Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges.
Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents aimed at stealing credentials for corporate accounts, including credentials used for network access and privilege escalation. The shift to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor network access and privilege escalation, which could allow these attacks to go undetected.
The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking employees may not give them the access to systems, networks, or data they seek, those credentials give them a foothold that can be used to get greater network access, including the ability to escalate privileges.
Threat actors are using VoIP platforms to call corporate employees and obtain their credentials. One way this is achieved is by convincing an employee to log in to a phishing webpage that harvests credentials. For instance, the caller may impersonate a member of the IT team and tell the employee to visit a webpage, supposedly to update their software or for security reasons.
In one of the recent attacks, cybercriminals identified an employee of the targeted company in its chatroom, made contact, and convinced the employee to log in to a fake VPN page. They stole the employee's credentials, logged in remotely to the VPN, and performed reconnaissance to find an employee with higher privileges. The aim was to find an employee with permissions to change usernames and email credentials. Once such an individual was identified, contact was made and the scam was repeated, this time using a chatroom messaging service to phish that employee's credentials.
This is the second FBI warning on vishing to have been issued in the past year, and the tactic has been used in attacks since at least December 2019. To improve defenses against these attacks, the FBI made the following recommendations:
- Implement multi-factor authentication for accessing employee accounts.
- Grant network access to new employees on a least-privilege basis.
- Regularly review network access for employees to identify weak spots.
- Scan and monitor for unauthorized network access and changes to permissions.
- Adopt network segmentation to control the flow of network traffic.
- Provide administrators with two accounts: one with admin privileges, used only for system changes, and a second, non-privileged account for deploying updates, email, and report generation.
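The attack chain in the alert (a stolen credential used for a VPN login from a source the account has never used, followed by that account changing someone else's permissions or credentials) is a good candidate for the "scan and monitor" recommendation above. The script below is an added example, not part of the FBI alert or this article: it correlates VPN logins against a per-account baseline of known source addresses, raises a low-severity alert for a first-seen source, escalates to high severity when that account then performs a permission change or credential reset within a watch window, and reports any new source shared by more than one phished account. The key=value log format, the field names, the sample lines, and the baseline are all constructed for the example.

```python
"""Detection sketch for the vishing follow-on chain: stolen credentials are used
for a VPN login from a source the account has never used, and shortly afterwards
that account changes someone else's permissions or credentials.

The log format (key=value pairs), the sample lines and the baseline below are
constructed for this example; map the field names to your own VPN and
directory audit logs."""
from datetime import datetime, timedelta

# Hypothetical tunable: how long after a first-seen-source login we treat
# permission or credential changes by that account as suspicious.
WATCH_WINDOW = timedelta(hours=4)

# Constructed baseline: source addresses each account has used before.
KNOWN_SOURCES = {
    "jdoe": {"192.0.2.5"},
    "asmith": {"198.51.100.7"},
}

# Constructed sample events (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2021-01-13T17:44:03Z event=vpn_login user=asmith src=198.51.100.7 result=success
2021-01-13T17:50:21Z event=perm_change actor=asmith target=vpn_users change=add_member member=newhire
2021-01-14T08:02:11Z event=vpn_login user=jdoe src=203.0.113.10 result=success
2021-01-14T09:15:40Z event=vpn_login user=asmith src=203.0.113.10 result=success
2021-01-14T09:31:02Z event=cred_reset actor=asmith target=cfo@example.com
2021-01-14T11:05:55Z event=perm_change actor=asmith target=finance_admins change=add_member member=jdoe
"""


def parse_line(line):
    """Turn '<ISO timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events, known_sources):
    """Return alerts in time order. Does not modify known_sources."""
    known = {user: set(srcs) for user, srcs in known_sources.items()}
    watched = {}  # user -> (login time, source) of their latest first-seen-source login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev.get("event")
        if kind == "vpn_login" and ev.get("result") == "success":
            user, src = ev["user"], ev["src"]
            if src not in known.setdefault(user, set()):
                known[user].add(src)
                watched[user] = (ev["ts"], src)
                alerts.append({"severity": "low", "type": "new_source_login",
                               "ts": ev["ts"], "user": user, "src": src})
        elif kind in ("perm_change", "cred_reset"):
            actor = ev["actor"]
            if actor in watched:
                login_ts, src = watched[actor]
                if ev["ts"] - login_ts <= WATCH_WINDOW:
                    alerts.append({"severity": "high",
                                   "type": "privilege_change_after_new_source_login",
                                   "ts": ev["ts"], "user": actor, "src": src,
                                   "event": kind, "target": ev.get("target")})
    return alerts


def shared_new_sources(alerts):
    """Sources that were first-seen for more than one account. One attacker host
    reusing several phished identities produces exactly this pattern."""
    by_src = {}
    for alert in alerts:
        if alert["type"] == "new_source_login":
            by_src.setdefault(alert["src"], set()).add(alert["user"])
    return {src: users for src, users in by_src.items() if len(users) > 1}


ALERTS = detect(parse_log(SAMPLE_LOG), KNOWN_SOURCES)

if __name__ == "__main__":
    for a in ALERTS:
        extra = f" {a['event']} target={a['target']}" if "event" in a else ""
        print(f"[{a['severity']:4}] {a['ts']:%Y-%m-%d %H:%M} {a['type']} "
              f"user={a['user']} src={a['src']}{extra}")
    print("shared new sources:", shared_new_sources(ALERTS))
```

Run on the sample, the benign permission change on 13 January (made from asmith's usual address) produces nothing, while the two logins from 203.0.113.10 each raise a low alert and the credential reset and group change that follow asmith's new-source login raise high alerts; the shared-source report ties jdoe and asmith to the same address, which is the reconnaissance-then-escalation chain described in the article. In a real deployment the baseline should be built from historical VPN logs rather than hand-written, and the watch window tuned to how quickly legitimate administrators act after connecting.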