A new advisory warning has been issued in response to an increase in voice phishing, otherwise known as vishing, as more people work from home.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning about the rise in vishing attacks as more people engage in telework during the pandemic.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification. In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access,” said the agencies.
Vishing is a social engineering technique used by fraudsters. The fraudster spoofs the caller ID so the call appears to come from a local area code or even from a known organization. Even if a victim does not pick up, the fraudster will leave a voicemail message.
The aim of the vishing attacks can vary. The primary goals are to get credit card details, birthdates, account sign-ins, or sometimes to harvest phone numbers from the victim’s contacts.
The FBI and CISA stated that the vishing scheme currently on the rise involves cybercriminals mining the victim’s workplace databases for personal information that could be used as leverage in other attacks.
According to the agencies, there are slight variations in the scheme depending on the company. However, overall, the tactics were highly aggressive and orchestrated on a tight timeline.
This form of cybercrime was most recently associated with a major breach at Twitter. In July 2020, 130 Twitter accounts were compromised and used to promote a Bitcoin scam. Among the compromised accounts were those of Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Kanye West, and Kim Kardashian.
In response to the attack, Twitter released a blog post saying the attack “targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.”
According to Wired, three hackers associated with the incident were arrested last month. However, that did not mitigate all concerns about criminals continuing to use the technique to gain access to personal information.
Twitter tried to reassure users through security measures that “significantly limited access to [its] internal tools and systems to ensure ongoing account security while [it completes its] investigation.”
Meanwhile, the FBI and CISA released a number of tips for mitigation for teleworkers. The tips include restricting VPN connections to managed devices only, restricting VPN access hours, and employing domain monitoring.