they then monetized by selling the access to corporate resources to other criminal gangs.

What is a Vishing attack?

Vishing is a social engineering approach that leverages voice communication. It can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information, or to log in to a fraudulent website designed to look like the company’s website.

Anatomy of an Attack 

Step 1:  Register fraudulent domain names 

Cybercrime groups begin by registering domains that look like company resources, then create and host phishing sites on those domains. The domains usually have a structure like:

support-[company name]

ticket-[company name]

[company name]-okta

The phishing pages were made to look like a targeted company’s internal VPN login page, and the sites were also capable of capturing two-factor authentication (2FA) or one-time passwords (OTP).

Step 2:  Research company employees on social media

Criminal groups then compiled dossiers on the employees working for the companies they wanted to target, usually by mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.

Step 3:  Call company employees using spoofed company numbers

The attackers then called the targeted employees and, in some cases, posed as members of the victim company’s IT help desk. Using the knowledge gained from researching social media sites, they won the employee’s confidence.

The actors then convinced the targeted employee that a new VPN link would be sent and that it required their login, including any 2FA or OTP code. When the victim accessed the link to the phishing site the attackers had created, the cybercriminals logged the credentials and used them in real time to gain access to the corporate account, bypassing even 2FA/OTP protection with the unwitting help of the employee.

Don’t get Vished or Phished!  Tips to follow:

  1. Verify web links do not have misspellings or contain the wrong domain.
  2. Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
  3. Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization.
  4. Limit the amount of personal information you post on social networking sites.
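As an added example (not from the FBI advisory or this article), here is a Python check a defender can run over web-proxy logs to flag destinations shaped like the lookalike domains described in Step 1, which also automates the "wrong domain" check in the first tip. The company name, corporate domain, sanctioned SaaS host, the extra pattern variants (helpdesk, vpn, sso) and the log lines are all constructed for the example; note that the company's own Okta tenant must be allowlisted explicitly, or a plain "contains the company name" rule would flag it.

```python
import re
from urllib.parse import urlsplit

# Constructed values: the corporate domain and the sanctioned third-party SaaS
# hosts (e.g. the company's Okta tenant) that embed the company name legitimately.
COMPANY_NAME = "examplecorp"
COMPANY_DOMAIN = "examplecorp.com"
SANCTIONED_THIRD_PARTY_HOSTS = {"examplecorp.okta.com"}

# First-label shapes from the advisory: support-<company>, ticket-<company>,
# <company>-okta, plus a few assumed variants (helpdesk, vpn, sso).
LOOKALIKE_LABEL = re.compile(
    rf"^(?:(?:support|ticket|helpdesk)-{re.escape(COMPANY_NAME)}"
    rf"|{re.escape(COMPANY_NAME)}-(?:okta|vpn|sso))$"
)

def classify_host(host):
    host = host.lower().rstrip(".")
    if host in SANCTIONED_THIRD_PARTY_HOSTS or host == COMPANY_DOMAIN \
            or host.endswith("." + COMPANY_DOMAIN):
        return "legitimate"   # our domain, or an explicitly allowlisted tenant
    if LOOKALIKE_LABEL.match(host.split(".")[0]):
        return "lookalike"    # matches the naming pattern the advisory describes
    if COMPANY_NAME in host:
        return "suspicious"   # company name embedded in a domain we do not own
    return "unrelated"

def classify_url(url):
    host = urlsplit(url).hostname
    return classify_host(host) if host else "invalid"

# Constructed web-proxy log lines: timestamp, user, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2021-01-15T09:12:03Z alice https://vpn.examplecorp.com/login 200
2021-01-15T09:13:41Z bob https://support-examplecorp.com/vpn/login 200
2021-01-15T09:15:09Z carol https://examplecorp.okta.com/app/sso 200
2021-01-15T09:16:55Z dave https://examplecorp-okta.com/signin 200
2021-01-15T09:18:20Z erin https://vpn.examplecorp.com.example.net/ 200
2021-01-15T09:19:02Z frank https://www.example.org/ 200
"""

def flag_lookalikes(log_text):
    """Return (user, host, verdict) for each entry not bound for a legitimate host."""
    flagged = []
    for line in log_text.splitlines():
        _ts, user, url, _status = line.split()
        verdict = classify_url(url)
        if verdict in ("lookalike", "suspicious"):
            flagged.append((user, urlsplit(url).hostname.lower(), verdict))
    return flagged
```

Running `flag_lookalikes(SAMPLE_PROXY_LOG)` surfaces bob's and dave's logins to the pattern-matching domains and erin's visit to a host that merely embeds the corporate domain, while alice's and carol's legitimate logins are left alone.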

Remember, it only takes one compromised account to cause a breach. We must always be diligent in our online activity.