A sophisticated, organized network of cybercriminals is now conducting successful vishing attacks against employees across multiple companies, all with the goal of stealing financial assets. So what is 'vishing'?
Voice phishing is a form of criminal phone fraud that uses social engineering over the traditional telephone system to gain access to private personal and financial information for financial gain. 'Vishing' is a play on 'voice' and 'phishing.' It is actually an old tactic; sometimes what is old becomes new again.
These criminals combine extensive knowledge of security procedures (physical as well as cyber) with traditional social engineering techniques. They use commercially available Virtual Private Network (VPN) services, VoIP platforms, and throw-away email accounts (e.g., temp-mail) while accessing a company's network to hinder detection by corporate security or law enforcement. They identify employees through popular social networking sites, then use publicly available online background-check services to obtain an employee's personally identifiable information (PII) and use it to craft calls and voicemails. They spoof or build fake websites that imitate the real VPN or remote-access portal, using a naming convention similar to the company's real domain (often a typo-squatted variant), to capture the employee's login credentials. Once inside the network, the criminals can communicate directly with other employees, move laterally, and search for information (including the company's structure and employee roster) to expand their access privileges and feed further social engineering.
The criminals are capitalizing on the COVID-19 pandemic, work-from-home (WFH) connectivity, and VPN problems. Once inside the network, they specifically identify and target employees who recently submitted IT-support tickets. In some cases they have compromised a company's customer account data and used it for further financial crimes, including gaining access to additional customers' accounts.
The actors then monetize the victim's network access in several ways, including but not limited to selling accounts or access and running payment scams.
Techniques and tactics the criminals use to access a company's network:
- Verbally convince employees to share their one-time passwords (OTPs) directly, or urge them to enter the OTP into the fake login site, including OTPs used to authenticate hardware;
- Use expert social engineering to get employees to share the system requirements needed to bypass security controls and connect to the company's network infrastructure;
- Impersonate corporate security or IT support staff to obtain employees' security verification questions and answers;
- Impersonate employees when verifying identity with the real security or IT support team in order to obtain network access;
- Create virtual machines (VMs) that mimic company devices with the required configuration (e.g., operating system, anti-virus software) to pass security checks, then convince the security or IT support team to image their VMs and issue the certificate required to access the company's network; and/or,
- In the case of small and medium businesses, steal the certificates from the targeted company's service providers, a third party, or an employee's system they previously compromised.
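To make the first technique in the list concrete, here is an added example (not code from the article or from Red Sky Alliance) that implements RFC 4226 HOTP / RFC 6238 TOTP with the Python standard library, builds a small login portal with a one-use replay cache, and plays through the relay: the victim reads the current code to the "help desk" or types it into the look-alike site, and the attacker submits it to the real portal seconds later. It also shows, with an HMAC stand-in for a FIDO signature, why the hardware-token recommendation in the best practices below holds up: the token signs the origin the browser is actually on, so an assertion produced on the look-alike site fails at the real one. The usernames, passwords, token key, challenge and the fake hostname vpn.examp1ecorp.com are all constructed for the example.

```python
"""Why a relayed OTP does not stop a vishing login, and why an
origin-bound hardware token does.

Added example, not code from the article. Implements RFC 4226 HOTP /
RFC 6238 TOTP with the standard library, a portal with a one-use replay
cache, and the relay the article describes. Names, secrets and the
fake-portal hostname are constructed for illustration.
"""
import hashlib
import hmac
import struct

STEP = 30
DIGITS = 6
NOW = 1_700_000_010          # fixed clock for a deterministic run (a multiple of STEP)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class Portal:
    """Password + TOTP login with a replay cache: each code counter is accepted once."""

    def __init__(self, users):
        self.users = users       # username -> (password, totp_secret); constructed
        self.used = set()        # (username, counter) values already consumed

    def login(self, user, password, code, now):
        expected_pw, secret = self.users[user]
        if not hmac.compare_digest(password, expected_pw):
            return "denied: bad password"
        counter = now // STEP
        for skew in (-1, 0, 1):                       # tolerate one step of clock drift
            if hmac.compare_digest(code, hotp(secret, counter + skew)):
                if (user, counter + skew) in self.used:
                    return "denied: code already used"
                self.used.add((user, counter + skew))
                return "accepted"
        return "denied: bad code"


def vishing_relay(real: Portal, user, password, secret, now=NOW):
    """The attack from the list above: the victim gives password and current code to the
    attacker (by phone or on the look-alike site); the attacker relays them at once."""
    victim_code = totp(secret, now)                    # read off the authenticator app
    attacker = real.login(user, password, victim_code, now + 5)
    victim = real.login(user, password, victim_code, now + 10)   # victim's own attempt next
    return attacker, victim


def origin_bound_assertion(token_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a FIDO/WebAuthn assertion: the authenticator signs the server
    challenge together with the origin the browser is actually on. Real tokens sign
    with an asymmetric key; HMAC is used here only to keep the example self-contained."""
    return hmac.new(token_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def verify_assertion(token_key: bytes, challenge: bytes, expected_origin: str,
                     assertion: bytes) -> bool:
    return hmac.compare_digest(assertion,
                               origin_bound_assertion(token_key, challenge, expected_origin))


def relayed_token_assertion_accepted() -> bool:
    """Same relay against a hardware token: the victim's browser is on the look-alike
    site, so the token binds that origin; the real portal checks its own origin."""
    token_key = b"constructed-token-secret"
    challenge = b"constructed-challenge-from-real-portal"   # relayed to the victim by the attacker
    assertion = origin_bound_assertion(token_key, challenge, "https://vpn.examp1ecorp.com")
    return verify_assertion(token_key, challenge, "https://vpn.examplecorp.com", assertion)


def demo():
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret
    real = Portal({"alice": ("hunter2", secret)})
    return vishing_relay(real, "alice", "hunter2", secret), relayed_token_assertion_accepted()


if __name__ == "__main__":
    (attacker, victim), token_ok = demo()
    print("relayed OTP login:", attacker)                  # accepted
    print("victim's own login:", victim)                   # denied: code already used
    print("relayed token assertion accepted:", token_ok)   # False
```

The replay cache does exactly what it promises and still does not help: the attacker's submission is the first use of the code, so it is the victim who is locked out. Nothing in the OTP ties it to where it was typed, which is why the origin-bound assertion is the only one of the two that fails on relay.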
Some Cyber Security Best Practices and Tips:[1]
- Improve two-factor authentication (2FA) and OTP messaging to reduce confusion about employee authentication attempts, and reduce or eliminate reliance on OTPs for 2FA by using physical hardware tokens for access.
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
- Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized users' access and usage.
- Consider using a formalized authentication process for employee-to-employee communications over the public telephone network, where a second factor is used to authenticate the phone call before sensitive information is discussed.
End-User Tips:
- Verify web links do not have misspellings or contain the wrong domain.
- Bookmark the correct corporate VPN website or URL and do not visit alternative URLs on the sole basis of an inbound phone call.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information. If possible, try to verify the caller’s identity directly with the company.
- If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
- Limit the amount of personal information you post on social networking sites. The Internet is a public resource; only post information you are comfortable with anyone seeing.
- Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
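The domain-monitoring practice above and the two end-user tips about misspelled links and bookmarked VPN URLs come down to the same check: does a domain or link resemble ours without being ours? Here is an added example (not code from the article or from Red Sky Alliance) that generates the common typo-squat forms of a protected domain (omissions, doubled letters, transposed letters, confusable characters, hyphenation, "vpn-"/"-login" bolt-ons, wrong TLDs), screens a feed of new registrations against them, and classifies a URL a caller asks you to visit, including the case where the brand is buried in a subdomain of an unrelated domain. The domain examplecorp.com, the bookmark, and the registration feed are constructed for the example; the code also assumes single-label TLDs (no co.uk-style suffixes), which a production version would handle with the Public Suffix List.

```python
"""Look-alike domain checks for a protected corporate domain.

Added example: generates common typo-squat forms of a protected domain,
screens a feed of newly registered domains against them (domain monitoring),
and classifies a URL that a caller asks you to visit. The domain, hostnames
and feed below are constructed for illustration.
"""
from urllib.parse import urlparse

PROTECTED = "examplecorp.com"                     # hypothetical corporate domain
BOOKMARKED = ("https://vpn.examplecorp.com/",)    # the one URL users should use

# Visually confusable substitutions commonly seen in squat domains.
CONFUSABLES = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
               "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "b": ["d"]}
BOLT_ONS = ("vpn", "remote", "sso", "login", "portal")
ALT_TLDS = ("com", "co", "net", "org", "cc")


def split_domain(domain):
    """Return (label, tld). Simplification: assumes a single-label TLD."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def typosquat_candidates(domain=PROTECTED):
    """Generate look-alike registrable domains for `domain`."""
    label, tld = split_domain(domain)
    cands = set()
    for i, ch in enumerate(label):
        cands.add(f"{label[:i]}{label[i + 1:]}.{tld}")          # omission
        cands.add(f"{label[:i]}{ch}{label[i:]}.{tld}")          # doubled letter
        for sub in CONFUSABLES.get(ch, []):
            cands.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")  # confusable character
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        cands.add(f"{swapped}.{tld}")                           # transposition
    for i in range(1, len(label)):
        cands.add(f"{label[:i]}-{label[i:]}.{tld}")             # hyphenation
    for word in BOLT_ONS:                                       # vpn-examplecorp, examplecorplogin
        cands.update({f"{label}-{word}.{tld}", f"{word}-{label}.{tld}", f"{label}{word}.{tld}"})
    cands.update(f"{label}.{alt}" for alt in ALT_TLDS)          # wrong TLD
    cands.discard(domain.lower())
    return cands


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain, protected=PROTECTED):
    """Why `domain` resembles `protected`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == protected:
        return None
    if domain in typosquat_candidates(protected):
        return "matches generated typo-squat pattern"
    d_label, _ = split_domain(domain)
    p_label, _ = split_domain(protected)
    if p_label in d_label:
        return "embeds protected brand label"
    if levenshtein(d_label, p_label) <= 2:
        return "within edit distance 2 of protected label"
    return None


def screen_new_registrations(feed, protected=PROTECTED):
    """Domain monitoring: return [(domain, reason)] for suspicious registrations."""
    flagged = []
    for d in feed:
        reason = lookalike_reason(d, protected)
        if reason:
            flagged.append((d.lower(), reason))
    return flagged


def _hostname(url):
    """Hostname of a URL; tolerate a bare hostname read out over the phone."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def check_url(url, bookmarked=BOOKMARKED, protected=PROTECTED):
    """Classify a link a caller wants you to visit: 'bookmarked' (exact host you
    already use), 'own-domain', 'lookalike', or 'unknown'."""
    host = _hostname(url)
    if host in {_hostname(u) for u in bookmarked}:
        return "bookmarked"
    registrable = ".".join(host.split(".")[-2:])
    if registrable == protected:
        return "own-domain"
    if lookalike_reason(registrable, protected):
        return "lookalike"
    if split_domain(protected)[0] in host:      # brand buried in a subdomain
        return "lookalike"
    return "unknown"


# Constructed sample "new registration" feed; not real observations.
SAMPLE_FEED = ["examp1ecorp.com", "examplecorp-vpn.com", "exampelcorp.com",
               "examplecorp.co", "weather-today.org", "examplecorp.com",
               "remote-examplecorp.net", "examplekorp.com"]

if __name__ == "__main__":
    for d, why in screen_new_registrations(SAMPLE_FEED):
        print(f"FLAG {d:24} {why}")
    for u in ("https://vpn.examplecorp.com/", "vpn.examp1ecorp.com",
              "https://vpn.examplecorp.com.portal-login.net/", "https://weather-today.org/"):
        print(f"{check_url(u):12} {u}")
```

Two design points: the generated set catches the forms attackers actually register, while the edit-distance and substring checks catch variants the generator did not anticipate; and `check_url` compares the exact hostname against the bookmark first, so anything that is not the bookmark is treated with suspicion even when it looks plausible.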
Red Sky Alliance has been tracking cyber criminals for years. Throughout our research we have learned from our clients that installing, updating and monitoring firewalls, employing cyber security best practices and providing proper employee training are keys to success, yet at times are unfortunately not enough. Our CTAC and RedXray tools provide a valuable look into the underground, where malware and its many variants are bought and sold, including forum discussions of vishing techniques. Our information can supplement existing protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and cyber threat analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but it is often dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://nakedsecurity.sophos.com/2020/12/08/vishing-criminals-let-rip-with-two-scams-at-once/