Spearphishing meets vishing: New multi-step attack targets corporate VPNs
How cybercriminals adapt
Cybercriminals come out of the woodwork to take advantage of major events. Anything from the Olympics to the US elections is an opportunity to launch phishing campaigns on unsuspecting victims. And COVID-19 is no exception.
Bad actors have adapted their tactics to leverage the situation, especially the knowledge that in the “new normal,” a much higher number of people are working remotely and many organizations’ IT teams are stretched thin. So it’s not surprising that all sorts of new schemes have popped up — from phishing emails impersonating public health agencies to malicious websites with fake coronavirus tracking maps.
One of the latest adaptations is a spearphishing attack and vishing attack rolled into one. Aimed at stealing corporate virtual private network (VPN) user credentials, this multi-step attack reportedly has shown a high success rate. And while the targets initially appeared to be large corporations primarily in the social media, telecommunication and financial industries, all organizations should be on alert and educate their employees about this scheme.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
How the new phishing/vishing attack works
As originally reported by cybersecurity journalist Brian Krebs, a “brazen group of crooks” took spearphishing to new heights, combining it with a vishing attack with the goal of stealing employees’ VPN credentials. According to Krebs, “this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or ‘bounties,’ where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.”
Before diving into the specifics of how the scheme works, here’s a review of the basics for those not familiar with them:
- Spearphishing: A scam targeting a specific individual, category of people or organization, carried out typically through email (or other digital communication). Unlike a phishing campaign, which casts a wide net to lure victims, spearphishing involves additional tactics such as using the target’s personal details and other information to increase the likelihood of a successful attack.
- Vishing: Combining “voice” and “phishing,” vishing is a scam carried out over the phone with the goal of stealing the person’s private or sensitive information. Research by First Orion found that 75 percent of victims reported that the caller already had some of their personal information and used it to extract more.
In this new, hybrid attack, the scammers have been targeting new company hires, according to sources quoted by Krebs. Claiming to be calling from the IT department to troubleshoot the VPN technology, the phishers try to convince their targets to either give them their login credentials over the phone or use a malicious website that mimicked the company’s VPN portal.
The web pages the gang set up look legitimate, using the company’s name with variations of terms such as “vpn” or “portal,” sometimes even including links to other internal company resources.
The callers even went as far as creating bogus LinkedIn profiles and connecting to others in the company (claiming to be new employees themselves) to add credibility to their identities. The scammers typically work in sets of two, one as the social engineer making the call and the other taking the credentials the victim entered on the phishing page and quickly using them to log into the company’s actual VPN.
Each successful attempt would give the scammers more intel into the organization’s operations. “These guys are calling companies over and over, trying to learn how the corporation works from the inside,” Allison Nixon, chief research officer at the cyber investigations company Unit 221B, told Krebs on Security.
Why this matters to your business
The goal of these hybrid schemes appears to be access to internal corporate tools that would provide control over digital assets, according to the researchers. These may be things like email and social media accounts, cryptocurrencies and other financial instruments. In the case of social media, some highly valuable accounts can be worth thousands of dollars on the dark web.
Whether your organization is large or small, you need to protect access to all your assets and data. Cybercriminals love going after the low-hanging fruit — which often means smaller companies that have less-mature security practices. Today, they may be spearphishing for remote employees at large companies. Tomorrow, they may be after yours.
Phishing simulations & training
COVID-19: The cybercriminal’s playground
As Microsoft noted in a report about COVID-19 threats, “Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims.” This hybrid vishing/spearphishing attack is just one illustration of this adaptability.
Factors such as the scale and widespread chaos make COVID-19 different from other opportunistic events. The fear and the uncertainty of the pandemic, in particular, have caused many people to lower their guard in their quest for information — turning COVID-19 into a cybercriminal’s dream scenario.
The World Health Organization officially named the new disease COVID-19 on February 11th, declaring it a global public health emergency. And just two weeks later, Google data showed a huge spike in the number of phishing websites (from under 40,000 on January 5th to nearly 190,000 by February 23rd).
COVID-19 is simply a reminder that you need to prepare your workforce for the reality of today’s world — the reality being that your employees are a target, and they’re your weak security link. A security awareness and training program can help strengthen that link — but make sure it’s comprehensive, starting with employees on their first day on the job.
Sources
Voice Phishers Targeting Corporate VPNs, Krebs on Security
First Orion Reports Scam Callers Now Leveraging Data Breaches in New “Enterprise Spoofing” Strategy, First Orion
Exploiting a crisis: How cybercriminals behaved during the outbreak, Microsoft
Google Safe Browsing, Google Transparency Report
In this Series
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
