
Feds Warn of Voice Phishing Attacks

2020-08-25 by Michelle Dvorak

Vishing Campaign

Hackers Gained Access to Corporate VPNs and Tools Using Social Engineering and Vishing

The Federal Bureau of Investigation (FBI) and the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about an ongoing voice phishing (vishing) campaign. The attack aims to gain access to an employer's internal tools, with the ultimate goal of stealing money. The vishing attacks began in mid-July.

Using social engineering and a vishing campaign, the attackers were able to gain access to corporate virtual private networks (VPNs) and online resources using the employees' credentials.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” says the FBI and CISA joint alert.


The attackers called the employees, leveraging personal details about each employee collected through social engineering. The incoming phone number was spoofed to look like that of support staff, and in some cases the caller impersonated the employee's IT support staff. During the call, the attackers told the employees that they would be sent a new link to their corporate virtual private network (VPN) and instructed them to verify the link using their employer-granted credentials.

Fooled by the attackers, employees clicked on the link, granting the hackers access to the employer's corporate VPN.

Some employees responded to and approved a two-factor authentication (2FA) verification message.

“In other cases, attackers have used a SIM-Swap attack on the employees to bypass 2FA and OTP authentication,” says the alert.

The attackers used the stolen login credentials to gain access to company databases. Depending on what they gained access to, they stole money or data.

What is Vishing?

Vishing (voice + phishing) is a type of phishing campaign in which the hacker uses robocalls, text messages, phone calls, or chat to contact the victim. The vishing message appears to originate from a phone number the victim knows or a phone number that looks familiar to them. Like all phishing campaigns, the goal is to get the recipient to follow the instructions in the message. Often, the victim is instructed to click on a link in the message, visit a website, or reply to the message with sensitive information. The requested information is often a username, password, or credit card number.

The caller's phone number on a voice call is easily spoofed with cheap hardware found online.

Employee profiles were constructed from a variety of online sources of information to make the attack more successful. The attackers collected data about employees from social media platforms, job sites, background check services, corporate websites, and other publicly available information sources.

Employee Profiles

In this cyberattack, the hackers gleaned publicly available information about employees and used it to target them in vishing campaigns. Profiles included:

  • Employee name
  • Home address
  • Personal phone number
  • Position at company
  • Length of employment

Spoofed Support Sites

The attackers purchased domain names that mimicked the employees' internal network sites. The fraudulent websites used SSL certificates so as not to trigger a browser alert, and the web pages were designed to look like the employer's VPN login pages. The domain names followed patterns such as:

  • support-[company]
  • ticket-[company]
  • employee-[company]
  • [company]-support
  • [company]-okta
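As an added example (not code from the advisory or this article), here is a small Python check a defender could run over a feed of newly observed domains, for instance from certificate transparency or DNS logs, to flag hostnames built from the naming patterns listed above. The company name "acme", the sample hostnames and the allowlist are constructed; the check also treats the hyphen-less form of each pattern as a match, which goes slightly beyond the list.

```python
# Naming patterns the advisory lists for the spoofed support/VPN sites.
# {c} stands for the targeted company's name or brand.
SPOOF_PATTERNS = (
    "support-{c}", "ticket-{c}", "employee-{c}", "{c}-support", "{c}-okta",
)


def registrable_label(domain: str) -> str:
    """Return the second-level label of a hostname, lowercased
    (e.g. 'www.ticket-acme.org' -> 'ticket-acme')."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def flag_spoof_domains(company: str, domains, allowlist=()):
    """Return (domain, matched_pattern) pairs for hostnames whose
    registrable label imitates the company using one of the advisory's
    patterns. Hyphens are ignored so 'acmesupport' also matches
    '{c}-support'. Hostnames on the allowlist are skipped."""
    strip = lambda s: s.replace("-", "")
    c = company.lower()
    allowed = {d.lower().strip(".") for d in allowlist}
    # Map hyphen-free expected label -> original pattern string
    expected = {strip(p.format(c=c)): p for p in SPOOF_PATTERNS}
    hits = []
    for d in domains:
        d = d.lower().strip(".")
        if d in allowed:
            continue
        key = strip(registrable_label(d))
        if key in expected:
            hits.append((d, expected[key]))
    return hits


# Constructed sample: hostnames as they might appear in a new-domain feed
SAMPLE_DOMAINS = [
    "vpn.acme.com",          # legitimate, on the allowlist
    "support-acme.com",
    "acme-okta.net",
    "www.ticket-acme.org",
    "employee-acme.co",
    "acme-support.com",
    "acmesupport.com",       # hyphen dropped, still flagged
    "news.example.org",      # unrelated, not flagged
]

if __name__ == "__main__":
    for dom, pat in flag_spoof_domains("acme", SAMPLE_DOMAINS,
                                       allowlist=["vpn.acme.com"]):
        print(f"{dom:25s} matches pattern {pat}")
```

In practice the allowlist would hold the company's real VPN and SSO hostnames, and any hit would be routed to blocking at the proxy or DNS layer and to a takedown request.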


About Michelle Dvorak

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute and published a guide to Cyber Security for Business Travelers.


Copyright © 2021 · AskCyberSecurity.com · METRONY, LLC