As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their mission-critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week, there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Summary
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint warning about the growing threat of voice phishing (“vishing”) attacks against companies and agencies. Vishing is a social-engineering method in which the attacker initiates a phone call, poses as a trusted party (typically IT or help-desk staff), and talks the victim into divulging credentials or other sensitive information. Mission Critical Partners (MCP) recommends following the best practices outlined within this post to avoid social-engineering and phishing attacks in general, and to be especially vigilant about the increased use of phone calls to carry out such attacks.
Technical Detail and Additional Information
What Is the Threat?
The COVID-19 pandemic has shifted a large share of agency personnel to working from home, which has sharply increased reliance on government virtual private networks (VPNs). An ongoing wave of vishing attacks is targeting U.S. private- and public-sector organizations, and specifically this new work-from-home (WFH) population. In the basic routine of the attack, the cybercriminals call the potential victims while posing as someone else (for example, help-desk staff) in order to obtain personal and/or agency information, most importantly VPN credentials. The cybercriminals then use the vished credentials to mine the victim agency’s databases for further sensitive information that can be leveraged in other attacks, with the end goal of monetizing the access.
Why Is this Noteworthy?
The vishing campaign follows a common thread: the bad actors register look-alike domains and build phishing pages that duplicate an agency’s intranet and VPN login pages, then use targeted phone calls to walk the victims through entering their credentials into the cybercriminal’s data-harvesting site. Victims easily may be fooled by a skillfully crafted scheme that combines the psychological manipulation of social engineering with a phishing site whose domain name looks legitimate, for example by pairing the agency’s name with a plausible word such as “support,” “vpn,” or “employee.” To make such a targeted attack convincing, many cybercriminals also obtain a TLS certificate (still commonly called a Secure Sockets Layer, or SSL, certificate) for the phishing site, so the browser shows the padlock and the site appears trustworthy. Note that a certificate only proves that its holder controls that particular domain name; it says nothing about who operates the site, so the padlock alone is no evidence that a login page is genuine. If a caller is directing you to a login page while you are on the phone with them, and the address is not the VPN address you normally use, that combination is the signature of this attack.
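Because the campaign depends on look-alike domains, one practical control is domain monitoring: periodically feed newly registered domains or certificate-transparency entries through a filter that flags names imitating the agency’s own. The following Python script is an added example written for this post; it is not MCP’s tooling and is not taken from the FBI/CISA advisory. The agency domain metrocounty.gov, the candidate list, the affix list and the homoglyph table are all constructed assumptions for illustration. It flags four kinds of imitation described above: the agency’s brand keyword with a help-desk/VPN/SSO affix, the brand on a TLD the agency does not own, digit-for-letter homoglyph swaps, and typosquats a couple of edits away.

```python
"""Look-alike domain triage for vishing/phishing infrastructure.

Added example, not MCP's own tooling and not from the FBI/CISA advisory.
Given an agency's legitimate domain and a batch of candidate domains,
flag the ones that imitate the agency.  The candidate batch below is
constructed; in practice it would come from a certificate-transparency
feed or a newly-registered-domain list.
"""
import re
from typing import Dict, List, Tuple

# Affixes phishing sites commonly bolt onto a brand keyword.
# Assumed list for this example, not an exhaustive one.
SUSPICIOUS_AFFIXES = ("support", "helpdesk", "help", "vpn", "sso", "okta",
                      "ticket", "employee", "portal", "login", "intranet")

# Characters phishers swap for visually similar ones (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "8": "b", "rn": "m", "vv": "w"}

LEGIT_DOMAIN = "metrocounty.gov"  # constructed agency domain

# Constructed candidate batch, as a new-domain feed might deliver it.
CANDIDATES = [
    "vpn.metrocounty.gov",      # real subdomain of the agency
    "metrocounty-support.com",  # brand + help-desk affix
    "support-metrocounty.net",  # affix + brand
    "metrocounty-okta.com",     # brand + SSO vendor name
    "metr0county.com",          # zero in place of 'o'
    "metrocuonty.com",          # transposed letters
    "metrocounty.net",          # brand on a TLD the agency does not own
    "countyservices.org",       # unrelated
]


def registrable_label(domain: str) -> str:
    """Second-level label: 'metrocounty' from 'vpn.metrocounty.gov'.
    Assumes single-label public suffixes (.gov, .com); a real tool
    would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_homoglyphs(label: str) -> str:
    """Undo the common look-alike substitutions so that 'metr0county'
    compares equal to 'metrocounty'."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_domain: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for one candidate domain."""
    cand = candidate.lower().strip(".")
    legit = legit_domain.lower().strip(".")
    if cand == legit or cand.endswith("." + legit):
        return False, "legitimate"
    brand = registrable_label(legit)
    label = registrable_label(cand)
    if brand in label:
        rest = label.replace(brand, "")
        if any(affix in rest for affix in SUSPICIOUS_AFFIXES):
            return True, "brand keyword with helpdesk/VPN/SSO affix"
        return True, "brand keyword on a domain the agency does not control"
    normalized = normalize_homoglyphs(label)
    if normalized != label and brand in normalized:
        return True, "homoglyph substitution"
    # Typosquat check: allow 2 edits only for long brands, where a
    # near match is unlikely to be an unrelated real word.
    max_dist = 1 if len(brand) < 8 else 2
    dist = edit_distance(re.sub(r"[-_]", "", label), brand)
    if 0 < dist <= max_dist:
        return True, f"typosquat (edit distance {dist})"
    return False, "no match"


def triage(candidates: List[str], legit_domain: str) -> Dict[str, str]:
    """Map each suspicious candidate to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    for cand in candidates:
        suspicious, reason = classify(cand, legit_domain)
        if suspicious:
            flagged[cand] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in triage(CANDIDATES, LEGIT_DOMAIN).items():
        print(f"{domain:28} {reason}")
```

The output is a triage list, not a verdict: a flagged domain still needs a human to look at what it serves before it goes onto a blocklist or into a takedown request. The affix and homoglyph tables are deliberately small; extend them with the vendor names (SSO provider, VPN product) and the abbreviations your agency actually uses, since those are what a caller will mention on the phone.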
What Are the Recommendations?
Mission Critical Partners recommends providing security awareness training within your organization and following the best practices below to protect your agency and its data against vishing and other social-engineering attacks.

For personnel: treat any unsolicited call from someone claiming to be IT, the help desk, or a vendor as suspect, even if the caller knows your name, title, or colleagues. Do not read out passwords, one-time codes, or MFA approvals to anyone over the phone; hang up and call the help desk back on the number published internally. Reach the VPN and intranet only through a bookmark or the address issued by the agency, never through a link or address given to you during a call, and check the domain name carefully before entering credentials. Limit the personal and organizational details you post on social media, since callers use them to sound credible.

For the agency: require multi-factor authentication on VPN and intranet logins, and prefer phishing-resistant factors (hardware security keys) over one-time codes, which a caller can ask for and relay in real time. Restrict VPN connections to managed devices, for example by requiring a device certificate, so that a stolen password alone is not enough. Establish a formal callback procedure for any request involving credentials or access. Monitor for newly registered domains that imitate the agency’s name, and review VPN logs for logins from unfamiliar devices, locations, or hours. Apply the principle of least privilege so that a single compromised account exposes as little as possible.