A telephone scam is targeting remote workers to gain access to corporate networks. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint warning about this "vishing" (voice phishing) campaign. The callers impersonate help desk personnel to get employees to log in at a fraudulent site. If they succeed, they capture the credentials needed to access the organization's virtual private network (VPN).
Businesses need to be aware of this attack and take measures to keep it from happening to them. A human voice is more convincing than email, and employees who would ignore email requests of this kind might fall victim to a fraudulent call.
How the Deception Works
The perpetrators do serious research to make themselves convincing. They acquire personal identifying information on the targeted employees, including names, personal phone numbers, positions at the company, and home addresses. In some cases, they spoof the caller ID so that the call appears to come from one of the company's own numbers.
The caller tells the victim that a new VPN link will be sent. The victim follows the link and enters a username and password, plus whatever multi-factor authentication or one-time password the real VPN asks for. The fraudulent site relays each step to the real VPN in real time, so the login looks familiar to the employee. Meanwhile it captures the employee's password and any one-time code received by SMS for two-factor authentication. The criminals immediately use these credentials to connect to the VPN themselves, before the one-time code expires.
The "new" link goes to a domain the attackers have registered, chosen to look related to the company. If the company's domain is companyX.com, the deceptive domain might be companyX-support.com or something similar.
In some cases, the criminals trick the victim's cell phone provider into issuing them a "replacement" SIM for the victim's number (a SIM swap). They can then receive the SMS code directly instead of relying on the victim to enter it.
How to Keep the Attack from Succeeding
Security training educates employees to be cautious about telephone calls as well as email. Skilled callers are very persuasive. Employees should follow a verification procedure, such as hanging up and calling back on a published help desk number, before disclosing confidential information, and should report any suspicious call to their network administrator.
Authenticating with a hardware security key, or applying VPN restrictions (for example, allowing only company-managed devices to connect), reduces the chance that credentials entered on a fraudulent site can be used. The caveat is that a one-time code or push approval is not tied to the site that requested it, so the fraudulent site can act as a pass-through to the legitimate server and relay those factors in real time. A FIDO2/WebAuthn security key is different: the response it produces covers the origin the browser is actually on, so a response generated on a lookalike domain is rejected by the real VPN.
Employees should enter login information only on pages on the company's own domain, reached through bookmarks they know are valid. Security training should remind them that similar-looking domains are not necessarily related: a domain that does not exactly match the organization's domain, or sit beneath it as a subdomain, could belong to an unauthorized party. When in doubt, ask your IT specialist.
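The following simulation, added here and not part of the advisory or the original article, shows why the pass-through relay described above defeats a one-time code but not an origin-bound authenticator. The origins, the user, the secrets and the use of a shared-key HMAC as a stand-in for the WebAuthn public-key signature are all assumptions made for the demonstration; the TOTP routine itself follows RFC 6238.

```python
"""Simulated real-time relay ("pass-through") attack against two kinds of second factor.

Added example, not code from the advisory. Origins, user, secrets and the HMAC stand-in
for the WebAuthn signature are assumptions for the demonstration.
"""
import hashlib
import hmac
import os
import struct
import time

REAL_ORIGIN = "https://vpn.companyx.example"        # assumed legitimate VPN origin
PHISH_ORIGIN = "https://companyx-support.example"  # assumed attacker-registered lookalike


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the kind of code an authenticator app or SMS delivers."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """Origin-bound second factor in the style of FIDO2/WebAuthn. A shared-key HMAC stands
    in for the public-key signature (simplification); what matters is *what* gets signed."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def sign(self, challenge: bytes, browser_origin: str) -> tuple:
        # The browser, not the user, fills in the origin the page was actually loaded from.
        client_data = browser_origin + "|" + challenge.hex()
        sig = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class VpnServer:
    """Legitimate VPN login endpoint holding each user's password and MFA material."""

    def __init__(self):
        self.users = {}
        self.sessions = []

    def add_user(self, name, password, totp_secret, cred_key):
        self.users[name] = {"password": password, "totp_secret": totp_secret, "cred_key": cred_key}

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def login_totp(self, name, password, code, now) -> bool:
        u = self.users.get(name)
        ok = bool(u) and u["password"] == password and hmac.compare_digest(code, totp(u["totp_secret"], now))
        if ok:
            self.sessions.append(name)
        return ok

    def login_origin_bound(self, name, password, challenge, client_data, sig) -> bool:
        u = self.users.get(name)
        if not u or u["password"] != password:
            return False
        origin, chal_hex = client_data.split("|", 1)
        # Reject any assertion produced for an origin other than our own, or for a stale challenge.
        if origin != REAL_ORIGIN or chal_hex != challenge.hex():
            return False
        expected = hmac.new(u["cred_key"], client_data.encode(), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
        if ok:
            self.sessions.append(name)
        return ok


def relay_totp(server, name, password, totp_secret, now) -> bool:
    """Proxy forwards the password and the code the victim just typed, inside the 30 s window."""
    typed_code = totp(totp_secret, now)  # victim reads it from SMS/app and types it into the fake page
    return server.login_totp(name, password, typed_code, now)


def relay_origin_bound(server, name, password, auth: Authenticator) -> bool:
    """Proxy fetches the real challenge, shows it on the lookalike site, forwards the response."""
    challenge = server.new_challenge()
    client_data, sig = auth.sign(challenge, PHISH_ORIGIN)  # victim's browser is on the fake site
    if server.login_origin_bound(name, password, challenge, client_data, sig):
        return True  # only possible if the server ignored the origin
    # Attacker patches the origin field; the signature then no longer matches.
    forged = client_data.replace(PHISH_ORIGIN, REAL_ORIGIN)
    return server.login_origin_bound(name, password, challenge, forged, sig)


def demo() -> dict:
    """Run the honest logins and the relayed logins and report which succeed."""
    server = VpnServer()
    secret = b"12345678901234567890"  # RFC 6238 test secret, used here as the demo TOTP seed
    auth = Authenticator(os.urandom(32))
    server.add_user("alice", "correct horse", secret, auth.cred_key)
    now = int(time.time())
    challenge = server.new_challenge()
    cd, sig = auth.sign(challenge, REAL_ORIGIN)
    return {
        "totp_honest": server.login_totp("alice", "correct horse", totp(secret, now), now),
        "totp_relayed": relay_totp(server, "alice", "correct horse", secret, now),
        "origin_bound_honest": server.login_origin_bound("alice", "correct horse", challenge, cd, sig),
        "origin_bound_relayed": relay_origin_bound(server, "alice", "correct horse", auth),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(label, "login succeeded" if ok else "login rejected")
```

Running `demo()` gives `totp_relayed` as a successful login and `origin_bound_relayed` as a rejection: the code is just six digits the victim can be talked into typing anywhere, whereas the origin-bound response is useless to the relay because it names the lookalike domain and cannot be edited without breaking the signature.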
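A small checker for the domain rule in the two paragraphs above, added as an example (not the advisory's or the article's code): it accepts only the company's registered domain or a subdomain of it and explains why a link was rejected. The company domain companyx.com, the sample links and the rejection categories are assumptions for the demonstration.

```python
"""Check whether a login link really points at the company's own domain.

Added example, not from the advisory. The company domain and the sample links are assumptions.
"""
from urllib.parse import urlsplit

COMPANY_DOMAIN = "companyx.com"  # assumed registered domain of the organization


def classify_link(url: str, company_domain: str = COMPANY_DOMAIN) -> tuple:
    """Return ("allow", reason) only for the company's domain or a subdomain of it.

    Anything else is ("reject", reason); the reason names the trick that was spotted.
    """
    company = company_domain.lower().strip(".")
    parts = urlsplit(url if "//" in url else "//" + url)  # accept bare "host/path" input
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("reject", "no hostname in link")
    if parts.username is not None:
        # https://companyx.com@evil.net/ : text before '@' is userinfo; evil.net is the real host
        return ("reject", "user info before '@' hides the real host " + host)
    if host == company or host.endswith("." + company):
        return ("allow", "host is " + company + " or a subdomain of it")
    labels = host.split(".")
    company_label = company.split(".")[0]
    if company in host:
        # companyx.com.evil.net : the company domain appears, but only as a prefix of another domain
        return ("reject", "company domain embedded in foreign domain " + ".".join(labels[-2:]))
    if any(company_label in label for label in labels):
        # companyx-support.com : registered separately, looks related, is not
        return ("reject", "lookalike domain containing '" + company_label + "'")
    return ("reject", "unrelated domain " + host)


def triage(urls):
    """Apply classify_link to a batch and return the rejected links with their reasons."""
    return [(u,) + classify_link(u) for u in urls if classify_link(u)[0] == "reject"]


# Constructed sample links of the kind a vishing caller might send
SAMPLE_LINKS = [
    "https://vpn.companyx.com/login",
    "vpn.companyx.com/login",
    "https://companyx-support.com/vpn",
    "https://companyx.com.evil.net/vpn",
    "https://companyx.com@evil.net/vpn",
    "https://support-companyx.net/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link), link)
```

The order of the checks matters: the userinfo test runs before the suffix test so that `companyx.com@evil.net` is caught even though the company name appears first in the address bar, and the suffix test uses `"." + company` so that `companyx.com.evil.net` is not mistaken for a subdomain.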
The Importance of a Well-Protected VPN
Attacks such as these are not arguments against having a VPN. They show how critical a well-protected virtual private network is to company security. If the VPN stays secure, criminals have a hard time breaking into the systems behind it. Authorized people can reach the company network wherever they are, and unauthorized people cannot. The encrypted tunnel keeps traffic from being read in transit.
While an authorized user is connected to the VPN, the company can log their activity and apply safeguards against accidental misuse or suspicious behavior, for example alerting when an account logs in from an address it has never used before. A properly secured VPN remains one of the most secure ways to enable remote access to a business network.
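As an added example of the logging safeguard mentioned above (not code from the advisory or the article), the script below runs two simple rules over VPN authentication records: a successful login from an address never seen for that user, and a second address for the same user within a few minutes of the previous success, which is what the real VPN sees when a relayed login is followed by the attacker's own connection. The log format, user names, addresses and baseline are constructed for the demonstration.

```python
"""Flag VPN logins that fit the pattern of a relayed or stolen credential.

Added example, not the advisory's. Log format, users, addresses, baseline and both rules are
assumptions; adapt LOG_RE to the real VPN's audit log.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

# Constructed log: alice normally connects from 198.51.100.20. At 14:02 the phishing proxy
# relays her credentials from 192.0.2.44; at 14:03 the attacker connects directly from 192.0.2.45.
SAMPLE_LOG = """\
2020-08-20T08:55:02Z vpn-auth user=alice result=success src=198.51.100.20
2020-08-20T09:10:41Z vpn-auth user=bob result=success src=203.0.113.7
2020-08-20T14:01:58Z vpn-auth user=bob result=failure src=203.0.113.7
2020-08-20T14:02:11Z vpn-auth user=alice result=success src=192.0.2.44
2020-08-20T14:03:30Z vpn-auth user=alice result=success src=192.0.2.45
2020-08-20T14:05:00Z vpn-auth user=bob result=success src=203.0.113.7
"""

# Assumed baseline: addresses each user has been seen from before today
KNOWN_SRC = {"alice": {"198.51.100.20"}, "bob": {"203.0.113.7"}}


def parse_log(text: str):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def detect(records, known_src, window: timedelta = timedelta(minutes=10)):
    """Two rules applied to successful logins only:
    new-src: source address never seen for this user
    two-src: a different address for the same user within `window` of the previous success
    """
    alerts = []
    last_success = {}
    for r in records:
        if r["result"] != "success":
            continue
        user, src = r["user"], r["src"]
        if src not in known_src.get(user, set()):
            alerts.append(("new-src", user, src, r["ts"]))
        prev = last_success.get(user)
        if prev and prev["src"] != src and r["ts"] - prev["ts"] <= window:
            alerts.append(("two-src", user, prev["src"] + "," + src, r["ts"]))
        last_success[user] = r
    return alerts


def run(text: str = SAMPLE_LOG, known_src=KNOWN_SRC):
    """Parse the log and return the list of (rule, user, src, timestamp) alerts."""
    return detect(parse_log(text), known_src)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the constructed log this yields three alerts, all for alice: two new-src hits and one two-src hit at 14:03:30. The new-src rule alone will also fire on ordinary travel, so in practice it is the combination with a second address inside the window, or with a help desk call logged at the same time, that deserves an immediate response.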