The Federal Bureau of Investigation has issued a Private Sector Warning (PIN) alerting companies to attacks in which threat actors attempt to obtain employee credentials through vishing calls or corporate chat rooms.
Taking advantage of the COVID-19 pandemic, which has forced widespread adoption of telework, cyber criminals and other threat actors are seeking to exploit perceived misconfigurations and the reduced oversight of remote network access and user privileges.
The FBI says one observed change in strategy is that attackers now target the credentials of all employees, not only those whose organisational role gives them broader access and stronger protections.
Cybercriminals have been observed using social engineering against both US and foreign employees of large corporations. Employees were tricked into visiting fake web sites and entering their corporate usernames and passwords during vishing attacks (voice phishing conducted over phone calls, using VoIP platforms).
“Many cyber criminals discovered that they had greater network access after gaining access to the network, including the ability to increase the privileges of the compromised employees’ accounts, allowing them to gain further access to the network, often causing significant financial damage,” notes the FBI.
In one attack, the FBI says, the cybercriminals identified an employee via the company's chatroom and persuaded them to log into a fake VPN page that captured their credentials.
The attackers then signed in to the organisation's VPN with the stolen username and password and began looking for employees with higher privileges. They located an individual who could change usernames and email addresses and used the chatroom's messaging feature to phish that person's credentials as well.
The notorious Twitter hack of July 2020, in which three young people gained access to the social network's internal tools and took over high-profile accounts, illustrates how such an attack unfolds: the attackers phoned multiple employees to phish their passwords until they eventually harvested credentials with the rights they were after.
To appear trustworthy, the hackers used personal information about the employees. Although some employees reported the calls to Twitter's internal fraud reporting unit, at least one employee fell for the hackers' story, the New York Department of Financial Services said in a report on the incident.
To prevent such attacks, the FBI urges companies to enforce multi-factor authentication (MFA) for employee accounts, follow the principle of least privilege (especially for new employee accounts), regularly monitor the environment for unauthorised access or changes, use network segmentation, and issue administrators two separate accounts: one for email and one for device modifications.
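The attack chain described above (stolen credentials, a VPN login from an unfamiliar location, then a privilege change on the same account) is exactly the kind of pattern the "monitor for unauthorised access or changes" recommendation is meant to catch. The following Python script is an added illustration, not code from the FBI notification or from this article: it correlates VPN authentication events with admin-audit events and raises an alert when a privilege change follows, within a time window, a VPN login that lacked MFA, came from a source address not previously seen for that user, or was a self-granted privilege. The log format, field names, user names and IP addresses are all constructed for the example.

```python
"""Correlate VPN logins with follow-on privilege changes (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format: key=value fields).
VPN_LOG = """\
2020-08-20T09:02:11Z vpn-auth user=jdoe src=203.0.113.7 result=success mfa=yes
2020-08-20T13:41:05Z vpn-auth user=asmith src=198.51.100.23 result=success mfa=no
2020-08-20T13:44:30Z vpn-auth user=asmith src=198.51.100.23 result=success mfa=no
2020-08-20T14:10:02Z vpn-auth user=bwong src=192.0.2.45 result=success mfa=yes
"""

# Constructed sample admin-audit log (hypothetical format) of privilege-affecting actions.
ADMIN_AUDIT = """\
2020-08-20T13:55:19Z admin-audit actor=asmith action=group_add target=asmith group=IT-Admins
2020-08-20T14:30:00Z admin-audit actor=bwong action=password_reset target=ceo
2020-08-20T17:12:44Z admin-audit actor=jdoe action=group_add target=jdoe group=Helpdesk
"""

# Constructed baseline of source addresses previously seen per user.
KNOWN_SOURCES = {
    "jdoe": {"203.0.113.7"},
    "asmith": {"203.0.113.7"},
    "bwong": {"192.0.2.45"},
}

# Actions that change who holds privileges; a user applying them to themselves is suspicious.
PRIVILEGE_ACTIONS = {"group_add", "role_grant", "password_reset"}


def parse(line):
    """Turn one 'timestamp kind k=v k=v ...' line into a dict."""
    ts, kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["kind"] = kind
    return rec


def correlate(vpn_text, audit_text, known_sources, window=timedelta(hours=2)):
    """Return alerts for audit events preceded (within `window`) by a risky VPN login."""
    logins = defaultdict(list)
    for line in vpn_text.splitlines():
        rec = parse(line)
        if rec["result"] == "success":
            logins[rec["user"]].append(rec)

    alerts = []
    for line in audit_text.splitlines():
        ev = parse(line)
        actor = ev["actor"]
        # Most recent successful VPN login by the actor inside the window before the event.
        candidates = [
            lg for lg in logins.get(actor, [])
            if timedelta(0) <= ev["ts"] - lg["ts"] <= window
        ]
        if not candidates:
            continue
        login = max(candidates, key=lambda lg: lg["ts"])

        reasons = []
        if login["src"] not in known_sources.get(actor, set()):
            reasons.append("new source ip")
        if login["mfa"] != "yes":
            reasons.append("no mfa")
        if ev["action"] in PRIVILEGE_ACTIONS and ev.get("target") == actor:
            reasons.append("self privilege change")
        if reasons:
            alerts.append({
                "user": actor,
                "src": login["src"],
                "login_ts": login["ts"].isoformat(),
                "action": ev["action"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(VPN_LOG, ADMIN_AUDIT, KNOWN_SOURCES):
        print(alert)
```

On the sample data only `asmith` is flagged: the login came from an address not in that user's baseline, had no MFA, and was followed fourteen minutes later by the same account adding itself to an admin group. `bwong` performs a sensitive action too, but from a known address with MFA, and `jdoe`'s group change falls outside the two-hour window, so neither produces an alert. In a real deployment the baseline of known sources would be built from historical logs rather than hard-coded, and the window and action list tuned to the environment.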
“With so many people working from home, because they don’t have the protective environment of being in their corporate offices, they are more likely to fall for this type of vishing scam,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed statement.
“In order to ensure that employees are aware of current dangers and can take appropriate actions to reduce the risk of an attack by unauthorised people, organisations want to include vishing exercises within their robust security awareness, behaviours, and culture programmes,” McQuiggan added.