Cybersecurity Threat Advisory: Major ‘Vishing’ Campaign

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their mission-critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week, there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about the growing threat of voice phishing (“vishing”) attacks against companies. Vishing is a social-engineering method that uses voice communications to entice a victim to divulge sensitive information via a cybercriminal-initiated phone call. Mission Critical Partners (MCP) recommends following best practices outlined within this post to avoid social-engineering and phishing attacks, in general, and to be especially vigilant and aware of the increased use of phone calls in perpetrating such attacks.

Technical Detail and Additional Information

What Is the Threat?

Due to the COVID-19 pandemic, a massive shift of agency personnel working from home has occurred, resulting in increased use of government virtual private networks (VPNs). An ongoing wave of vishing attacks has been targeting U.S. private- and public-sector companies, targeting this new work-from-home (WFH) demographic. The basic routine of the attack typically includes the cybercriminals, posing as other persons, calling the potential victims to obtain personal and/or agency information. Cybercriminals then use vished credentials to mine victim agency databases for further sensitive information to leverage in other attacks, with the end goal of monetizing the access.

Why Is this Noteworthy?

The vishing campaign follows a common thread wherein the bad actors register domains and create phishing pages attempting to duplicate an agency’s intranet and VPN login pages, while using the targeted phone calls to lure the victims into entering sensitive information into the cybercriminal’s data-harvesting sites. Victims easily may be fooled by skillfully crafted schemes that include the psychological manipulation of social engineering, coupled with phishing sites that seemingly have legitimate domain names. In an effort to pull off such a targeted attack, many cybercriminals will actually purchase a Secure Socket Layer (SSL) certificate for their phishing site, which makes the site appear to be more trustworthy and less suspicious.

What Are the Recommendations?

Mission Critical Partners recommends providing security awareness training within your organization and following best practices to protect your agency and its data against vishing and other social-engineering attacks.

• Be suspicious of unsolicited phone calls, visits or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information. If possible, try to verify the caller’s identity directly with the company.
• Bookmark the correct corporate domains and websites, and do not visit alternative uniform resource locators (URLs) on the sole basis of an inbound phone call.
• If you receive a vishing call, document the caller’s phone number as well as the domain to which the bad actor tried to send you, and relay this information to management and the appropriate law-enforcement authorities.
• Pay attention to the URL of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http.”
• Look for a closed padlock icon in the web browser—a sign that your information will be encrypted.
• Install and maintain antivirus software, firewalls, and email filters to reduce some of this unwanted, dangerous traffic.
• Implement and enforce the use of multifactor authentication (MFA).

Related Posts

An Effective Network Operations Center Does More Than Provide Alerts

Cybersecurity Threat Advisory: Two Microsoft Zero-Day Attack Vulnerabilities

Why Critical Infrastructure Agencies Should Monitor for Exposed Credentials