BleepingComputer publicly reported details of a limited-distribution advisory issued last week by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). The agencies warned companies across numerous industries about a voice phishing (“vishing”) campaign targeting remote workers in the United States. Voice phishing is a social engineering attack carried out over a phone call, typically by impersonating a trusted member of the victim’s organization, in order to gain access to restricted sites or information. This particular campaign began in mid-July 2020, when the criminals started gaining access to employee tools at multiple companies around the United States. Once inside, the attackers quickly harvested customer information to support further attacks and began selling the stolen credentials shortly after gaining access to the companies’ networks. The criminals went as far as registering phishing domains that cloned the targeted companies’ VPN login pages and were built to capture two-factor authentication codes and one-time passwords, which means that one-time-code based multi-factor authentication was not by itself a barrier for this campaign. The attackers initially placed their vishing calls from VoIP numbers before switching to spoofed numbers belonging to other company employees and office lines. Prior to calling any employees, the attackers appear to have compiled profiles of their victims from public profiles, social media, background check services, and recruiter and marketing tools.
The details contained in this article were originally published in a notice that was released with limited distribution under TLP:AMBER restrictions. Binary Defense did not choose to release this information; it has covered only the aspects of the advisory that BleepingComputer published. Unfortunately, when recipients of privately shared information pass it to reporters, it diminishes trust and reduces the likelihood that law enforcement will share important information in the future.

This campaign is a prime example of how personal information shared online can be weaponized by attackers. Organizations can protect themselves from campaigns like this by restricting VPN connections to managed devices only (for example, by requiring a device certificate that is issued only to corporate endpoints), so that a stolen username, password and one-time code are not enough on their own to reach the corporate VPN. Domain monitoring services, like those offered through the Binary Defense counterintelligence team, can provide an early warning when a domain is registered that could be used in phishing or vishing attacks, such as a lookalike of the company’s VPN or single sign-on portal. It is also valuable for organizations to adopt a formal caller-verification process for sensitive requests made over voice calls, such as pre-agreed challenge phrases or calling the requester back on a number already on file, since caller ID cannot be trusted once the attackers are spoofing internal numbers. More information on this topic can be found at: https://www.bleepingcomputer.com/news/security/us-govt-warns-remote-workers-of-ongoing-vishing-campaign/
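The domain-monitoring recommendation above is the one piece of this advice that lends itself to a worked example. The script below is an added illustration written for this article, not code from Binary Defense or from the advisory: it scores a feed of newly seen domain names for resemblance to an organization’s remote-access hostnames, looking for the brand name combined with VPN/SSO/helpdesk keywords, close typosquats, digit-for-letter substitutions, and accented (punycode) lookalikes. The organization name “examplecorp”, its legitimate hostnames, the keyword list, the substitution table and the sample feed are all constructed for the example, and the public-suffix handling assumes a single-label TLD. In practice the feed would come from a source such as certificate transparency logs or a registrar zone-file feed rather than a hard-coded list.

```python
"""Score newly registered domains for resemblance to an organisation's
remote-access hostnames.  Added example: brand, hostnames, keyword list,
substitution table and the sample feed are all constructed (assumptions)."""
import unicodedata
from difflib import SequenceMatcher

ORG_BRAND = "examplecorp"                      # assumed brand token to protect
LEGIT_DOMAINS = {"examplecorp.com", "vpn.examplecorp.com", "sso.examplecorp.com"}

# Words attackers bolt onto a brand to imitate a VPN, SSO or helpdesk portal (assumed list).
ACCESS_KEYWORDS = ("vpn", "sso", "portal", "login", "remote", "ticket", "helpdesk", "support")

# Digits and symbols commonly used in place of letters in lookalike names (subset).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                               "7": "t", "$": "s", "@": "a"})

TYPO_RATIO = 0.8   # SequenceMatcher ratio at or above which a name counts as a typosquat


def is_legitimate(domain):
    """True for the organisation's own domains and their subdomains."""
    return domain in LEGIT_DOMAINS or any(domain.endswith("." + d) for d in LEGIT_DOMAINS)


def normalise(domain):
    """Return (squashed_name, flags): the name without its TLD, with punycode
    decoded, accents stripped, look-alike characters mapped to letters and
    separators removed, plus the encoding tricks that were detected."""
    flags = []
    domain = domain.strip().rstrip(".").lower()
    if any(label.startswith("xn--") for label in domain.split(".")):
        flags.append("punycode")
        try:
            domain = domain.encode("ascii").decode("idna")   # xn--… -> Unicode label
        except UnicodeError:
            pass                                           # malformed IDN; keep as-is
    name = ".".join(domain.split(".")[:-1])                # drop TLD (single-label assumption)
    nfkd = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in nfkd if not unicodedata.combining(c))
    if stripped != name:
        flags.append("accented-chars")                     # e.g. "exämplecorp" -> "examplecorp"
    mapped = stripped.translate(SUBSTITUTIONS)
    if mapped != stripped:
        flags.append("digit-homoglyphs")                   # e.g. "examp1ecorp" -> "examplecorp"
    squashed = mapped.replace("-", "").replace(".", "")    # "brand.com.sso-portal" -> "brandcomssoportal"
    return squashed, flags


def score_domain(domain):
    """Score one candidate.  Keywords and encoding tricks only add weight once the
    brand itself is imitated, so a generic 'vpn-login.net' does not alert."""
    domain = domain.strip().rstrip(".").lower()
    if is_legitimate(domain):
        return {"domain": domain, "score": 0, "verdict": "allowlisted", "reasons": []}
    squashed, flags = normalise(domain)
    score, reasons = 0, []
    if ORG_BRAND in squashed:
        score += 3
        reasons.append("contains brand")
    else:
        ratio = SequenceMatcher(None, ORG_BRAND, squashed).ratio()
        if ratio >= TYPO_RATIO:
            score += 2
            reasons.append(f"typosquat (ratio {ratio:.2f})")
    if score:
        hits = [k for k in ACCESS_KEYWORDS if k in squashed]
        score += min(len(hits), 2)                         # cap keyword weight
        reasons += [f"keyword {k}" for k in hits]
        score += len(flags)
        reasons += flags
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"domain": domain, "score": score, "verdict": verdict, "reasons": reasons}


def triage(feed):
    """Return the alert-worthy entries of a feed, highest score first."""
    results = [score_domain(d) for d in feed]
    alerts = [r for r in results if r["verdict"] in ("high", "medium")]
    return sorted(alerts, key=lambda r: (-r["score"], r["domain"]))


# Constructed sample feed (not real registrations).  The punycode entry is built
# from an accented spelling so the xn-- form does not have to be hand-written.
PUNYCODE_SAMPLE = "exämplecorp.com".encode("idna").decode("ascii")
SAMPLE_FEED = [
    "examplecorp-vpn.com",              # brand + access keyword
    "examp1ecorp-sso.net",              # digit homoglyph + keyword
    PUNYCODE_SAMPLE,                    # accented lookalike in punycode
    "examplecrop.com",                  # transposed letters
    "examplecorp.com.sso-portal.net",   # real domain used as a subdomain
    "vpn.examplecorp.com",              # legitimate host, allowlisted
    "dailynews-portal.org",             # unrelated, has a keyword but no brand
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FEED):
        print(f"{r['verdict']:6} {r['score']:2}  {r['domain']:32} {', '.join(r['reasons'])}")
```

The digit-substitution table would misfire on a brand that legitimately contains digits, and the TLD handling does not understand multi-label suffixes such as co.uk; both are easy to adjust for a specific organization. The important design choice is that keywords never score on their own: without the brand (or a close typosquat of it) present, a domain is not a lookalike no matter how many access-related words it carries.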