Spearphishing meets vishing: New multi-step attack targets corporate VPNs

Rodika Tollefson
December 15, 2020 by
Rodika Tollefson

How cybercriminals adapt

Cybercriminals come out of the woodwork to take advantage of major events. Anything from the Olympics to the US elections is an opportunity to launch phishing campaigns on unsuspecting victims. And COVID-19 is no exception. 

Bad actors have adapted their tactics to leverage the situation, especially the knowledge that in the “new normal,” a much higher number of people are working remotely and many organizations’ IT teams are stretched thin. So it’s not surprising that all sorts of new schemes have popped up — from phishing emails impersonating public health agencies to malicious websites with fake coronavirus tracking maps. 

One of the latest adaptations is a spearphishing attack and vishing attack rolled into one. Aimed at stealing corporate virtual private network (VPN) user credentials, this multi-step attack reportedly has shown a high success rate. And while the targets initially appeared to be large corporations primarily in the social media, telecommunication and financial industries, all organizations should be on alert and educate their employees about this scheme.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

How the new phishing/vishing attack works

As originally reported by cybersecurity journalist Brian Krebs, a “brazen group of crooks” took spearphishing to new heights, combining it with a vishing attack with the goal of stealing employees’ VPN credentials. According to Krebs, “this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or ‘bounties,’ where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.”

Before diving into the specifics of how the scheme works, here’s a review of the basics for those not familiar with them:

  • Spearphishing: A scam targeting a specific individual, category of people or organization, carried out typically through email (or other digital communication). Unlike a phishing campaign, which casts a wide net to lure victims, spearphishing involves additional tactics such as using the target’s personal details and other information to increase the likelihood of a successful attack.
  • Vishing: Combining “voice” and “phishing,” vishing is a scam carried out over the phone with the goal of stealing the person’s private or sensitive information. Research by First Orion found that 75 percent of victims reported that the caller already had some of their personal information and used it to extract more.

In this new, hybrid attack, the scammers have been targeting new company hires, according to sources quoted by Krebs. Claiming to be calling from the IT department to troubleshoot the VPN technology, the phishers try to convince their targets to either give them their login credentials over the phone or use a malicious website that mimicked the company’s VPN portal. 

The web pages the gang set up look legitimate, using the company’s name with variations of terms such as “vpn” or “portal,” sometimes even including links to other internal company resources.

The callers even went as far as creating bogus LinkedIn profiles and connecting to others in the company (claiming to be new employees themselves) to add credibility to their identities. The scammers typically work in sets of two, one as the social engineer making the call and the other taking the credentials the victim entered on the phishing page and quickly using them to log into the company’s actual VPN.

Each successful attempt would give the scammers more intel into the organization’s operations. “These guys are calling companies over and over, trying to learn how the corporation works from the inside,” Allison Nixon, chief research officer at the cyber investigations company Unit 221B, told Krebs on Security.

Why this matters to your business

The goal of these hybrid schemes appears to be access to internal corporate tools that would provide control over digital assets, according to the researchers. These may be things like email and social media accounts, cryptocurrencies and other financial instruments. In the case of social media, some highly valuable accounts can be worth thousands of dollars on the dark web.

Whether your organization is large or small, you need to protect access to all your assets and data. Cybercriminals love going after the low-hanging fruit — which often means smaller companies that have less-mature security practices. Today, they may be spearphishing for remote employees at large companies. Tomorrow, they may be after yours.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

COVID-19: The cybercriminal’s playground

As Microsoft noted in a report about COVID-19 threats, “Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims.” This hybrid vishing/spearphishing attack is just one illustration of this adaptability.

Factors such as the scale and widespread chaos make COVID-19 different from other opportunistic events. The fear and the uncertainty of the pandemic, in particular, have caused many people to lower their guard in their quest for information — turning COVID-19 into a cybercriminal’s dream scenario. 

The World Health Organization officially named the new disease COVID-19 on February 11th, declaring it a global public health emergency. And just two weeks later, Google data showed a huge spike in the number of phishing websites (from under 40,000 on January 5th to nearly 190,000 by February 23rd).

COVID-19 is simply a reminder that you need to prepare your workforce for the reality of today’s world — the reality being that your employees are a target, and they’re your weak security link. A security awareness and training program can help strengthen that link — but make sure it’s comprehensive, starting with employees on their first day on the job. 



Voice Phishers Targeting Corporate VPNs, Krebs on Security

First Orion Reports Scam Callers Now Leveraging Data Breaches in New “Enterprise Spoofing” Strategy, First Orion

Exploiting a crisis: How cybercriminals behaved during the outbreak, Microsoft

Google Safe Browsing, Google Transparency Report

Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at