The FBI has warned corporations of an increase in vishing attacks aimed at stealing employee credentials and other personal details in order to infiltrate networks and gain access to privileged user accounts. Once attackers control a highly privileged account, they can cause major financial damage to the organization.
So, before we discuss the threat, let's take a look at what vishing is and how it's currently becoming a key attack vector for hackers.
Vishing (voice phishing) is a social engineering attack carried out over voice calls, in which the caller manipulates the target into disclosing sensitive information, such as login credentials or authentication codes, that the attacker then uses to reach their objective. Past vishing campaigns have caused serious damage.
With more people than ever working remotely, reliance on Voice over Internet Protocol (VoIP) and chat platforms has grown, and attackers have adapted by using those same channels to reach employees with vishing calls.
The FBI's Private Industry Notification (PIN), distributed under the Traffic Light Protocol (TLP), describes attackers using VoIP platforms to call employees and direct them to phishing pages that imitate the company's VPN login, harvesting the credentials entered there to breach corporate networks.
In the case the FBI describes, the attackers found an employee through the company's chatroom and persuaded them to log in to a fake VPN page the attackers controlled. Using a cloud-based payroll service to identify a further target, they phished that employee's credentials as well and then used the stolen credentials to get into the network.
This vishing campaign isn't the first of its kind: the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned of a similar campaign back in August 2020. That campaign followed the same approach but also captured the second authentication factor, such as a one-time password (OTP), when the victim entered it on the fake page. SMS-delivered OTPs can also be intercepted with a SIM swap attack, also called SIM jacking, in which the attacker has the victim's phone number moved to a SIM the attacker controls.
Corporations are advised to follow the practices below to keep their networks safe from vishing attacks:
As the FBI recommends, ensure that your corporate network is protected against vishing attacks and that employee devices are protected from external threats.