The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are getting serious about voice phishing, also known as vishing, a phone-based scam used to illegally obtain money.
Vishing is similar to email phishing except that criminals obtain sensitive personal and financial information over the phone rather than by email. The goal, of course, is money.
In mid-July 2020, cybercriminals began a vishing campaign targeting employees at multiple companies, the FBI and CISA said in a recent advisory.
“Typically with these types of scams, a criminal will direct victims to a fraudulent page that mirrors a legitimate login portal,” Daniel Smith, head of security research at Radware, told Fox News.
“The criminal, often impersonating a company or service, then asks the person on the phone to enter their login information and passwords on the fraudulent website, effectively collecting a victim’s information,” Smith added.
The FBI and CISA offer tips and how to report incidents on the advisory page.
The COVID-19 pandemic is driving this. “[The pandemic] has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification,” the advisory said.
This is how vishing was set up in the cases described by the FBI and CISA:
- The criminals registered domains and built fake phishing pages that duplicated a company’s internal Virtual Private Network (VPN) login page.
- Those pages also captured two-factor authentication (2FA) codes or one-time passwords (OTP); in some cases, unsuspecting employees confirmed the 2FA or OTP prompt themselves.
- The criminals chose domain names that made the phishing address look as if it belonged to an employee or to support personnel at the targeted company.
- They harvested public profiles of employees to compile dossiers on them. This was done by “mass scraping” of public profiles on “social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research,” the advisory said. This allowed the criminals to collect names, home addresses, personal phone numbers and company positions.
- The criminals used spoofed phone numbers belonging to other offices and employees of the victim company when calling their targets.
In one type of scheme, the criminals posed as members of the victim company’s IT help desk, the advisory added. They gained the trust of the targeted employee by citing the employee’s personal information, such as name, position and home address.
“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP,” the advisory explained. “The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account. In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator.”
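The real-time relay the advisory describes is easy to reproduce in a simulation, and doing so shows why a one-time code does not stop it while an origin-bound second factor (a FIDO/WebAuthn-style security key) does. The Python below is an added illustration, not code from the advisory or from any of the companies involved. It uses a toy in-memory "VPN portal", a constructed employee record, and assumed origins (vpn.example.com for the real portal, vpn-support.example.net for the cloned page); the security-key check is modelled with a keyed hash instead of a public-key signature to keep the example self-contained.

```python
"""Simulation of a vishing credential/OTP relay against a cloned VPN login page.

Everything here is a stand-in: the VPN portal, the employee record and the
origins are all assumed for the example. No network traffic is generated.
"""
import hashlib
import hmac
import secrets
import struct

VPN_ORIGIN = "https://vpn.example.com"            # assumed legitimate portal
PHISH_ORIGIN = "https://vpn-support.example.net"  # assumed look-alike page


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the OTP the employee reads out."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class CorporateVPN:
    """Stand-in for the internal VPN portal that the attackers cloned."""

    def __init__(self):
        self.users = {}     # username -> {"password", "totp_secret", "fido_key"}
        self.sessions = []  # (username, session_token) for every successful login

    def enroll(self, user: str, password: str) -> dict:
        rec = {
            "password": password,
            "totp_secret": secrets.token_bytes(20),
            "fido_key": secrets.token_bytes(32),  # stand-in for the key-pair
        }
        self.users[user] = rec
        return rec

    def login_otp(self, user, password, otp, now):
        """Password + TOTP. Anyone holding a fresh code gets in, wherever it came from."""
        rec = self.users.get(user)
        if not rec or not hmac.compare_digest(rec["password"], password):
            return None
        if not hmac.compare_digest(totp(rec["totp_secret"], now), otp):
            return None
        tok = secrets.token_hex(8)
        self.sessions.append((user, tok))
        return tok

    def fido_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login_fido(self, user, challenge, assertion):
        """Verify over the origin the *server* knows, never the one the client claims."""
        rec = self.users.get(user)
        if not rec:
            return None
        expected = hmac.new(rec["fido_key"], challenge + VPN_ORIGIN.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion):
            return None
        tok = secrets.token_hex(8)
        self.sessions.append((user, tok))
        return tok


class Employee:
    """The targeted employee: types whatever the page in front of them asks for."""

    def __init__(self, user: str, rec: dict):
        self.user, self.rec = user, rec

    def fill_login_form(self, now):
        return self.user, self.rec["password"], totp(self.rec["totp_secret"], now)

    def sign_challenge(self, challenge: bytes, page_origin: str) -> bytes:
        # The browser binds the assertion to the origin it is actually on; the
        # employee cannot be talked into changing that over the phone.
        return hmac.new(self.rec["fido_key"], challenge + page_origin.encode(),
                        hashlib.sha256).digest()


def relay_otp_attack(vpn, victim, now, delay=0):
    """Cloned page captures password + OTP and replays them to the real portal.

    delay models how long the attacker waits before replaying; the advisory's
    actors used the code "in real-time", i.e. inside the 30 s TOTP window.
    """
    user, pw, otp = victim.fill_login_form(now)        # typed into PHISH_ORIGIN
    return vpn.login_otp(user, pw, otp, now + delay)   # attacker logs in as the user


def relay_fido_attack(vpn, victim):
    """Same relay against an origin-bound factor: the assertion does not verify."""
    challenge = vpn.fido_challenge()                            # fetched from real portal
    assertion = victim.sign_challenge(challenge, PHISH_ORIGIN)  # signed for the wrong origin
    return vpn.login_fido(victim.user, challenge, assertion)
```

With the assumed setup, relay_otp_attack returns a valid session token when replayed at once and None when the attacker waits past the TOTP window, while relay_fido_attack never returns a token; a legitimate login, where the employee signs the challenge for VPN_ORIGIN, still succeeds. The point for defenders is that "ask the caller for the code" attacks are a timing game that phishing-resistant MFA takes off the table.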
Cybersecurity experts say vishing is effective because the bad guys often research employees extensively before calling.
“They may know employees’ names and titles from LinkedIn, and even have some understanding of how your organization is structured (who your boss is),” Lisa Plaggemier, chief strategy officer at Seattle-based MediaPro, told Fox News. “They may know what technology and tools you use from social posts or your own company’s marketing or even job postings.”