The COVID-19 pandemic has forced many companies to change working practices and allow large numbers of employees to work remotely from home. In healthcare, employees have been allowed to work remotely and provide telehealth services to patients. While this move is important for virus control and to ensure patients still have access to the medical services they need, remote working introduces cybersecurity risks and cybercriminals are taking advantage. There has been a significant rise in cyberattacks targeting remote workers over the past three months.
A variety of tactics are being used to trick remote workers into installing malware or divulging credentials, and a new method has now been uncovered by cybersecurity firm IRONSCALES.
In a recent report, IRONSCALES revealed threat actors are spoofing messages automatically generated by Private Branch Exchange (PBX) systems to steal credentials. PBX is a legacy phone system used by many enterprises to automate the handling of calls. One of the features of these systems is the ability to record voicemail messages and send recordings directly to users’ inboxes. These systems have been hugely beneficial during the COVID-19 pandemic, as they ensure that employees never miss important voicemail messages while working remotely. They have also given cybercriminals another way of conducting an attack.
In this campaign, the attackers spoof messages from the PBX system and inform an employee that they have a new voicemail message. The emails are personalized and include the user’s name or company name to make it appear that the messages are genuine. Subject lines in the messages are also carefully crafted to spoof the messages sent by real PBX systems.
To hear the messages, users are directed to a website that spoofs PBX integrations with the aim of stealing credentials. “It may seem odd for attackers to create phishing websites spoofing PBX integrations as most voicemails are quite benign in the information shared. However, attackers know that the credentials could be used for multiple other logins, including for websites with valuable PII or business information,” explained IRONSCALES. “In addition, any sensitive information that is left in the voicemail could potentially be used for a social engineering attack.”
IRONSCALES detected this voice phishing (vishing) campaign in mid-May. According to the report, the campaign is being conducted globally and at least 100,000 mailboxes have been targeted.
“If your organization automatically sends voicemails to workers’ inboxes, then your company is at risk of falling victim to this scam. As we know, if an email looks real then someone will fall for it,” explained IRONSCALES.
IRONSCALES suggests raising awareness of this scam with remote workers and implementing an email security system capable of detecting and blocking email security threats such as this one. The spoofed voicemail messages have so far been effective at bypassing DMARC anti-spoofing measures.
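Because the spoofed notifications get past DMARC, a mail filter can instead look at message structure: a genuine PBX notification carries the recording, while the lure sends the user to a website. The following Python check is an added illustration, not code from IRONSCALES or from the article; the sender address, trusted host, subject pattern and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for illustration: the organisation's real PBX sender and link hosts.
PBX_SENDERS = {"pbx@corp.example"}
TRUSTED_LINK_HOSTS = {"corp.example"}
VOICEMAIL_RE = re.compile(r"voice\s*-?\s*mail|voice message|missed call", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def trusted(host):
    """True if host is a trusted domain or one of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)

def score_voicemail_lure(raw):
    """Return (score, reasons) for a raw RFC 5322 message; higher is more suspicious."""
    msg = message_from_string(raw)
    if not VOICEMAIL_RE.search(msg.get("Subject", "")):
        return 0, []  # not voicemail-themed, out of scope for this check
    reasons = []
    if parseaddr(msg.get("From", ""))[1].lower() not in PBX_SENDERS:
        reasons.append("sender is not the known PBX address")
    has_audio, hosts = False, set()
    for part in msg.walk():
        maintype = part.get_content_maintype()
        if maintype == "audio":
            has_audio = True
        elif maintype == "text":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            hosts |= {urlparse(u).hostname for u in URL_RE.findall(body)}
    untrusted = sorted(h for h in hosts if h and not trusted(h))
    if untrusted:
        reasons.append("links to untrusted host: " + ", ".join(untrusted))
    if hosts and not has_audio:
        reasons.append("no recording attached; user is sent to a website instead")
    return len(reasons), reasons

# Constructed sample resembling the lure the article describes (personalised, link only).
SPOOFED = (
    'From: "PBX Voicemail" <voicemail@pbx-notify.example>\n'
    "To: alice@corp.example\n"
    "Subject: New voicemail for Alice (00:42)\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Alice, you have a new voice message.\n"
    "Listen here: https://voicemail-portal.example/login?u=alice\n"
)

if __name__ == "__main__":
    print(score_voicemail_lure(SPOOFED))
```

A score like this is a triage signal for quarantine or analyst review, and the allowlists need to reflect how the organisation's own PBX actually formats its notifications.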