A joint advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said that officials have noticed an uptick in voice phishing, also known as vishing, campaigns after the pandemic forced companies to implement work-from-home arrangements.
In the advisory, the FBI and CISA explained how companies can protect themselves from such phishing campaigns. It said that the coronavirus pandemic has resulted in a mass shift to working from home, which has increased the use of corporate VPNs and eliminated in-person verification; this helps explain the success of the campaign.
"Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks but the focus has recently broadened to more indiscriminate targeting," the advisory added.
The joint advisory came after Krebs on Security reported that a group of cyber threat actors has been marketing a voice phishing service that uses custom phishing sites as well as social engineering techniques to steal VPN credentials from targeted company employees.
Even though the FBI and CISA did not confirm the report, they said cybercriminals started a vishing campaign in July 2020 and described a scheme similar to the one the report claimed: threat actors registered domains using target firms' names and then duplicated the firms' internal VPN login pages. At first, the operators of this vishing service used VoIP numbers, but later the attackers changed strategy and started using spoofed numbers belonging to victims' colleagues and other offices within their company.
As per the report, cybercriminals tend to target new employees and pose as new IT personnel. The attackers also create fake LinkedIn pages to gain the trust of the victim. Once they convince a victim that they are from the company's IT team, the cybercriminals send a fake VPN link requiring a login. The employees then approve the two-factor prompts on their phones.
After gaining access to the company's network, the threat actors mine it for employees' and customers' personal information to use in other attacks. They also monetize the access in several ways. The FBI and CISA didn't name any of the victims, but they advised companies to restrict VPN connections to managed devices only, employ domain monitoring, and consider a formalized authentication process for employee-to-employee communications conducted over the telephone network.
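The domain monitoring the advisory recommends can start as a simple triage script. The following is an added example, not code from the advisory or the report: it scans a constructed list of newly registered domains for names that contain or closely resemble a hypothetical company name (`examplecorp`), maps common digit-for-letter substitutions, and notes VPN or login keywords that suggest a cloned portal.

```python
from difflib import SequenceMatcher

# Constructed sample of newly registered domain names (hypothetical, not from the advisory).
NEW_REGISTRATIONS = [
    "examplecorp-vpn.com",      # brand plus a VPN keyword
    "examp1ecorp.com",          # digit standing in for a letter
    "exampIecorp.com",          # capital I standing in for lowercase l
    "examplecorpsupport.net",   # brand plus a generic word
    "weather-today.org",        # unrelated, should not be flagged
]

BRAND = "examplecorp"   # hypothetical protected company name
VPN_KEYWORDS = ("vpn", "login", "sso", "portal", "remote")
# Common look-alike substitutions found in lookalike domains; extend as needed.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Lower-case the registrable label, map look-alike digits and drop hyphens."""
    return label.lower().translate(LOOKALIKES).replace("-", "")


def assess(domain, brand=BRAND, threshold=0.85):
    """Return the reasons a domain resembles the brand; an empty list means benign."""
    label = domain.rsplit(".", 1)[0]          # strip only the TLD
    norm = normalize(label)
    reasons = []
    if brand in norm:
        reasons.append("contains brand name")
    else:
        ratio = SequenceMatcher(None, brand, norm).ratio()
        if ratio >= threshold:
            reasons.append(f"similar to brand (ratio {ratio:.2f})")
    if reasons:  # keywords only matter once the brand itself is implicated
        for kw in VPN_KEYWORDS:
            if kw in norm:
                reasons.append(f"contains access keyword '{kw}'")
    return reasons


def triage(domains, brand=BRAND):
    """Map each suspicious domain to its reasons; benign domains are omitted."""
    flagged = {}
    for domain in domains:
        reasons = assess(domain, brand)
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in triage(NEW_REGISTRATIONS).items():
        print(f"{domain}: {'; '.join(reasons)}")
```

Flagged domains are candidates for takedown requests and for blocking at the web proxy and mail gateway; the similarity threshold is a tuning knob, not a verdict.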