The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory warning employers about a new threat targeting remote workers.
The latest attacks by corporate computer hackers were first mounted in mid-July and rely on a technique called voice phishing, or “vishing.”
“Cybercriminals started a vishing campaign – gaining access to employee tools at multiple companies with indiscriminate targeting – with the end goal of monetizing the access,” the agencies reported.
The cybercriminals identify a company target and exhaustively research its workforce, according to attorneys Kevin Cloutier and Mikela Sutrina of the law firm of Sheppard Mullin Richter & Hampton. The attackers compile dossiers on employee victims based on a “scrape” of their virtual social media presence that gathers personal information.
From an employee’s social media profiles, the attackers learn the employee’s name, location, place of work, position, duration at the company and sometimes even the employee’s home address.
Next, the hackers register a domain and create phishing webpages that duplicate the company’s internal VPN login page. These pages also capture two-factor authentication codes or one-time passwords by mirroring the company’s own login steps.
Then an attacker contacts an employee on their personal cell phone, posing as an internal IT staffer or help desk employee with a security concern.
The “visher” gains the employee’s trust by leveraging the information compiled in the research phase and convinces the employee to log in to a new VPN link in order to address a security issue or other IT need.
The attacker sends the unsuspecting employee a link to the fake VPN page, which looks just like the company’s own VPN login site. The employee enters his or her username and password on the fake page and clicks the login button. If applicable, the employee also completes the two-factor authentication or one-time password prompt.
“With a single click on the VPN link, the attacker has the employee’s entire suite of credentials,” Cloutier and Sutrina point out. That access is then used to mine databases, records and files for information, to plant ransomware on the network and to mount other kinds of cyberattacks.
The FBI and CISA advise employers to:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to limit access outside of customarily allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate brand-name domains.
- Actively scan and monitor Web applications to reveal unauthorized access, modification and anomalous activities.
- Employ the principle of “least privilege.” Implement software restriction policies or other controls and monitor authorized user accesses.
- Potentially deploy a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
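The domain-monitoring recommendation above is normally implemented by comparing newly observed registrations against the corporate brand name. The following Python is an added example, not code from the advisory or from the attorneys’ article. The brand `examplecorp`, the `NEW_DOMAINS` feed and the `KNOWN_GOOD` set are constructed values; a real deployment would take candidates from a certificate-transparency or newly-registered-domain feed and would use the Public Suffix List rather than the naive label extraction used here.

```python
"""Flag newly observed domains that impersonate a corporate brand."""
import unicodedata

# Constructed sample feed of newly observed registrations (not real data).
NEW_DOMAINS = [
    "examplecorp.com",       # the legitimate brand domain
    "examplecorp.net",       # brand on another TLD, not owned by us
    "examp1ecorp-vpn.com",   # digit-for-letter swap plus an auth-flavoured suffix
    "examplecorp-sso.net",   # brand with an auth-flavoured suffix
    "exarnplecorp.com",      # "rn" rendered to look like "m"
    "exámplecorp.com",       # accented character (IDN look-alike)
    "exampelcorp.com",       # transposed letters
    "weatherdaily.org",      # unrelated
    "corp-example.com",      # unrelated
]
BRAND = "examplecorp"                 # constructed brand name
KNOWN_GOOD = {"examplecorp.com"}      # domains the company actually owns (constructed)

# Visually confusable sequences folded toward the ASCII letter they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Fold accents and common homoglyphs so look-alikes compare equal to the brand."""
    # NFKD splits 'á' into 'a' + combining acute; drop the combining marks.
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch)).lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Naive: assumes a one-label public suffix like .com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, max_distance: int = 2):
    """Return a reason string if the domain looks like the brand, else None."""
    if domain.lower().rstrip(".") in KNOWN_GOOD:
        return None
    target = normalize(brand)
    label = registrable_label(domain)
    folded = normalize(label)
    if folded == target:
        # Same name after folding: either our brand on a TLD we do not own,
        # or a homoglyph/IDN spoof of it.
        return "other-tld" if label == target else "homoglyph"
    if target in folded:
        return "brand-plus-affix"      # e.g. examplecorp-vpn, examplecorp-sso
    if levenshtein(folded.replace("-", ""), target) <= max_distance:
        return f"edit-distance-{levenshtein(folded.replace('-', ''), target)}"
    return None


def find_lookalikes(domains, brand: str = BRAND):
    """Run classify() over a feed and return the (domain, reason) hits."""
    hits = []
    for d in domains:
        reason = classify(d, brand)
        if reason:
            hits.append((d, reason))
    return hits


if __name__ == "__main__":
    for domain, why in find_lookalikes(NEW_DOMAINS):
        print(f"{domain:24} {why}")
```

Hits from this detector are a trigger for takedown requests and for blocking the domain at the web proxy and mail gateway; the suffix check deliberately catches names like `examplecorp-vpn`, since a cloned VPN portal is exactly what the advisory describes.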
“Depending on the organization, not all of the advisory’s tips are feasible,” the attorneys admit. “But all companies should heed the agencies’ warning and continue to critically assess security protocols, VPNs, and network access to protect their confidential, proprietary and trade secret information.”
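The first two recommendations in the list (managed devices only, restricted access hours) are the ones that stop a vishing login outright: the attacker ends up with a correct password and a correct one-time code, but not with the victim’s enrolled device, and often not during business hours. The following Python is an added example, not part of the advisory or the attorneys’ article. It evaluates constructed VPN authentication log lines against such a policy; the log format, user names, IP addresses (RFC 5737 documentation ranges), certificate field and the 06:00 to 22:00 window are all made up for the example, and timestamps are assumed to already be in the policy’s time zone.

```python
"""Evaluate VPN authentication events against a managed-device and access-hours policy."""
import re
from datetime import datetime, time

# Constructed policy values.
ALLOWED_START, ALLOWED_END = time(6, 0), time(22, 0)   # inclusive start, exclusive end

# Constructed sample log: one authentication attempt per line.
# 'cert=managed' means the client presented a certificate issued to a managed device.
SAMPLE_LOG = """\
2020-08-20T14:02:11Z user=alice src=198.51.100.23 pw=ok otp=ok cert=managed
2020-08-20T14:05:40Z user=bob src=203.0.113.9 pw=ok otp=ok cert=none
2020-08-21T02:47:03Z user=carol src=192.0.2.77 pw=ok otp=ok cert=managed
2020-08-21T09:15:22Z user=dave src=198.51.100.50 pw=ok otp=fail cert=managed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"pw=(?P<pw>\w+) otp=(?P<otp>\w+) cert=(?P<cert>\w+)$"
)


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def within_hours(ts: datetime) -> bool:
    """True if the attempt falls inside the customary access window."""
    return ALLOWED_START <= ts.time() < ALLOWED_END


def evaluate(ev: dict):
    """Return (decision, reason) for one parsed event."""
    if ev["pw"] != "ok" or ev["otp"] != "ok":
        return "deny", "credential-or-otp-failure"
    if ev["cert"] != "managed":
        # A correct password *and* a correct OTP from an unmanaged device is exactly
        # what a relayed vishing login looks like: deny it and treat it as an alert,
        # not as a routine failure.
        return "deny", "unmanaged-device"
    if not within_hours(ev["ts"]):
        return "deny", "outside-access-hours"
    return "allow", "policy-satisfied"


def process_log(text: str):
    """Apply the policy to every line; returns [(user, decision, reason), ...]."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        decision, reason = evaluate(ev)
        results.append((ev["user"], decision, reason))
    return results


if __name__ == "__main__":
    for user, decision, reason in process_log(SAMPLE_LOG):
        print(f"{user:8} {decision:6} {reason}")
```

Note that `bob` and `carol` both supplied valid credentials and valid one-time codes; only the device check and the access window distinguish them from `alice`, which is why the advisory lists those controls ahead of user-facing ones.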