Data Insider: Digital Guardian's Blog

FBI, CISA Warn About Vishing Campaign Targeting Teleworkers

by Chris Brook on Monday August 24, 2020


In the wake of news that attackers have been carrying out a successful voice phishing campaign against companies for a month, government orgs offered tips on how employees working from home can mitigate future attacks.

The U.S. government is doubling down on warnings published last week about an alarming increase in voice phishing, or vishing, attacks taking aim at companies.

Both the Federal Bureau of Investigation and the Cybersecurity & Infrastructure Security Agency warned last week of an ongoing campaign that takes advantage of much of the country's workforce being remote.

The joint advisory says the campaign's success can be traced to "a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification."

In the advisory, the government organizations claim that since mid-July, cybercriminals have been using phony voice messages purporting to come from a higher authority, in hopes of getting access to employee tools, eventually monetizing the access.

"Using vished credentials, cybercriminals mined the victim company databases for their customers' personal information to leverage in other attacks," the advisory reads.

The warning came a few days after cybersecurity writers Brian Krebs, via his KrebsOnSecurity blog, and Andy Greenberg, via a story in Wired, reported an uptick in phone spearphishing attacks.

Krebs' story looked at one group that uses phone calls and custom phishing sites to steal company VPN credentials; Wired's story looked at the hacks through the lens of July's Twitter hack, in which attackers commandeered accounts belonging to CEOs, politicians, and celebrities.

Common threads of the attack involve fake but legitimate-looking versions of company VPN login pages. According to the FBI, attackers also obtained Secure Sockets Layer (SSL) certificates for the domains they registered to make them appear real.

The domains mimic the following naming schemes:

  • support-[company]
  • ticket-[company]
  • employee-[company]
  • [company]-support
  • [company]-okta
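As an added defensive example (not from the advisory or from Digital Guardian), the script below takes a feed of newly observed domains, such as certificate transparency or DNS log output, and flags any whose label matches one of the five naming schemes above for a given company name. The company name and the domain feed are constructed for illustration.

```python
from typing import Iterable, List, Optional, Tuple

# Lookalike naming schemes from the FBI/CISA advisory; "{c}" stands for the company name.
SCHEMES = ("support-{c}", "ticket-{c}", "employee-{c}", "{c}-support", "{c}-okta")


def matching_scheme(domain: str, company: str) -> Optional[str]:
    """Return the advisory naming scheme one of the domain's labels matches, or None.

    Labels are compared whole, so the company's own domain (example.com) and its
    ordinary subdomains (support.example.com) are not flagged; only a label that
    is exactly e.g. "support-example" or "example-okta" is.
    """
    labels = domain.lower().rstrip(".").split(".")
    c = company.lower()
    for label in labels:
        for scheme in SCHEMES:
            if label == scheme.format(c=c):
                return scheme
    return None


def flag_lookalike_domains(domains: Iterable[str], company: str) -> List[Tuple[str, str]]:
    """Reduce a domain feed to (domain, scheme) pairs worth an analyst's attention."""
    hits = []
    for d in domains:
        scheme = matching_scheme(d, company)
        if scheme is not None:
            hits.append((d, scheme))
    return hits


# Constructed sample feed for a hypothetical company "example"; not real observations.
SAMPLE_DOMAINS = [
    "example.com",            # the company's own domain: not flagged
    "support-example.com",    # support-[company]
    "vpn.example-okta.net",   # [company]-okta under a subdomain
    "ticket-example.co",      # ticket-[company] on a different TLD
    "support.example.com",    # legitimate subdomain: not flagged
    "acme-support.org",       # different company: not flagged
]

if __name__ == "__main__":
    for domain, scheme in flag_lookalike_domains(SAMPLE_DOMAINS, "Example"):
        print(f"{domain:25} matches {scheme}")
```

Hits are a starting point for takedown requests or for blocking at the web proxy, not proof of malicious use; a registrar record or certificate issuance date helps confirm whether the domain is the company's own.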

After performing reconnaissance on targets (gathering names, addresses, positions, and how long they have been at a company), the attackers used VoIP numbers to dial them directly. Using a combination of social engineering tactics (posing as a member of the company's IT team and citing some of the target's personal data), the attackers convinced victims they would be sending along a new VPN link, along with a two-factor authentication passcode or one-time password.

If employees approved the prompt or responded with a 2FA code, that's all the attackers needed to access the company's network in order to steal data and gain a foothold for future attacks.

While it likely requires more effort from the attacker, other attacks have used SIM swapping, in which someone contacts your wireless carrier and, using previously leaked data, convinces them they are you, to sidestep 2FA and one-time password authentication, the FBI and CISA say.

To prevent attacks like this, the agencies encourage organizations to tighten VPN security by restricting connections to managed devices only, reducing access hours, scanning and monitoring web applications for access, modification, and activity that falls outside the norm, and streamlining 2FA and one-time password messaging so that employees know what a legitimate prompt looks like.

Tags: Government, Phishing


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.