“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign. Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks but the focus has recently broadened to more indiscriminate targeting.”
The advisory was published shortly after Krebs on Security reported that a group of cybercriminals has been marketing a vishing service that uses custom phishing sites and social engineering techniques to steal VPN credentials from employees. While the agencies didn’t confirm the report, they said that cybercriminals started a vishing campaign in mid-July 2020. They also described a scheme similar to what Krebs reported: bad actors registered domains using target companies’ names and then duplicated their internal VPN login pages. The criminals used VoIP numbers at first but later started using spoofed numbers of victims’ workmates and other offices within their company.
According to Krebs, the infiltrators tend to target new employees and to pose as new IT personnel themselves — they even create fake LinkedIn pages to gain the victims’ trust. In order to be as believable as possible, they compile dossiers on a target company’s employees, containing information gathered from public profiles, marketing tools and publicly available background checks. After the cybercriminals successfully convince a victim that they’re from their company’s IT team, they’d send them a fake VPN link requiring their log in.
Unsuspecting employees would then approve two-factor prompts on their phones (or input OTP verification numbers) thinking that they got it because they gave the fake IT personnel access to their account. In some cases, though, they don’t even need the victim for two-factor authentication — not when they’ve already done a SIM swap on their numbers and can intercept verification codes. SIM swapping is another social engineering technique that involves impersonating a target to fool a carrier’s employees into giving them control of the victim’s number.
Once they’re in a company’s network, they mine it for customers’ and employees’ personal information to leverage in other attacks. And yes, they monetize their attacks using various methods. The agencies said the method used depends on the company, but it’s typically “highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”
The FBI and CISA didn’t name any of the victims, but it’s worth noting that Twitter’s Bitcoin hackers used a similar technique. If you’ll recall, hijackers took over a number of high-profile accounts, including those owned by Elon Musk and Barack Obama, back in July. They posted similar tweets across accounts asking people for bitcoin and promising to give them back double the amount in a bizarre attempt to defraud people. Twitter later explained that one of its employees fell victim to a “social engineering attack,” giving infiltrators access to its system. (A Motherboard report, however, said an employee may have been bribed into helping the hackers.)
To prevent vishing attacks, the agencies are advising companies to restrict VPN connections to managed devices only, to employ domain monitoring and even to “consider using a formalized authentication process for employee-to-employee communications made over the public telephone network.” As for end users, it’s advising them to be more vigilant in checking URLs, to be more suspicious of unsolicited phone calls and to limit the amount of personal information they post on social networking sites.