Using VoIP calls, the attackers trick people into logging into phishing sites as a way to steal their usernames and passwords.
The FBI is cautioning companies to beware of a slew of voice phishing attacks aimed at capturing the login credentials of employees.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
In an advisory released last Thursday, the FBI revealed that as of December 2019, cybercriminals have been working together on social engineering campaigns targeting employees at large firms both in the US and abroad. The criminals are taking advantage of VoIP platforms to launch voice phishing, or vishing, attacks.
In a vishing attack, scammers use a voice call to trick their victims into signing into a malicious website to obtain their account credentials.
In the specific attacks referenced by the FBI, the criminals speak with company employees on a VoIP call and persuade them to sign into a phishing page to steal their usernames and passwords. After capturing these credentials, the attackers manage to gain access to the corporate network where they can easily cause further damage.
In one case, criminals used a chatroom message service to access a company's chatroom. There, they discovered an employee whom they convinced to sign into a fake VPN page. The attackers then used the stolen credentials to log into the company's actual VPN to locate employees with greater privileges. The goal was to find people who could change the usernames and email information for others in the company through a cloud-based payroll service, the FBI said.
Schemes like this are always a threat. But with the coronavirus lockdown, many organizations are even more vulnerable. Last August, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned about a vishing scheme in which criminals posing as other people called employees working from home to try to obtain their account credentials.
With so many remote employees, a company may not have the proper restrictions on network access and privileges. Keeping track of who has access to which data and resources has become a more challenging and difficult task. And that's exactly the kind of scenario that cybercriminals love to exploit.
"With so many employees working from home, threat actors are increasingly turning to vishing campaigns to gain a foothold for privilege escalation," Abnormal Security strategist Roman Tobe told TechRepublic.
"Companies and their employees are under the constant threat of malicious actors who are developing more and more ways to get them to disclose credentials," Tobe said. "Whether it's an expertly-crafted email or a convincing voice message, it's essential that employees approach any incoming request for information with a critical eye in order to confirm it's coming from a trusted source. If there is any question as to the validity, employees should immediately flag it to their security team."
Impersonating a member of your company's IT team is an especially popular and brazen way to obtain employee credentials, according to Hank Schless, senior manager, Security Solutions at Lookout.
"Posing as part of the IT team puts attackers into a role with greater authority and credibility than traditional phishing," Schless told TechRepublic. "Remote work increases the likelihood of success for the attacker because the target employee can't walk down the hall to validate the communication with another member of the team."
To protect your organization and employees from these types of phishing and vishing scams, the FBI offers the following tips:
- Implement multifactor authentication (MFA) to access the accounts of employees to minimize the chances of an initial compromise.
- Grant network access on a least privilege scale for all new employees. Further, periodically review network access for all employees to reduce the risk of compromise of vulnerable and weak spots on the network.
- Actively scan and monitor for unauthorized access or modifications of key resources. This can help detect a possible compromise as a way to prevent or minimize the loss of data.
- Divide your network into segments. Breaking up a large network into multiple smaller networks helps administrators better control the flow of network traffic.
- Give administrators two separate accounts. One account should have admin privileges so they can make system changes. The other account can be used for email, deploying updates, and generating reports.
Training employees and securing devices are also two key strategies, according to Schless.
"The first line of defense against phishing attacks is your employees," Schless said. "Nowadays, it's incredibly important to train employees on how to spot these phishing attempts, especially as they do more work on mobile devices. In addition to training employees, securing any device that has access to your network is paramount to preventing issues like this. Without protecting those devices with modern endpoint protection, there will be a significant gap in your overall security posture."
Lisa Plaggemier, chief strategy officer at cybersecurity provider MediaPro, strongly urges people to report any such attacks.
"Always report any social engineering attack, including vishing, to your organization's security team," Plaggemier told TechRepublic. "They will report it to federal law enforcement. If you think you just took a call from a visher and possibly gave information you shouldn't have, don't be ashamed. Remember that you are the victim. Never stay silent."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- How to defend your organization against social engineering attacks (TechRepublic)
- How an IBM social engineer hacked two CBS reporters--and then revealed the tricks behind her phishing and spoofing attacks (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)