The FBI has warned corporations of an increase in vishing attacks aimed at stealing employee credentials and other personal details in order to infiltrate networks and gain access to privileged user accounts. Once malicious actors gain access to highly privileged accounts, they typically cause major financial damage to those organizations.

So, before we discuss the threat, let's take a look at what vishing is and how it's currently becoming a key attack vector for hackers.

What is vishing?

Vishing is a social engineering attack carried out over voice calls with the intention of manipulating and persuading users into sharing sensitive information, which the malicious actors then use to achieve their goal. Vishing has caused serious damage, as we've seen in the past.

With more people than ever working remotely, the need for Voice over Internet Protocol (VoIP) communication has increased, which is exactly why hackers have shifted their strategy towards vishing.

The FBI's warning in detail

The Private Industry Notification and Traffic Light Protocol (TLP) report shows that hackers are using VoIP platforms to manipulate employees into visiting phishing pages that imitate the corporate VPN login, in order to steal user credentials and breach corporate networks.

The FBI's report outlines how hackers lured an employee using the company's chatroom and convinced him to log in to a fake VPN page created by those hackers. After luring the user through a cloud-based payroll service, the hackers stole the user's credentials and later snuck into the network.

This vishing campaign isn't the first of its kind: the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned users back in August 2020 of a similar attack. That attack followed a similar modus operandi, but with the added capability to breach and steal the victim's second authentication factor, such as QR codes, fingerprints, and one-time passwords (OTPs). An OTP can easily be breached using a simple SIM swap attack, also called SIM jacking.

Best practices to steer clear of vishing attacks

Corporations are advised to follow the below practices to keep their networks safe from vishing attacks:

  1. Implement and enforce multi-factor authentication (MFA) to block malicious maneuvers by threat actors.
  2. Grant new recruits only limited privileges, to contain breaches that involve privilege escalation, network intrusion, and credential theft.
  3. Continuous device monitoring and management is the best way to identify malicious behavior on user devices. Endpoint security, endpoint detection and response, and log management are some key tools for detecting threats and keeping them away from your network.
  4. Networks should be segmented into multiple tiers, such as servers and data centers, internal administration systems, and user devices, to keep critical systems safe from external and internal threats.
  5. Endpoint and network management administrators should work hand-in-hand to understand the threats that arise, and learn how to share their knowledge and findings with each other effectively.
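The log management recommendation above is the one a security team can act on immediately after a campaign like the one the FBI describes: an attacker who has phished VPN credentials still has to log in through the gateway, and that login is visible. The following is an added example, not code from the article, the FBI report, or any product. It assumes a hypothetical VPN gateway log format (ISO timestamp, gateway name, then key=value fields for user, source address, MFA use and result); the sample lines are constructed. It builds a per-user baseline of known source addresses from events before a cutoff, then flags later successful logins that skipped MFA, came from a source never seen for that user, or share a new source with other users, which is the pattern of one attacker logging in with several stolen accounts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample VPN authentication log (hypothetical format, not from any real gateway).
SAMPLE_LOG = """\
2021-01-14T08:55:10Z vpn-gw1 user=alice src=198.51.100.7 mfa=yes result=success
2021-01-14T09:02:44Z vpn-gw1 user=bob src=198.51.100.21 mfa=yes result=success
2021-01-15T08:57:03Z vpn-gw1 user=alice src=198.51.100.7 mfa=yes result=success
2021-01-15T13:41:19Z vpn-gw1 user=alice src=203.0.113.45 mfa=no result=success
2021-01-15T13:42:02Z vpn-gw1 user=bob src=203.0.113.45 mfa=yes result=failure
2021-01-15T13:43:30Z vpn-gw1 user=bob src=203.0.113.45 mfa=yes result=success
"""

# One log line: timestamp, gateway, then fixed key=value fields (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


@dataclass
class Alert:
    ts: str      # timestamp of the triggering event
    user: str    # affected user (comma-separated list for shared-source alerts)
    src: str     # source address of the login
    reason: str  # one of: success_without_mfa, unknown_source, shared_unknown_source


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str, cutoff: str) -> list[Alert]:
    """Build a baseline of known sources per user from successful logins before
    `cutoff` (ISO-8601 string; lexicographic comparison is valid for this format),
    then check every successful login at or after the cutoff against it."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    known: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            known[e["user"]].add(e["src"])

    alerts: list[Alert] = []
    users_by_new_src: dict[str, set[str]] = defaultdict(set)
    first_seen: dict[str, str] = {}
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue  # only post-cutoff successes matter here; failures are noise for this rule
        if e["mfa"] == "no":
            alerts.append(Alert(e["ts"], e["user"], e["src"], "success_without_mfa"))
        if e["src"] not in known[e["user"]]:
            alerts.append(Alert(e["ts"], e["user"], e["src"], "unknown_source"))
            users_by_new_src[e["src"]].add(e["user"])
            first_seen.setdefault(e["src"], e["ts"])

    # A single unfamiliar address logging in as several users is the strongest signal.
    for src, users in users_by_new_src.items():
        if len(users) > 1:
            alerts.append(Alert(first_seen[src], ", ".join(sorted(users)), src, "shared_unknown_source"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, "2021-01-15T00:00:00Z"):
        print(f"{a.ts or '-':22} {a.reason:24} user={a.user} src={a.src}")
```

The baseline here is just "every source seen before the cutoff"; in practice you would feed it a rolling window of weeks of successful logins and, for the MFA rule, alert on any success where the gateway reports no second factor, since after a vishing call that is exactly the login the attacker is hoping goes unnoticed.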

As recommended by the FBI, it's important to ensure your corporate network is secured against vishing attacks and that employee devices are kept safe from external threats.