Cybersecurity Threat Advisory 0053-20: Major Vishing Campaign
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have recently issued a warning about the growing threat of “vishing” attacks against companies. Vishing (voice phishing) is a social engineering method that uses voice communication to entice a victim to divulge sensitive information through the initiation a phone call. SKOUT recommends following best practices in avoiding social engineering and phishing attacks, in general, and being especially vigilant and aware of the increased use of phone calls in perpetrating social engineering attacks.
Technical detail and additional information
What is the threat?
Due to the COVID-19 pandemic, there has been a mass shift of company personnel working from home and an increased use corporate virtual private networks (VPNs). An ongoing wave of vishing attacks has been targeting U.S. private sector companies and organizations, especially in the new work-from-home (WFH) demographic. The basic routine of the attack usually includes the criminals, posing as other persons, calling the potential victims in order to obtain personal and/or company information. Cybercriminals can use vished credentials to mine victim company databases for further sensitive company information to leverage in other attacks, with the end goal of monetizing the access.
Why is this noteworthy?
The vishing campaign follows a common thread wherein the bad actors register domains and create phishing pages attempting to duplicate a company’s intranet and VPN login pages, while using the targeted phone calls to lure the victims into entering sensitive information into the criminal’s data harvesting sites. Victims may easily be fooled through skillfully crafted schemes that include the psychological manipulation of social engineering coupled with phishing sites that have domain names that one may not initially question due to it appearing to be legitimate. In an effort to pull off a targeted attack of such, many cybercriminals will actually purchase an SSL certificate for their phishing site, which makes the site appear to be more trustworthy and less suspicious.
What is the exposure or risk?
While neither email phishing nor voice phishing are new types of social engineering attacks, the new paradigms imposed by the COVID-19 pandemic increase the potential risk due to the increased amount of potential exposure. The emergency situations faced by many companies in having to create a work-from-home workforce have left many much more vulnerable than they would prefer to be. Varying levels of user security awareness, technical proficiency, and overall company preparedness has broadened the field of targets in these ongoing social engineering attacks.
What are the recommendations?
SKOUT recommends providing security awareness training within your organization and following best practices to protect your company and its data against vishing and other social engineering attacks.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
- Bookmark the correct corporate domains and websites, and do not visit alternative URLs on the sole basis of an inbound phone call.
- If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to management and the appropriate authorities, if warranted.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.