FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers

An ongoing voice phishing (vishing) campaign is targeting remote workers across multiple industry sectors. The threat actors impersonate a trusted entity and use social engineering techniques to get targets to disclose their corporate Virtual Private Network (VPN) credentials.

The Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory about the campaign, which has been running since mid-July.

The COVID-19 pandemic forced many employers to allow their entire workforce to work from home and connect to the corporate network over VPNs. If those VPN credentials are obtained by cybercriminals, they can be used to access the corporate network.

The threat group first purchases and registers domains that host phishing pages spoofing the targeted company's internal VPN login page, and obtains SSL certificates for those domains so they appear authentic. Several naming schemes are used to make the domains look legitimate, such as [company]-support, support-[company], and employee-[company].
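The naming schemes above are simple enough to match mechanically, which is what a domain monitoring feed would do for a defender. The following is an added example, not code from the advisory or the article: it takes a company token and a list of newly observed domains (a constructed sample standing in for a certificate transparency or new-registration feed) and flags the three schemes the advisory names, then goes beyond them to flag any hyphenated label containing the brand token and any label that merely contains it. The company name, the sample domains and the single-label public suffix assumption are all assumptions.

```python
from typing import List, Optional, Tuple

# Naming schemes named in the advisory, written as label templates.
# "{c}" is the company token.
ADVISORY_SCHEMES = ["{c}-support", "support-{c}", "employee-{c}"]

# Constructed sample of newly observed domains (not real feed data).
SAMPLE_NEW_DOMAINS = [
    "examplecorp-support.com",
    "support-examplecorp.net",
    "employee-examplecorp.com",
    "examplecorp.com",            # the company's own domain: must not be flagged
    "vpn-examplecorp-login.org",  # brand token with hyphens, not one of the three schemes
    "examplecorpsupport.com",     # brand token without hyphens
    "unrelated-support.com",      # no brand token at all
]


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix.

    Assumes a single-label suffix such as .com or .net; multi-label
    suffixes such as .co.uk are not handled in this example.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str, company: str) -> Optional[str]:
    """Classify a domain relative to a company token.

    'advisory-scheme'  : label exactly matches one of the three schemes above
    'hyphenated-brand' : label is the brand token joined by hyphens to other words
    'contains-brand'   : label contains the brand token in some other way
    None               : no resemblance by these rules (includes the real domain)
    """
    c = company.lower()
    label = registrable_label(domain)
    if label == c:
        return None
    if label in {s.format(c=c) for s in ADVISORY_SCHEMES}:
        return "advisory-scheme"
    words = label.split("-")
    if len(words) > 1 and c in words:
        return "hyphenated-brand"
    if c in label:
        return "contains-brand"
    return None


def find_lookalikes(domains: List[str], company: str) -> List[Tuple[str, str]]:
    """Return (domain, classification) for every domain that resembles the brand."""
    findings = []
    for d in domains:
        cls = classify_domain(d, company)
        if cls is not None:
            findings.append((d, cls))
    return findings


if __name__ == "__main__":
    for domain, cls in find_lookalikes(SAMPLE_NEW_DOMAINS, "examplecorp"):
        print(f"{cls:17s} {domain}")
```

In practice the input list would come from a certificate transparency monitor or a registrar feed, and a hit on one of the three advisory schemes would warrant a takedown request and a block on the corporate web proxy before any employee receives a call.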

The threat group then gathers information about company employees by scraping social media profiles and compiles dossiers on specific employees. The types of information collected include personal information such as an employee’s name, address, personal phone number, job title, and length of time at the company. That information is then used to gain the trust of the targeted employee.

Employees are then called from a voice-over-IP (VoIP) number. Initially the VoIP number was anonymous, but later in the campaign the attackers started spoofing the number to make it appear that the call was coming from a company office or another employee in the firm. Employees are told they will receive a link that they need to click to log in to a new VPN system. They are also told that they will need to respond to any two-factor authentication (2FA) and one-time password (OTP) communications sent to their phone.

The attackers capture the login information as it is entered into their fraudulent website and use it to log in to the company's genuine VPN page. They then capture and use the 2FA code or one-time password when the employee responds to the SMS message.

The attackers have also used SIM swapping to bypass the 2FA/OTP step, using the information gathered about the employee to convince their mobile telephone provider to port the phone number to a SIM controlled by the attacker. This ensures any 2FA code is sent directly to the attacker. The threat actors then use the credentials to access the company network and steal sensitive data for use in further attacks. The FBI and CISA say the end goal is to monetize the VPN access.

The FBI and CISA recommend that organizations restrict VPN connections to managed devices using mechanisms such as hardware checks or installed certificates, restrict the hours during which VPNs can be used to access the corporate network, use domain monitoring tools, and monitor web applications for unauthorized access and anomalous activity.

A formal authentication procedure should also be introduced for employee-to-employee communications over the public telephone network, requiring a second factor to authenticate the caller before any sensitive information is disclosed.

Organizations should also monitor authorized users' access and usage to identify anomalous activity, and employees should be informed about the scam and instructed to report any suspicious calls to their security team.
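Three of the recommendations above (managed devices only, restricted VPN hours, and monitoring authorized users for anomalous activity) can be checked against VPN authentication logs. The following is an added example, not code from the advisory or from any VPN product: it parses a constructed log format (ISO timestamp, user, source IP, whether a device certificate was presented, result) and reports successful logins that came from a device without a certificate, fell outside an assumed business-hours window, or came from an address not in that user's baseline. The log lines, the baseline addresses and the 07:00 to 20:00 window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed sample VPN authentication log (not from any real system).
# Columns: ISO timestamp, user, source IP, device certificate presented, result.
SAMPLE_LOG = """\
2020-08-20T09:02:11 alice 203.0.113.10 cert=yes result=success
2020-08-20T09:15:40 bob 198.51.100.7 cert=yes result=success
2020-08-20T22:47:03 alice 192.0.2.55 cert=no result=success
2020-08-20T10:05:19 carol 203.0.113.44 cert=yes result=success
2020-08-20T10:06:02 carol 203.0.113.44 cert=yes result=failure
2020-08-21T03:12:58 bob 198.51.100.7 cert=yes result=success
"""

# Constructed baseline: addresses each user has previously authenticated from.
BASELINE_IPS: Dict[str, Set[str]] = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
    "carol": {"203.0.113.44"},
}

# Assumed window during which VPN access is permitted (inclusive).
ALLOWED_HOURS = (time(7, 0), time(20, 0))


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    has_cert: bool
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one line of the constructed log format into an AuthEvent."""
    ts, user, ip, cert, result = line.split()
    return AuthEvent(
        ts=datetime.fromisoformat(ts),
        user=user,
        src_ip=ip,
        has_cert=(cert == "cert=yes"),
        success=(result == "result=success"),
    )


def find_anomalies(log_text: str,
                   baseline: Dict[str, Set[str]],
                   allowed_hours=ALLOWED_HOURS) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, reason) for each successful login that violates
    one of the controls: no device certificate, outside allowed hours, or a
    source address not in the user's baseline. Failed logins are skipped here
    because the controls concern access that was actually granted."""
    start, end = allowed_hours
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if not ev.success:
            continue
        reasons = []
        if not ev.has_cert:
            reasons.append("no-device-cert")
        if not (start <= ev.ts.time() <= end):
            reasons.append("off-hours")
        if ev.src_ip not in baseline.get(ev.user, set()):
            reasons.append("new-source-ip")
        for reason in reasons:
            findings.append((ev.user, ev.ts.isoformat(), reason))
    return findings


if __name__ == "__main__":
    for user, when, reason in find_anomalies(SAMPLE_LOG, BASELINE_IPS):
        print(f"{when} {user:6s} {reason}")
```

Alice's 22:47 login trips all three rules at once, which is the shape a credential stolen over the phone and replayed from the attacker's machine would take; a single off-hours login from a known device and address, like Bob's, is a weaker signal on its own and is better treated as a policy violation than an incident until corroborated.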

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.