FBI Warns of Increase in Vishing Attacks
Hackers Attempt to Collect VPN Credentials
The FBI is warning that hackers are increasingly using voice phishing, or vishing, to target remote workers as a way of harvesting VPN and other credentials to gain initial access to corporate networks.
Over the last year, the FBI says, hackers have used vishing and other social engineering techniques to target employees at U.S. and international corporations that use VoIP services.
"After gaining access to the network, many cybercriminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage," the FBI notes in an alert.
In another warning issued in August 2020, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned that hackers were using vishing techniques to target remote and at-home employees (see: Alert: Vishing Attacks Are Surging).
Examples of Techniques
The latest FBI alert describes several incidents in which hackers successfully used social engineering techniques to target employees.
In one case, hackers targeted U.S. and international employees of an organization and used vishing techniques to collect VPN credentials.
"During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password," according to the FBI, which did not name the organization targeted.
In another case, hackers befriended an employee at an unidentified organization through the company’s chat room and persuaded them to log into a fake VPN page that the attackers controlled.
"The actors used these credentials to log into the company’s VPN and performed reconnaissance to locate someone with higher privileges," according to the alert. "The cybercriminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cybercriminals used a chatroom messaging service to contact and phish this employee’s login credentials."
Oliver Tavakoli, CTO at security firm Vectra, says the increase in vishing attacks is not surprising considering so many employees now work from home, using devices that may lack security protections.
"Phishing voice calls - vishing - are the flavor of the day that fits right into a broader theme of attacks which leverage the fact that employees are working in unfamiliar surroundings and don't have as clear an expectation of what is and is not legitimate right now," Tavakoli says. "While companies should always strive to reduce the success rate of such inbound attacks, it will be near impossible to stop them all, and all of these attempts should be considered to be no more than a filter."
Security experts note that organizations can help prevent vishing attacks by training employees on how to spot them.
"Nowadays, it's incredibly important to train employees on how to spot these phishing attempts, especially as they do more work on mobile devices," says Chris Hazelton, a director at security firm Lookout. "This should include emphasizing that users should only visit known and trusted websites, instead of clicking unknown links no matter their source."
To mitigate risks, the FBI alert also advises organizations to deploy multifactor authentication and to review whether employees' level of access to internal systems and networks is appropriate for their roles.