Threat Alert: Surge of Vishing Attacks
The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint alert, warning organizations of the surge of vishing attacks.
What Is Vishing?
Vishing is a type of phishing attack that leverages the phone, in particular, Voice Over Internet Protocol (VoIP), as a means of attack. The commonly known phishing attack weaponized the emails.
In an email-based phishing attack, an attacker sends targets emails that masquerade as coming from legitimate sources. Phishing emails contain malicious attachments or links or both. Clicking on either the malicious attachment or link infects the computer used by the email receiver with malicious software (malware) leading to the stealing of sensitive data.
The adoption of VoIP in the early 2000s as an internet phone that saves money on long-distance and international telephone charges attracted cybercriminals, hopping along with this adoption through vishing. Through the years, vishing came in different formats, often fitting into the popular technology of the time.
The early form of vishing comes in the form of a typical email. Instead of directing the email receiver or the victim to click on either the attachment or link, the victim is asked to provide information over the phone. The phone number provided to the target is, in fact, a VoIP account and is controlled by the attacker. In calling the said number, the victim is led through a series of voice-prompted menus that ask for sensitive information such as account numbers and passwords.
Another early version of vishing comes in a phone call, instead of an email. This phone call comes from a VoIP account as well. The call is initiated by a live person or a recorded message, directing the victim to take action in order to protect an online account.
In recent years, vishing came to light again through SIM swap attacks. In a SIM swap attack, an attacker convinces the customer service employee of a telecommunication company to switch the phone number of a victim over to a SIM card that the attacker controls. With the wide adoption of mobile phones, these phones have been used for 2-factor authentication (2FA), that is, in addition to the single-factor authentication composed of username and password, another layer of authentication is added in the form of a one-time password (OTP) sent to the user’s phone number.
By changing the phone number via SIM swap attack, the attacker gets the OTP, instead of the legitimate user, which could allow the attacker access to the victim’s account, crucial in case the attackers have already gotten hold of the victim’s username and password combination.
Vishing is a targeted form of phishing attack. Targeted phishing attack is referred to as spear-phishing attack. In vishing attacks, attackers already have some personal information about their targets. The revelation of this on-hand personal information gives victims a false sense of security.
Vishing attackers often use VoIP due to the following reasons:
- It’s relatively inexpensive, especially for long-distance calls.
- It’s web-based, which makes it easy for cybercriminals to create fake automated customer service lines.
- Cybercriminals can mask their true phone numbers, fooling caller ID.
- In some cases, cybercriminals use hacked VoIP numbers belonging to legitimate subscribers and use this as a cover to hide their true identity.
Most Recent Vishing Campaigns
According to the FBI and CISA, in mid-July 2020, cybercriminals have started a vishing campaign, gaining access to employee tools at multiple companies. Armed with employees’ credentials, the FBI and CISA said attackers gained access to these companies’ databases and harvested customers’ personal information to leverage in other attacks.
The FBI and CISA said these most recent vishing campaigns follow these steps:
First, an attacker registers domains and webpages imitating the target company’s internal VPN login page for the purpose of capturing one-time passwords (OTP). To make it look that the domains are legitimate, Secure Sockets Layer (SSL) certificates are obtained for the said domains.
Second, an attacker gathers comprehensive personal information about the target employee, including full name, home address, personal cell/phone number, position at company, and duration at company.
Third, using VoIP and using social engineering techniques, such as posing as a member of the target company’s IT help desk, an attacker calls a target employee through the employee’s personal mobile phone and convinces the employee that a new VPN link would be sent and requires login, including the OTP. In convincing the employee, the attacker gains the trust of the target employee through the revelation of the gathered personally identifiable information of the target employee, including name, position, duration at company, and home address.
According to the FBI and CISA, once the target employee login to the purported new VPN link, the credentials entered by the target employee are then used in real-time to gain access to the target company’s corporate tools. In some cases, employees accidentally approve the OTP prompt believing that it was the result of the earlier access granted to the help desk. In other cases, attackers have used a SIM-Swap attack to bypass the OTP or 2FA authentication.
The FBI and CISA said that access to the target company’s corporate tools allows the attackers to conduct further research on victims to “fraudulently obtain funds using varying methods dependent on the platform being accessed”.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” the FBI and CISA said.
The joint alert issued by the FBI and CISA didn’t mention the specific companies that fell victim to vishing attacks. Last July, Twitter attributed the cyberattack on its corporate systems to “phone spear phishing attack”. Vishing, incidentally, is also referred to as phone spear phishing attack.
The cyberattack on Twitter last July 15th allowed the attackers to compromise multiple high-profile verified Twitter accounts of personalities, including that of Bill Gates, Elon Musk and Jeff Bezos. These compromised verified accounts were made part of a cryptocurrency scam in which readers were asked to send bitcoin to a particular address with the promise that twice the amount of bitcoin would be returned.
Mitigations Against Vishing Attacks
Below are some of the FBI and CISA recommendations in mitigating the effects of vishing attacks:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
- Employ the principle of least privilege and implement software restriction policies or other
- controls; monitor authorized user accesses and usage.
- Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
- Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
As you can see, vishing attacks pose a real threat to your business. It’s no longer a matter of “if” it’s a matter of “when”. Our skilled team will review your current infrastructure and will address the issues to mitigate the likelihood of a successful vishing attack within days, and on budget.
Call us now at (416) 920-3000 to schedule a consultation, or email email@example.com