Phishing attacks and other online scams designed to steal employee credentials have increasingly become a common occurrence for those working from home during the pandemic.
However, one group of cybercriminals is taking their phishing attacks to the next level by using a voice phishing service which combines phone calls to potential targets with custom phishing sites in order to steal VPN credentials from remote workers.
As reported by Krebs On Security, the cybercriminals behind this new campaign have a remarkably high success rate and operate through paid requests or “bounties” in which their dark web customers seek access to specific companies or accounts.
Over the past six months, the group has created custom phishing pages that target some of the largest companies in the world though their primary focus is on organizations in the financial, telecommunications and social media industries.
A vishing attack normally begins with the cybercriminals making a series of phone calls to employees working remotely at a targeted organization. The attackers say they’re calling from the organization’s IT department to try and help troubleshoot issues with the company’s VPN.
The end goal of the campaign is to convince a remote worker to divulge their credentials either over the phone or by inputting them manually at one of the attacker’s phishing websites designed to mimic the legitimate website of their organization. According to ZeroFox’s director of threat intelligence Zack Allen, the attackers often target new hires and even go so far as to create fake LinkedIn profiles to make their vishing attempts appear more legitimate.
Normally in one of these attacks, two cybercriminals work together with one speaking on the phone with a potential target while the other tries to log in to the target company’s VPN with any disclosed credentials. Even if the attackers are unsuccessful in their vishing attempts, they still gain valuable insights into an organization which they can then use during their next attack targeting another employee at the company.
Vishing has gotten so bad during the pandemic that the FBI and CISA recently issued a joint security advisory warning organizations and their remote workers about the potential threat.
In much the same way that you should never hand out your credentials over email, the same can be said when someone calls you over the phone asking for them. At the same time, it is highly unlikely that your organization’s IT department would call you on the phone to ask for credentials they likely already have.
- Also check out our complete list of the best VPN services