
Voicemail Phishing Attacks Threaten 100,000 Inboxes, Leaving Remote Workers Particularly Vulnerable

A large number of remote workers in particular have fallen victim to a new brand of cyberattack involving voicemail in recent weeks, according to findings published earlier this month by email security firm IronScales. The new threat, which comes in the form of voicemail phishing attacks, is the most recent attempt by cybercriminals to ride the wave of new targets created by the large number of employees relying on digital communication platforms like Zoom, Microsoft Teams, Slack, and Private Branch Exchange (PBX) in the wake of COVID-19.

The new voicemail phishing attacks specifically target companies with remote workers that make use of Private Branch Exchange (PBX). This legacy telephone technology, designed for business communication, appears to have proven ideal for cybercriminals in delivering their phishing attacks by successfully bypassing secure email gateways.

According to IronScales, the voicemail phishing attacks pretend to be standard voicemail notifications from PBX integrations and feature custom subject lines in order to sneak past superficial legitimacy tests. Because PBX is integrated with a target company’s email client to begin with, the cybercriminals’ jobs are made significantly easier.

In total, according to IronScales, voicemail phishing attacks of this kind, also known as “vishing”, have so far threatened almost 100,000 inboxes across the globe belonging to hundreds of companies across all industries, including real estate, oil & gas, engineering, IT, healthcare, financial services and more.

Why are voicemail phishing attacks so successful?

The new voicemail phishing attacks plaguing companies with remote workers—while relatively simple to prevent—are nevertheless wily with regard to their methods.

In order to initiate their attack in a more believable manner, for example, cybercriminals are known to take a number of steps to fool secure email gateways, most notably by customizing the subject line of the email.

Seeing that the attacks are launched with no malicious payload attached—something which would likely undermine the criminals’ secrecy—the emails have proven successful in gaining access to tens of thousands of inboxes across the globe, and are likely to be particularly effective with respect to remote workers based at home. IronScales notes that, in particular, the attacks have proven very capable of outwitting the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol.

“This type of sophistication partially explains why these email attacks are bypassing secure email gateways and the DMARC authentication protocol, as neither are designed to detect or respond to spoofed emails without a malicious payload,” explained Ian Baxter, director of engineering at IronScales.

According to the security firm, this is being done with the intention of trying to coerce remote workers into presenting sensitive information—such as Microsoft Office credentials—in order to access the newly-arrived voicemail. “The attackers are looking to get the recipient to open the malicious attachment to drive to a fake landing page for credential harvesting. The recipient has to enter their O365 login credentials to access the voicemail recording,” IronScales explained to SC Media.

Baxter went on to point out that, in many cases, the voicemail phishing attacks made use of “very targeted” subject lines which included such details as a specific company’s or person’s name.

“It may seem odd for attackers to create phishing websites spoofing PBX integrations as most voicemails are quite benign in the information shared,” Baxter explains in the post. “However, attackers know that the credentials could be used for multiple other logins, including for websites with valuable PII or business information. In addition, any sensitive information that is left in the voicemail could potentially be used for a social engineering attack.”
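A mail-side triage check for the lure described above, as an added example that is not from IronScales or the original article. It assumes the organisation knows which address its PBX integration really sends from; the `KNOWN_PBX_SENDERS` allowlist, the sample message and every address in it are constructed. A `dmarc=pass` result is not counted as evidence of legitimacy, because it only authenticates the domain in the From header.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the address the organisation's own PBX integration sends from.
KNOWN_PBX_SENDERS = {"voicemail@pbx.example.com"}
VOICEMAIL_LURE = re.compile(r"\b(voice\s?mail|voice message|missed call)\b", re.I)

# Constructed sample message, not a captured phishing email.
SAMPLE = """\
From: "Voicemail Service" <notify@vm-alerts.example.net>
To: j.doe@corp.example.com
Subject: New voicemail for J. Doe at Corp Example
Authentication-Results: mx.corp.example.com; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voice message. Open the attachment to listen.
--b1
Content-Type: text/html; name="voicemail.html"
Content-Disposition: attachment; filename="voicemail.html"

<html><body>placeholder</body></html>
--b1--
"""

def triage(raw, known_senders=KNOWN_PBX_SENDERS):
    """Return a list of findings for a voicemail-themed message, else []."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    if not VOICEMAIL_LURE.search(str(msg["Subject"] or "")):
        return []  # subject is not voicemail-themed, nothing to triage here
    findings = []
    known = sender in known_senders
    if not known:
        findings.append("voicemail notice from sender outside PBX allowlist")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" in auth and not known:
        findings.append("dmarc=pass only authenticates the sender's own domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            findings.append(f"HTML attachment: {name}")
    return findings
```
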

Advice for companies—with or without remote workers

According to IronScales, any company which automatically sends voicemails to workers’ inboxes, with or without remote workers, remains at considerable risk of falling victim to voicemail phishing attacks of the kind they recently uncovered. While remote working does compound the underlying risks, any company relying on legacy systems such as PBX should be cautious, according to IronScales.

The first step, the email security firm advises, is to make employees aware that such a threat is out there in the first place. “Make it top of mind for them so that they can catch such abnormalities,” recommended Baxter.

Following this, the right technology would be able to provide a sufficient shield against the threats posed to in-house and remote workers alike by the recent surge in voicemail phishing attacks.

According to Baxter, software such as a computer vision-based scanner would be able to amply detect the background of potentially fraudulent emails—automatically marking them as phishing attacks if and where necessary.