By: David Geller, CPCU, SCLA
As a substantial number of people continue to work from home due to the COVID-19 outbreak, the cyber risk landscape has evolved. Check out some of our posts relating to cyber exposures on our COVID-19 Featured Page here.
The latest development pertains to a type of attack that has grown in popularity in this remote-work-heavy environment: Vishing.
What is Vishing, And Why Has It Been Happening More?
According to a Joint Cybersecurity Advisory issued by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), “[v]ishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward." The Advisory describes some dynamics of vishing campaigns as follows:
“Actors [the alleged cyber attackers] registered domains and created phishing pages duplicating a company's internal VPN login page, also capturing two-factor authentication (2FA) or one-time passwords (OTP). Actors also obtained Secure Sockets Layer (SSL) certificates for the domains they registered and used a variety of domain naming schemes…
Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee's personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee. The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”
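The Advisory's description above, of actors registering lookalike domains, obtaining certificates for them and hosting copies of the company's VPN login page, points to one control a security team can automate: watching newly registered domains or Certificate Transparency entries for names that imitate the company's portal. The following is an added illustration, not code from the Advisory or from this post; the company name, the legitimate hostnames and the sample feed of domains are all constructed placeholders, and the classification rules are a deliberately simple heuristic rather than any published standard.

```python
"""Flag domains that imitate a company's VPN/SSO login portal.

Added example: the brand, legitimate hosts and SAMPLE_FEED below are
constructed, and the rules are a simple heuristic for illustration.
"""
import re
from dataclasses import dataclass

COMPANY = "examplecorp"                 # constructed brand name
LEGIT_APEX = "examplecorp.com"          # constructed legitimate apex domain

# Words attackers often pair with a brand when naming fake login pages.
LOGIN_WORDS = {"vpn", "sso", "login", "portal", "remote", "helpdesk", "it", "support"}

# Digit/letter substitutions commonly used to mimic a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})


@dataclass
class Finding:
    domain: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return a Finding if the domain looks like a lookalike of COMPANY, else None.

    Splits the name naively into <subdomains>.<registrable label>.<tld>; a real
    deployment would use the Public Suffix List to handle multi-part TLDs.
    """
    d = domain.lower().strip(".")
    if d == LEGIT_APEX or d.endswith("." + LEGIT_APEX):
        return None                      # the company's own namespace

    parts = d.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    subdomains = parts[:-2]
    normalized = label.translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_]", normalized) if t]

    if normalized == COMPANY:
        if label != COMPANY:
            return Finding(d, "homoglyph substitution for brand")
        return Finding(d, "brand on an unrelated TLD")
    if COMPANY in tokens and any(t in LOGIN_WORDS for t in tokens):
        return Finding(d, "brand combined with login keyword")
    if COMPANY in normalized:
        return Finding(d, "brand embedded in label")
    if any(s.translate(HOMOGLYPHS) == COMPANY for s in subdomains):
        return Finding(d, "brand used as a subdomain of an unrelated domain")
    dist = levenshtein(normalized, COMPANY)
    if dist <= 2:                        # threshold suits a long brand; lower it for short ones
        return Finding(d, f"typosquat (edit distance {dist})")
    return None


def scan(feed):
    """Run classify() over an iterable of domain names, keeping only hits."""
    return [f for f in (classify(d) for d in feed) if f is not None]


# Constructed sample of names as they might appear in a certificate feed.
SAMPLE_FEED = [
    "vpn.examplecorp.com",          # legitimate, must not be flagged
    "examplecorp-vpn.com",          # brand + login keyword
    "vpn-examp1ecorp.net",          # keyword + digit substitution
    "examplecorp.vpn-access.com",   # brand as subdomain of unrelated domain
    "exampiecorp.com",              # one-character typosquat
    "examplecorp.net",              # brand on another TLD
    "examp1ecorp.com",              # digit substitution only
    "examplecorpsso.com",           # brand glued to a keyword
    "weather-report.org",           # unrelated, must not be flagged
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FEED):
        print(f"{finding.domain:30} {finding.reason}")
```

Flagged names are candidates for review and takedown requests, not verdicts; the heuristic will miss names that use no part of the brand, and the point of running it against a certificate feed is that, as the Advisory notes, the actors obtained certificates for their domains, which makes those domains visible before the first call is placed.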
The Advisory provides additional details of how the cyber criminals execute this campaign, such as through the use of a SIM-Swap Attack, an activity we detailed in our post here.
The 3-page Advisory mentions that cybercriminals began launching vishing campaigns in mid-July and have been using these attacks to gain access to employee tools at multiple companies. Once these tools were breached, cybercriminals reportedly have “mined the victim company databases for their customers’ personal information to leverage in other attacks.”
The Advisory notes that, prior to the pandemic, telecommunications providers and internet service providers were exclusively the target of these attacks, but the types of companies targeted have since broadened. Furthermore, due in part to the increased use of virtual private networks (VPNs), as well as the elimination of in-person verification, these campaigns have become more likely to succeed.