An industry alert warns of an increasingly sophisticated social engineering campaign since July that is targeting VPNs and teleworkers.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are warning private businesses about an ongoing "vishing," or voice phishing, campaign targeting employees who are working from home during the coronavirus pandemic.
According to the alert, the campaign has been active since at least mid-July. The attackers registered domains and built spoofed websites that duplicate the internal VPN login pages of the victim companies, then obtained SSL certificates for those domains and used URL add-ons to make the links appear to come from internal IT support.
Like phishing, vishing relies on social engineering and impersonation by an attacker, usually over the phone, to trick a victim into giving up their account credentials. In this case, the attackers used Voice over Internet Protocol (VoIP) numbers to call victims on their personal cellphones and, in some cases, were able to spoof the legitimate numbers of other employees and offices. They then convinced the target to log in through a different VPN page, supplying whatever one-time passwords or two-factor authentication codes it requested.
After gaining an initial foothold, the attackers accessed the corporate network to gather details about other employees to aid in new social engineering attacks. CISA and FBI officials believe the attacks have become more common in part because of the increased telework happening nationwide as a result of the coronavirus pandemic.
"The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign," the alert reads. "Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks but the focus has recently broadened to more indiscriminate targeting."
Recommended mitigation techniques include restricting VPN use to managed devices, restricting login periods, and monitoring for suspicious newly registered domains that could be used to impersonate a company's internal help desk.
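One way to act on that last recommendation, as an added example that is not part of the alert or this article: a small Python screener that runs over a feed of newly registered domains and flags names that contain the company's brand (or a close lookalike of it) together with help-desk, VPN or login lure words. The brand "example", the lure-word list and the sample feed are constructed for illustration.

```python
# Added example (not from the alert): screen newly registered domains for names that could
# impersonate a company's VPN portal or help desk. Brand, lure words and feed are constructed.
import re
from difflib import SequenceMatcher

LURE_TOKENS = ("helpdesk", "support", "vpn", "ticket", "employee", "portal", "login", "sso", "help", "it")

# Constructed sample feed, e.g. from a certificate-transparency or new-domain watch.
NEWLY_REGISTERED = [
    "example-vpn-support.com", "exampel-helpdesk.net", "support-example.com",
    "example-fitness.com", "sso.example.com", "weatherforecast.org",
]

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()  # 1.0 means identical

def brand_match(name: str, brand: str, threshold: float):
    """Reason string if the brand or a close lookalike occurs in the name, else None."""
    if brand in name:
        return "contains brand"
    best = 0.0
    for width in (len(brand) - 1, len(brand), len(brand) + 1):  # tolerate one insert/delete
        for i in range(max(len(name) - width + 1, 0)):
            best = max(best, similarity(name[i:i + width], brand))
    return f"brand lookalike (ratio {best:.2f})" if best >= threshold else None

def classify(domain: str, brand: str, allowlist=(), threshold: float = 0.8):
    """(reason, lure_tokens) for a suspicious domain; None if benign or on the allowlist."""
    domain = domain.lower().rstrip(".")
    if any(domain == a or domain.endswith("." + a) for a in allowlist):
        return None
    name = domain.rsplit(".", 1)[0]  # assumes a single-label TLD; use a public-suffix list for real feeds
    reason = brand_match(name, brand, threshold)
    if reason is None:
        return None
    segments = [s for s in re.split(r"[-.]", name.replace(brand, "")) if s]
    lures = [t for t in LURE_TOKENS if any(t == s or (len(t) >= 3 and t in s) for s in segments)]
    return reason, [t for t in lures if not any(t != o and t in o for o in lures)]  # drop "help" if "helpdesk" hit

def scan(domains, brand, allowlist=()):
    """Flagged (domain, reason, lures) tuples, most lure-laden first."""
    hits = [(d, *r) for d in domains if (r := classify(d, brand, allowlist))]
    return sorted(hits, key=lambda h: -len(h[2]))

if __name__ == "__main__":
    for hit in scan(NEWLY_REGISTERED, "example", allowlist=("example.com",)):
        print(hit)
```

Domains flagged with a brand match plus lure words are the ones worth blocking at the proxy and raising with the help desk before any calls start; brand-only hits are lower priority.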
Virtual Private Networks have quickly become one of the primary fronts in the battle between cyber criminals and defenders, especially during the pandemic. CISA, the National Security Agency and others have routinely warned federal agencies and the broader public to patch their VPNs, harden existing security defenses and implement new multifactor authentication procedures as large portions of the country continue to log into corporate networks from their homes.