As if 2020 hadn't been enough hardship and headache for employers, the FBI and the US Cybersecurity and Infrastructure Security Agency ("CISA") recently issued a joint Cybersecurity Advisory to warn employers of the rise in voice phishing, or "vishing", scams targeting remote workers.
With the mass shift to work-from-home environments, cyber criminals and hacking groups are increasingly using creative tactics to exploit weakened security protocols and trusting employees. Before the pandemic and the sudden surge in remote work, vishing scams were not uncommon. However, they were mostly directed against vulnerable individuals and/or carried out as personal attacks: for example, a phone call seeking bank or credit card information for a "compromised" account, a call from the "IRS" to verify someone's Social Security number, or targeted Medicare and Social Security scams.
Since July 2020, vishing scams have evolved into coordinated and sophisticated campaigns aimed at obtaining a company's confidential, proprietary, and trade secret information through the company's virtual private network ("VPN"), using the company's own employees as the way in. VPNs are widely used in the current teleworking environment and are intended to be a secure platform for remote workers to log into their company's network from home. Many companies use VPNs because they not only provide a secure remote connection, but also allow the company to monitor employee activity on the network and, supposedly, detect security breaches.
However, it is difficult to detect a security breach when it comes from your employees' own keystrokes. According to the FBI and CISA, these vishing scams follow a common approach. At the outset, the cybercrime group identifies a corporate target and studies its workforce in detail. The attackers build "dossiers" on targeted employees by "scraping" their social media presence. From a person's various social media profiles, the attackers can determine the employee's name, location, employer, position, tenure with the company, and sometimes even home address.
Next, the cybercrime group registers a domain and creates phishing web pages that duplicate the company's internal VPN login page. These phishing websites can also capture two-factor authentication codes or one-time passwords, mirroring the company's own security protocols.
An attacker then contacts an employee on his or her personal mobile phone, posing as an internal IT specialist or help desk employee with a security concern. The "visher" wins the employee's trust by using the information gathered about that employee during the research phase, and convinces the employee that he or she must log into a new VPN connection to remedy a security problem or other IT requirement.
The attacker sends the unsuspecting employee a link to the fake VPN page, which looks exactly like the company's own VPN login page. The employee enters their username and password on the fake page and clicks the login button. If applicable, the employee also completes the two-factor authentication or one-time password prompt. With a single click on the VPN link, the attacker has the employee's entire set of credentials. Attackers use this access to retrieve the company's databases, records, and files and obtain information that they can use to demand a ransom or to mount further cyberattacks against the company. As a result, the company's confidential, proprietary, and trade secret information is exposed, resulting in significant ransom demands, forensic fees and costs, notification obligations to employees and customers, and potentially significant liability for security breaches.
With teleworking here for the foreseeable future, employers need to think carefully about their security protocols and take steps to prevent employees from inadvertently falling into a vishing (or other phishing) trap. The agencies' advisory provides organizations with "tips" on how to protect themselves from these sophisticated attacks, including:
- Restrict VPN connections to managed devices only, using mechanisms such as hardware checks or installed certificates, so that user input alone is not enough to access the corporate VPN
- Where feasible, restrict VPN access hours in order to reduce access outside approved times
- Use domain monitoring to track the creation of, or changes to, domains that imitate the corporate brand
- Actively scan and monitor web applications for unauthorized access, modifications, and anomalous activity
- Apply the principle of least privilege and implement software restriction policies or other controls; monitor authorized users' access and usage
- Consider a formalized authentication process for employee-to-employee communication over the public switched telephone network, using a second factor to authenticate the phone call before any confidential information is discussed
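The domain-monitoring tip above is the one most easily automated. The following is an added example (not from the advisory or any vendor) that runs a constructed feed of newly registered domains through a few look-alike heuristics for a hypothetical brand "examplecorp": homoglyph folding (1 for l, rn for m), brand-plus-login-keyword labels, the brand on an unexpected TLD, and near-matches by edit similarity. Threshold and keyword list are assumptions to tune per organization.

```python
from difflib import SequenceMatcher

# Constructed sample feed of "newly registered" domains (not real registrations).
NEW_DOMAINS = [
    "examplecorp.com",            # the company's own domain, allow-listed
    "examplecorp-vpn.com",        # brand + VPN keyword
    "examp1ecorp.com",            # digit 1 in place of letter l
    "exarnplecorp.net",           # "rn" in place of "m"
    "exampelcorp.com",            # transposed letters
    "examplecorp.co",             # brand on a different TLD
    "sso-examplecorp-login.org",  # brand wrapped in login keywords
    "weatherdaily.org",           # unrelated, must not be flagged
    "examplecards.com",           # shares a prefix only, must not be flagged
]

BRAND = "examplecorp"                        # hypothetical brand token
KNOWN_DOMAINS = {"examplecorp.com"}          # domains the company actually owns
LOGIN_KEYWORDS = ("vpn", "login", "sso", "portal", "secure", "helpdesk")
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
SIMILARITY_THRESHOLD = 0.85                  # assumed cut-off for near-matches

def registrable_label(domain):
    """Second-level label: 'examp1ecorp' for 'examp1ecorp.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label):
    """Fold separators and common look-alike substitutions so variants compare equal."""
    label = label.replace("-", "").replace("_", "")
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label

def classify(domain, brand=BRAND, known=KNOWN_DOMAINS):
    """Return a reason string if the domain looks like a brand impersonation, else None."""
    if domain.lower() in known:
        return None
    label = registrable_label(domain)
    folded = normalize(label)
    if brand in folded:
        if any(k in label for k in LOGIN_KEYWORDS):
            return "brand plus login keyword"
        if folded == brand:
            return "brand on unexpected TLD or with look-alike characters"
        return "brand embedded in label"
    ratio = SequenceMatcher(None, folded, brand).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return "near-match to brand (similarity %.2f)" % ratio
    return None

def flag_lookalikes(domains, brand=BRAND):
    """Run the feed through classify() and keep only the suspicious entries."""
    flagged = []
    for d in domains:
        reason = classify(d, brand)
        if reason:
            flagged.append((d, reason))
    return flagged
```

In practice the feed would come from a certificate-transparency log or a newly-registered-domain service, and each hit would open a takedown or blocklist ticket.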
Depending on the organization, not every tip in the advisory will be feasible. However, all companies should heed the agencies' warning and continue to critically review their security protocols, VPNs, and network access controls to protect their confidential, proprietary, and trade secret information.
Regardless, organizations should continue to engage and train employees on proper network usage, security concerns, and when to call a verified IT number. Cyber criminals will continue to exploit remote workers. Organizations should regularly remind employees to be suspicious of requests for their logins and credentials (or other personal information), and remind employees where to go and whom to contact if they have security concerns.