The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory that cybercriminals started a vishing campaign specifically targeting employees working from home for US companies in July of 2020. The attackers have been collecting login credentials for corporate networks and then selling the access to corporate resources to other criminal gangs.

According to the two agencies, cybercrime groups began by registering domains that were identical to company resources(known as typo squating), and then they created and hosted phishing sites on those domains. The phishing pages were made to look like the company’s internal VPN login page. These sites are capable of capturing two-factor authentication (2FA) or one-time passwords (OTP), if required. The attackers then compiled the employee’s names, home addresses, phone numbers, titles, and duration at the company and used it to attack the companies.

“The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information” the joint alert reads.

The following guidelines have been distributed by the FBI and Cisa experts to help companies and their employees protect themselves from further cyber-attacks.

  • Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
  • Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
  • Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
  • Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
  • Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

End-User Tips:

  • Verify web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
  • For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit: https://us-cert.cisa.gov/ncas/tips.