The US government has been forced to issue an alert warning home workers of an aggressive new vishing campaign targeting corporate accounts.
The joint advisory came from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) at the end of last week.
It claimed that the attackers first registered domains, obtained SSL certificates and created legitimate-seeming phishing pages mimicking firms’ VPN log-in pages.
They then “compiled dossiers” on potential targets at certain companies by scraping publicly available info from social media profiles, recruitment tools and other sites, including their phone numbers.
Next came the vishing part of the scam, in which a smooth-talking fraudster socially engineers the victim into believing they are calling from the IT help desk or another legitimate body. VoIP numbers were also spoofed so that calls appeared to originate from co-workers.
“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account,” the alert explained.
“In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, attackers have used a SIM-Swap attack on the employees to bypass 2FA and OTP authentication.”
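The relay described above leaves a footprint a defender can look for: the employee's own VPN session and the attacker's replay of the same password and OTP both succeed, from unrelated networks, minutes apart. The following Python script is an added example, not code from the advisory or the article; it parses a constructed VPN authentication log (the `user=... src=... mfa=...` line format, the 10-minute window and the /24 grouping are all assumptions for illustration) and flags accounts with two successful logins from different networks inside the window.

```python
"""Flag VPN accounts whose credentials appear to have been relayed in real time:
two successful logins for one user from different source networks within a
short window. Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log (not real data). "jdoe" logs in from a home ISP
# address and, three minutes later, the same account is used from an unrelated
# network: the pattern a relayed password + OTP produces.
SAMPLE_LOG = """\
2020-08-14T09:01:12Z user=jdoe event=vpn_login result=success src=198.51.100.23 mfa=otp
2020-08-14T09:04:40Z user=jdoe event=vpn_login result=success src=203.0.113.7 mfa=otp
2020-08-14T09:10:05Z user=asmith event=vpn_login result=success src=192.0.2.44 mfa=otp
2020-08-14T11:30:00Z user=asmith event=vpn_login result=success src=192.0.2.44 mfa=otp
2020-08-14T12:00:00Z user=bkim event=vpn_login result=failure src=203.0.113.7 mfa=none
"""

# Assumed key=value line layout of the VPN concentrator log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # Group source addresses by /24 so a DHCP lease change at the same ISP
        # does not trip the rule on its own (assumed granularity).
        d["net"] = ipaddress.ip_network(d["src"] + "/24", strict=False)
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


def find_relayed_logins(events, window=timedelta(minutes=10)):
    """Return (user, earlier_src, later_src, gap_seconds) for every pair of
    successful logins by the same user from different /24s within `window`."""
    findings = []
    recent = defaultdict(list)  # user -> successful logins still inside the window
    for e in events:
        if e["event"] != "vpn_login" or e["result"] != "success":
            continue
        bucket = recent[e["user"]]
        # Expire entries older than the window before comparing.
        bucket[:] = [p for p in bucket if e["ts"] - p["ts"] <= window]
        for p in bucket:
            if p["net"] != e["net"]:
                gap = int((e["ts"] - p["ts"]).total_seconds())
                findings.append((e["user"], p["src"], e["src"], gap))
        bucket.append(e)
    return findings


if __name__ == "__main__":
    for user, first, second, gap in find_relayed_logins(parse_log(SAMPLE_LOG)):
        print(f"possible relayed credentials: {user} {first} -> {second} ({gap}s apart)")
```

On the sample data only `jdoe` is reported (198.51.100.23 then 203.0.113.7, 208 seconds apart); `asmith` logs in twice from the same address hours apart and `bkim`'s failed attempt is ignored. In a real deployment the rule should be fed from the VPN concentrator's own log format and tuned with a baseline of each user's usual networks, since the page's scenario depends on the attacker using the relayed OTP within its short validity window.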
According to CISA/FBI, the attackers used their resulting access to employee accounts to carry out further research on victims and fraudulently obtain funds using a variety of methods.
Although the attacks aren’t new per se, they illustrate the willingness of cyber-criminals to push beyond the typical targets of these scams, which have historically been ISPs and telcos.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” said CISA/FBI.