The FBI and CISA have issued formal warnings about a new mutation of phishing that relies on dedicated cybercrime groups who work via voice-over-IP (VoIP) calls to employees deemed to be vulnerable. Dubbed “vishing,” the new trend is thought to be responsible for the successful breaches of Twitter and several other high-profile targets in recent months. The attack hinges on the increased amount of remote work being done and the common use of VPNs as an organizational security measure for those logging into company networks from home.
How vishing works
The cybersecurity advisory from the two American agencies describes a standard process by which most of the vishing attacks have been unfolding.
Attackers first identify a target company and register lookalike domain names, populating them with phishing pages that lead to a replication of the company’s legitimate internal VPN login page. This page is designed to capture redundant security measures such as two-factor authentication (2FA) or one-time passwords (OTP) in addition to the target’s basic login credentials.
The vishing crews then begin combing employee profiles for likely targets; they look for employees who appear to be relatively new to the company but are in positions that are likely to give them some sort of privileged access. The attackers use a broad range of public resources to identify potential victims: profiles on social networking sites, public company websites, recruiter tools, background check services and more. They also sometimes create phony LinkedIn profiles to enhance the scam, as the service allows anyone to claim that they work for any company without any kind of verification.
The targets are contacted via VoIP calls, sometimes on their personal phones. The vishing crews pose as fellow employees, often a member of the IT help desk, and use the research they’ve done on the target employee to inspire trust. They then make up some sort of technical issue and tell the employee that they are sending over a new VPN link for them to log into; this of course is the phishing page designed to capture the user credentials. In some cases the attackers go so far as to use “SIM swap” attacks to gain access to the employee’s phone and intercept 2FA or OTP codes.
Vishing service providers
KrebsOnSecurity is reporting that specialized criminal services, usually contracted through the dark web, are the current driving force behind the vishing phenomenon. The groups take on “bounty” requests that are posted to underground forums, usually for access to enterprise-scale organizations.
In addition to registering the phishing domains in countries that allow lookalikes, the attackers use a relative handful of registrars that allow anonymous Bitcoin payments. They also only enable the domains hosting the VPN phishing pages immediately before an attack; some organizations are now actively scanning for the registration of lookalike domains, but many of these registrars will not respond to complaints about a domain that is not active at the time it is filed.
The vishing crews are ultimately looking to gain access to internal company tools. The highest-profile example of this type of attack thus far was the recent breach of Twitter, in which a number of celebrity accounts were taken over and began tweeting out a Bitcoin scam. That particular attack raised questions about how much access to user accounts Twitter employees and contractors have, with Twitter indicating that security standards may have been loosened somewhat due to many employees working from home during the Covid-19 pandemic.
Security researchers interviewed by Krebs believe that the vishing crews have been honing their techniques for several years now, going into open business on the dark web when the pandemic made conditions favorable.
Wired is reporting that the vishing calls appear to be from young people who speak English, but there are no other details as to the identity of the culprits.
Vishing mitigation tips
The FBI provided a number of helpful tips for both organizations and end users looking to prepare themselves for the vishing threat.
For organizations, the most generally useful advice is to implement a 2FA method that cannot be captured or spoofed; for example, a local key or the restriction of VPN access to managed devices only. Krebs points out that Google has had remote-working employees use a physical USB key that requires a manual button press for authentication as the 2FA standard for access to corporate networks since 2017, and says that no employees have been phished for their work login credentials since then.
For the end user, treat any unsolicited calls that ask for a user login with heightened scrutiny. Be vigilant for small discrepancies in URLs and always use a direct bookmark to the known safe VPN login page. The FBI also suggests this as a good opportunity to review shared personal information on various social media accounts and limit things that are unnecessary.
Erich Kron, security awareness advocate at KnowBe4, notes that basic education and awareness is the first (and least costly) line of defense against vishing attacks targeting employees: “To protect against (vishing), organizations need to ensure they educate employees about these types of scams and follow the proper protocols and procedures when they do require support from within the organization. The IT department will never ask employees for their password as part of a training exercise.” And KnowBe4’s data-driven defense evangelist Roger Grimes adds: “Our customers are seeing an increase in phishing attacks above and beyond traditional email channels, like SMS, vishing, and social media. And since the technical defenses aren’t there yet, the best way to fight them, just like in the email world, is good user training. For example, if your end users don’t know that Microsoft would never call them and say that their computer is infected by malware and offer to remove it for a fee, they are far more likely to fall for that type of scam. User awareness is the key. Users need to be made aware of the types of phishing attacks that are occurring in the real world.”