Vishing uses an “old school” technique that is hard to detect with conventional tooling: you can’t use antivirus to block a phone call from a scammer.
This growing threat reaches users IRL (in real life). It is a social-engineering technique that uses live phone calls, as well as voicemail messages (aka robocalls), that pretend to come from a legitimate company.
Vishing, also known as a phone scam, targets individuals by catching them off guard. Scammers often spoof local phone numbers so the target will pick up, thinking it may be a business they’ve used, like a pharmacy or gym.
Due to the disruption of the pandemic, cyberattacks of all kinds have been on the rise. Companies haven’t always adequately protected newly remote workers with device security and other safeguards.
Attackers are taking advantage of remote workers who are now somewhat disconnected from their main office and may be more willing to believe a scammer’s story.
One vishing scam that’s become particularly prevalent was the subject of a joint cybersecurity advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). It warned of a scam that uses a spoofed VPN login page and has been hitting businesses.
How Does the VPN Vishing Scam Work?
This vishing scam combines offline and online tactics. The attacker calls a user and talks them into logging in to a fake page, then uses the credentials captured by that page to access the company’s VPN.
What kind of damage can be done if a scammer accesses an employee’s VPN account? Just ask Colonial Pipeline.
The Colonial Pipeline ransomware attack that caused gas shortages across the U.S. in May was initiated through a compromised VPN account that was not protected with multi-factor authentication.
If a hacker can gain access to employee credentials, they can often gain a way into a company’s entire network.
Here’s how this vishing scam works.
Reconnaissance of the Target Company
To create a convincing scam, the hacker needs to gather some company data that will make their trap more effective.
This includes doing things like scraping employee and company details from LinkedIn and other social media sites to create a game plan of how to run the scam.
For example, if they see that “Jim Brown” is the company’s technology officer, a scammer can use that name when they vish an employee: “Hi, this is Trevor from XYZ Cybersecurity, and your technology officer, Jim, asked us to contact all employees and go through some steps…”
If a scammer displays some knowledge about the company and its personnel, it’s more convincing to an unsuspecting employee that receives a “technical” call out of the blue.
Creating the Trap
Next, the hacker needs to set up the trap, which will consist of a VPN login page that duplicates the look of the company’s internal VPN page.
They’ll register a copycat domain and set the page up to look identical. Copycat domains usually have a hard-to-spot spelling difference in the name, or they place the company’s name as a subdomain of a generic-sounding domain built around a term like “security-team.”
These traps are set up to capture:
- The employee’s login name and password
- The employee’s two-factor authentication token for the internal VPN
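The copycat-domain patterns described above (a one- or two-character spelling change, look-alike characters, or the company name pushed down into a subdomain of someone else’s domain) are exactly what a domain-monitoring feed should flag. The following is an added example, not code from the original post or from any vendor mentioned in it; the company domain `xyzcorp.com`, the candidate list and the homoglyph table are all constructed, and the public-suffix handling is simplified to single-label suffixes such as `.com`.

```python
"""Flag newly observed domains that resemble a company's login domain.

Added example (not from the original post). COMPANY_DOMAIN and the
candidate list are constructed; a real feed would come from certificate
transparency logs or a commercial domain-monitoring service.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COMPANY_DOMAIN = "xyzcorp.com"  # constructed example

# Visual confusions that copycat domains commonly rely on. Both sides of a
# comparison are normalised the same way, so the mapping need not be perfect.
_HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def registrable(domain: str) -> Tuple[str, str]:
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Simplification: assumes a single-label public suffix such as '.com'.
    A production check would consult the public-suffix list instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse homoglyphs and hyphens so 'xyz-c0rp' compares as 'xyzcorp'."""
    for bad, good in _HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    domain: str
    reason: str


def classify(candidate: str, company: str = COMPANY_DOMAIN) -> Optional[Finding]:
    """Return a Finding if `candidate` looks like a copycat of `company`."""
    sub, reg = registrable(candidate)
    _, company_reg = registrable(company)
    company_name = company_reg.split(".")[0]
    name = reg.split(".")[0]

    if reg == company_reg:
        return None  # our own domain or a legitimate subdomain of it
    if company_name in sub.split("."):
        return Finding(candidate, "company name used as subdomain of a foreign domain")
    if normalise(name) == normalise(company_name):
        return Finding(candidate, "homoglyph or hyphen variant of company name")
    # Allow two edits for longer names; one edit for short names keeps
    # false positives down on five-letter brands.
    threshold = 2 if len(company_name) >= 6 else 1
    if edit_distance(name, company_name) <= threshold:
        return Finding(candidate, "one- or two-character typosquat")
    if company_name in name:
        return Finding(candidate, "company name embedded in another label")
    return None


def scan(candidates: List[str], company: str = COMPANY_DOMAIN) -> List[Finding]:
    """Classify every candidate and keep only the suspicious ones."""
    return [f for f in (classify(c, company) for c in candidates) if f]


# Constructed sample feed: what a day's new registrations might look like.
SAMPLE_FEED = [
    "xyzcorp.com",                  # ours
    "vpn.xyzcorp.com",              # ours (subdomain)
    "xyzc0rp.com",                  # zero for 'o'
    "xyzcorp.security-team.com",    # our name as a subdomain
    "xyzcrop.com",                  # transposed letters
    "xyzcorp-vpn-login.com",        # our name embedded
    "unrelated.net",                # benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FEED):
        print(f"{finding.domain:30} {finding.reason}")
```

The checks run from most to least specific on purpose: a domain that is genuinely ours is excused first, and the cheap exact-after-normalisation test runs before the edit-distance test so that a homoglyph variant is reported as such rather than as a generic typosquat.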
The Vishing Call
Now that the hacker is armed with some convincing company information and a fake VPN login page, they’re ready to contact the employees of that company and spring the trap.
They will call the cell phone of the employee and pose as an “IT technician” or “Help Desk Staff” and have some type of urgent security concern as the basis for the call.
Hackers will often use these tactics to both gain trust and escalate the situation, so someone feels compelled to do what they ask:
- Use details about the company that the employee figures they wouldn’t know unless they were legit.
- Emphasize an urgent security situation that has to be addressed now.
- Make the employee feel as if they will get in trouble should they not comply.
The scammer will send the employee a link to the fake VPN page and ask them to sign in and do something like changing their password. The moment the employee signs in to the fake site, the hacker has what they came for.
Stealing Company Information or Planting Malware
Now that the hacker has the employee’s login credentials, the attack will be swift. They know it may only take a few minutes for someone to question what just happened and change the real VPN password, so the follow-on steps are usually automated to run the instant the credentials arrive.
Hackers can steal data, plant ransomware or other malware, put backdoors into a system for a persistent attack, send phishing from a company domain, and more.
How Can You Protect Your Company from Vishing?
- Train employees on how to spot and avoid vishing.
- Pay for a robocall blocking service.
- Use multi-factor authentication on all services and accounts that you can.
- Restrict VPN connections to company-managed devices only and block all others by default.
- Limit VPN access with time windows and geolocation rules.
- Employ domain monitoring to detect copycat domains before they are used against you.
- Actively scan and monitor web applications for unauthorized access and suspicious activity.
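The VPN controls in the list above (managed devices only, time windows, geolocation rules, MFA everywhere) work best as a deny-by-default policy evaluated on every login. The following is an added example, not the original post’s or any vendor’s code; the user names, device ids, countries, timestamps and policy values are all constructed assumptions. It shows why the device and location rules matter in this particular scam: the fake page captures a 2FA token too, so an attacker replaying it may pass the MFA check and still be stopped by the other rules.

```python
"""Evaluate VPN login attempts against a deny-by-default access policy.

Added example (not from the original post). Every identifier, country and
timestamp below is constructed; the policy values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import FrozenSet, List


@dataclass(frozen=True)
class Policy:
    managed_devices: FrozenSet[str]       # device ids enrolled in the company MDM
    allowed_countries: FrozenSet[str]     # ISO country codes staff may connect from
    work_start: time = time(6, 0)         # permitted window, UTC (assumption)
    work_end: time = time(20, 0)
    require_mfa: bool = True


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    at: datetime          # timezone-aware
    mfa_passed: bool


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(attempt: LoginAttempt, policy: Policy) -> Decision:
    """Every rule must pass; each failed rule is recorded for the SOC."""
    reasons: List[str] = []
    if attempt.device_id not in policy.managed_devices:
        reasons.append("device not company-managed")
    if attempt.country not in policy.allowed_countries:
        reasons.append(f"source country {attempt.country} outside allowed set")
    clock = attempt.at.astimezone(timezone.utc).time()
    if not (policy.work_start <= clock <= policy.work_end):
        reasons.append("outside permitted time window")
    if policy.require_mfa and not attempt.mfa_passed:
        reasons.append("MFA not completed")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed policy and sample attempts.
POLICY = Policy(
    managed_devices=frozenset({"LAPTOP-0042", "LAPTOP-0077"}),
    allowed_countries=frozenset({"US"}),
)

_T = timezone.utc
SAMPLE_ATTEMPTS = [
    # Jim on his managed laptop during the day: allowed.
    LoginAttempt("jim.brown", "LAPTOP-0042", "US", datetime(2021, 6, 1, 14, 0, tzinfo=_T), True),
    # Replay of Jim's phished password and 2FA token from an unmanaged VM:
    # MFA passes, but the device rule denies it.
    LoginAttempt("jim.brown", "unmanaged-vm", "US", datetime(2021, 6, 1, 14, 5, tzinfo=_T), True),
    # Same replay from abroad at 3 a.m. UTC: three rules fail at once.
    LoginAttempt("jim.brown", "unmanaged-vm", "RO", datetime(2021, 6, 2, 3, 0, tzinfo=_T), True),
    # Managed device, but the user skipped MFA: denied.
    LoginAttempt("ann.lee", "LAPTOP-0077", "US", datetime(2021, 6, 1, 9, 30, tzinfo=_T), False),
]


def triage(attempts: List[LoginAttempt], policy: Policy = POLICY) -> List[Decision]:
    return [evaluate(a, policy) for a in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, triage(SAMPLE_ATTEMPTS)):
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{verdict:5} {attempt.user:10} {attempt.device_id:14} {'; '.join(decision.reasons)}")
```

Returning every failed reason rather than stopping at the first one is a deliberate choice: a denial that lists an unmanaged device, a foreign source and an off-hours timestamp for an account that just passed MFA is itself a strong signal that the account’s credentials and token have been phished, and is worth an alert, not just a blocked connection.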
Does Your Remote Team Have Adequate IT Security?
Remote teams don’t have to pose a security risk if they have the proper protection. Magnify247 can help your Hamilton County business ensure employees are properly trained and have the tools in place to protect your business accounts.