Hackers Gained Access to Corporate VPNs and Tools Using Social Engineering and Vishing
The Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory about an ongoing voice phishing (vishing) campaign. The attackers’ immediate goal is access to an employer’s internal tools; the ultimate goal is to steal money. The vishing attacks began in mid-July.
Using social engineering and a vishing campaign, the attackers were able to gain access to corporate virtual private networks (VPN) and online resources using the employee’s credentials.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” says the FBI and CISA joint alert.
The attackers called employees directly, leveraging personal details about them collected through social engineering. The incoming phone number was spoofed to look like that of support staff, and in some cases the caller impersonated the employee’s IT support staff. During the call, the attackers told the employees that they would be sent a new link to their corporate virtual private network (VPN) and instructed them to verify the link by logging in with their employer-granted credentials.
Fooled by the attackers, employees clicked on the link granting the hackers access to the employer’s corporate VPN.
Some employees responded to and approved a two-factor authentication (2FA) verification message.
“In other cases, attackers have used a SIM-Swap attack on the employees to bypass 2FA and OTP authentication,” says the alert.
They stole login credentials to gain access to company databases. Depending on what they got access to, they stole money or data.
What is Vishing?
Vishing (voice + phishing) is a type of phishing campaign in which the hacker uses robocalls, text messages, phone calls, or chat to contact the victim. The vishing message appears to originate from a phone number the victim knows or one that looks familiar to them. Like all phishing campaigns, the goal is to get the recipient to follow the instructions in the message. Often, the victim is instructed to click on a link in the message, visit a website, or reply to the message with sensitive information. The requested information is often a username, password, or credit card number.
The phone number in a voice phone call is easily spoofed with cheap hardware found online.
Employee profiles were constructed from a variety of online sources of information to make the attack more successful. The attackers collected data about employees from social media platforms, job sites, background check services, corporate websites, and other publicly available information sources.
In this cyberattack, the hackers gleaned publicly available information about employees and used it to target employees in vishing campaigns. Profiles included:
- Employee name
- Home address
- Personal phone number
- Position at company
- Length of employment
Spoofed Support Sites
The attackers purchased domain names that mimicked the employees’ internal network sites. The fraudulent websites used valid SSL/TLS certificates so that browsers would not show a certificate warning. The web pages were designed to look like the employer’s VPN log-in pages.
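Because the spoofed sites used real domains with valid certificates, the browser gives the employee no warning; the defensive counterpart is to watch newly registered domains and certificate-transparency logs for names that resemble the organisation’s VPN and SSO hostnames. The following Python is an added example written for this article, not code from the advisory or from any vendor; the organisation name (`examplecorp`), the legitimate hostnames, the homoglyph table and the list of observed domains are all constructed for illustration.

```python
"""Flag observed domains that look like an organisation's VPN/SSO hostnames.

Added example for this article. ORG_TOKENS, LEGIT_HOSTS and SAMPLE_DOMAINS
are constructed values, not data from the FBI/CISA advisory.
"""

import re

# Hostnames the organisation actually owns (constructed).
LEGIT_HOSTS = {"vpn.examplecorp.com", "sso.examplecorp.com"}
# Brand tokens an impostor domain is likely to embed or approximate (constructed).
ORG_TOKENS = {"examplecorp"}

# Common character substitutions used in look-alike domains. Folding them
# before comparison lets "examp1ecorp" or "exarnplecorp" match "examplecorp".
# This is a heuristic: it can also fold innocent strings (e.g. "corner" -> "comer").
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Constructed sample of newly observed domains, as a CT-log or registration
# monitor might deliver them; none of these come from the advisory.
SAMPLE_DOMAINS = [
    "vpn.examplecorp.com",   # legitimate host
    "examplecorp-vpn.net",   # brand token with a VPN keyword on a different TLD
    "exarnplecorp.com",      # "rn" standing in for "m"
    "examp1ecorp-sso.com",   # digit "1" standing in for "l"
    "exampelcorp.com",       # transposed letters
    "example.com",           # shares a prefix but is a different name
    "unrelatedshop.net",
]


def normalize(label: str) -> str:
    """Lower-case a label, fold homoglyphs, and strip non-alphanumerics."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Label left of the TLD. Simplification: assumes a one-label TLD (.com, .net)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> str:
    """Return 'legit', 'suspect' or 'ok' for one observed domain name."""
    d = domain.lower().strip(".")
    # Anything under a legitimate apex domain is the organisation's own.
    if d in LEGIT_HOSTS or any(d.endswith("." + h.split(".", 1)[1]) for h in LEGIT_HOSTS):
        return "legit"
    whole = normalize(d.replace(".", ""))
    reg = normalize(registrable_part(d))
    for tok in ORG_TOKENS:
        # Brand token embedded anywhere after folding, e.g. examplecorp-vpn.net
        if tok in whole:
            return "suspect"
        # Registrable label within two edits of the brand, e.g. exampelcorp.com
        if levenshtein(reg, tok) <= 2:
            return "suspect"
    return "ok"


def suspects(domains):
    """Domains worth a takedown request or a block-list entry."""
    return [d for d in domains if classify(d) == "suspect"]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:25} {classify(d)}")
```

Run against a real feed, `suspects()` would return the names to push to the proxy block list and to the team that files takedown requests; the distance threshold and homoglyph table are the knobs to tune against false positives for the organisation's own name.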