The Cybersecurity and Infrastructure Security Agency ( CISA ) and the Federal Bureau of Investigation (FBI) have issued an alert to warn of a voice phishing (vishing) campaign targeting the employees of multiple organizations.
As part of the attacks, which started in mid-July, adversaries were attempting to gain access to employee tools via phishing phone calls. Once they were in the possession of credentials, the attackers would access the databases of victim companies to harvest information on their customers and conduct further attacks.
“The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme,” the two agencies reveal.
In preparation of the attacks, the adversaries registered bogus domains and created fake pages mimicking the internal login pages for virtual private networks (VPNs) at the targeted companies. These pages were also meant to bypass multi-factor authentication methods by capturing two-factor authentication (2FA) codes or one-time passwords (OTP).
To ensure they were successful, the attackers used Secure Sockets Layer (SSL) certificates for the bogus domains, along with various domain naming schemes, to trick victims into believing they were accessing support, ticket, or employee websites within their organizations.
According to the two agencies, the attackers used social media, recruiter and marketing tools, open-source research, and publicly available background check services to harvest information on employees at the targeted organizations, including their names, addresses, and phone numbers, along with information on their position and duration at the company.
Using unattributed Voice over Internet Protocol (VoIP) numbers and spoofing the phone numbers of offices and employees within the victim company, the attackers then started calling the employees, attempting to trick them into revealing their VPN login information by accessing a new VPN link.
“The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee,” the alert reads.
Once the employees revealed their login information, the adversaries used it in real-time to access corporate tools. In some cases, the employees approved the 2FA or OTP prompts, while in others SIM-swap attacks were used to bypass the additional authentication factor.
Leveraging the fraudulently obtained access, the attackers gathered additional information on victims, or attempted to steal funds using various methods.
The campaign was successful mainly because of the mass shift toward working from home during the COVID-19 pandemic, which led to an increase in the use of corporate VPN. Similar campaigns observed prior to the pandemic exclusively targeted telecommunications and Internet service providers.
To stay protected, organizations are advised to restrict VPN connections to managed devices only, restrict VPN access hours, monitor applications for unauthorized access, use domain monitoring to identify phishing domains, improve 2FA and OTP messaging, and educate employees on vishing and other phishing techniques.