CYBER CRIMINALS TAKE ADVANTAGE OF INCREASED TELEWORK THROUGH VISHING CAMPAIGN
SUMMARY
With so many organizations adopting work from home and enabling VPN access for employees, it’s no surprise that bad actors are taking advantage and launching advanced attacks. In this advisory, actors are observed using social engineering on employees by setting up fake/similar domains to organizations VPN portals and calling them to get them to enter credentials on the faked sites. Best practices to mitigate this are included in the advisory. These include two factor or one time passwords to ensure the user logging in is verified. The principle of least privilege is also cited as a mitigation so that when a user logs in, the surface area they can access is minimized.
Organizational Tips
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
- Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
- Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
- Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
End-User Tips
- Verify web links do not have misspellings or contain the wrong domain.
- Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
- If you receive a vishing call, document the phone number of the calleras well as the domain that the actor tried to send you to and relay this information to law enforcement.
- Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
- Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
- For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit the CISA Security Tips below.
o Avoiding Social Engineering and Phishing Attacks
https://us-cert.cisa.gov/ncas/tips/ST04-014
o Staying Safe on Social Networking Sites
https://us-cert.cisa.gov/ncas/tips/ST06-003
Posted Date: 08/20/2020
Published Date: 08/20/2020
Source: FBI & CISA
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this advisory in response to a voice phishing (vishing)1 campaign. The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification. In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access. Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks. The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme.
