Many data breaches begin with a phishing email, but credential phishing can also arrive through other channels such as instant-messaging applications or SMS texts. One frequently overlooked route is phishing over the telephone, also called vishing. These attacks let attackers obtain the credentials needed to access email accounts and/or cloud services, including accounts that have the ability to modify privileges.
The Federal Bureau of Investigation (FBI) recently issued an advisory in response to a surge in vishing incidents in which attackers steal credentials for company accounts, such as network access credentials and accounts that can escalate privileges. The switch to remote work in 2020 as a result of COVID-19 has made it harder for IT staff to keep track of network access and privilege escalation, so these attacks often go undetected.
The FBI cautioned that it has noticed a shift in tactics by threat actors. Instead of targeting only the credentials of people who could elevate privileges, cybercriminals are now attempting to obtain all credentials. Although the credentials of low-profile workers may not provide the sought-after access to networks, systems, or data, they give attackers a foothold from which to gain broader network access, including the opportunity to escalate privileges.
Threat actors are using VoIP systems to target company employees over the phone and obtain credentials. One approach is to persuade an employee to sign in to a phishing website that collects credentials: for example, the threat actor impersonates a member of the IT team and tells the employee to visit a website to update their software or "for security purposes."
In one recent vishing attack, cybercriminals contacted a targeted company’s employee in its chatroom and told the employee to sign in to a counterfeit VPN page. The threat actors stole the employee’s credentials, signed in remotely to the VPN, and performed reconnaissance to locate an employee with greater privileges. The goal was to find an employee with permission to modify usernames and email credentials. Once such a person was identified, the threat actors contacted them again through the chatroom messaging service to harvest that employee’s credentials as well.
This is the FBI’s second warning about vishing. This tactic has been employed in attacks since December 2019. To strengthen defenses against these vishing attacks, the FBI recommends the following:
- Use multi-factor authentication to increase the security of employee account access.
- Allow network access for new personnel with limited privileges.
- Frequently evaluate network access for personnel to discover weak areas.
- Scan and keep track of unauthorized network access and alterations of permissions.
- Follow network segmentation to regulate the flow of network traffic.
- Administrators should have two accounts: an account with admin privileges to be used for system changes and another account to be used for making updates, emailing and generating reports.
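The monitoring recommendation above, combined with the VPN-login-then-escalate sequence from the attack described earlier, as an added Python example that is not part of the FBI advisory or this article: it correlates constructed audit events and flags permission changes made by an account shortly after that account logged in over the VPN, unless the actor is on an assumed allow-list of accounts expected to change permissions. The event field names, the time window, and the sample data are all assumptions for this example.

```python
"""Correlate VPN logins with later permission changes (constructed data)."""
from datetime import datetime, timedelta

# Constructed sample audit events, oldest first; timestamps are ISO 8601.
# Field names such as "vpn_login" and "privilege_change" are assumptions.
EVENTS = [
    {"ts": "2021-01-15T09:02:00", "type": "vpn_login", "user": "jdoe",
     "src": "10.8.0.5"},
    {"ts": "2021-01-15T09:40:00", "type": "vpn_login", "user": "asmith",
     "src": "203.0.113.77"},
    {"ts": "2021-01-15T10:05:00", "type": "privilege_change", "actor": "asmith",
     "target": "asmith", "detail": "added to Domain Admins"},
    {"ts": "2021-01-15T11:30:00", "type": "privilege_change",
     "actor": "helpdesk-ops", "target": "newhire01",
     "detail": "added to Remote Users"},
    {"ts": "2021-01-15T12:00:00", "type": "privilege_change", "actor": "jdoe",
     "target": "svc-ceo", "detail": "password reset for mailbox svc-ceo"},
]

# Accounts expected to change permissions (assumed allow-list for this example).
AUTHORIZED_ACTORS = {"helpdesk-ops"}
# How long after a VPN login a permission change is considered "fresh".
WINDOW = timedelta(hours=4)


def find_suspicious_changes(events, authorized=AUTHORIZED_ACTORS, window=WINDOW):
    """Return (actor, target, detail, score) for privilege changes made by
    non-allow-listed actors within `window` of their own VPN login.

    A change an actor makes to its *own* account scores 2 (the pattern of
    an attacker escalating a freshly phished account); changes to other
    accounts score 1. Allow-listed actors are skipped entirely."""
    last_vpn = {}  # user -> datetime of that user's most recent VPN login
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "vpn_login":
            last_vpn[ev["user"]] = t
        elif ev["type"] == "privilege_change":
            actor = ev["actor"]
            if actor in authorized:
                continue
            login = last_vpn.get(actor)
            if login is not None and t - login <= window:
                score = 2 if ev["target"] == actor else 1
                findings.append((actor, ev["target"], ev["detail"], score))
    return findings


if __name__ == "__main__":
    for actor, target, detail, score in find_suspicious_changes(EVENTS):
        print(f"[score {score}] {actor} -> {target}: {detail}")
```

Running the block prints two findings: the self-escalation by asmith (score 2) and the mailbox password reset by jdoe (score 1); the helpdesk-ops change is skipped as allow-listed.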