The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about a growing threat from criminals seeking to take advantage of people working from home and using a VPN or virtual private network. Apparently there's a growing threat from voice call phishing or "vishing" attacks targeting corporate VPNs.
One service that has been discovered lets customers hire a criminal ring to steal VPN credentials and other sensitive data from employees who are working remotely. The security alert says that in mid-July 2020, cybercriminals began vishing campaigns aimed at gaining access to employee tools at multiple companies, and ultimately at monetizing that access.
Methods the attackers are leveraging include registering phishing sites whose domains mimic the target company's name, often with hyphens inserted. The goal is to trick the user into entering credentials into fake support, ticket, or employee websites. Attackers then focus on new employees, trying to social engineer them into leaking credentials by impersonating staff, particularly employees from the company's IT help desk.
The cybercriminal groups perpetrating these attacks compile complete dossiers on new employees at the companies they are targeting by scraping data off of various public profiles available via social media, online recruiters, and marketing tools. They are also leveraging data gathered using publicly available background check services and open-source research. The attackers then use VoIP (Voice over IP) phone numbers to call target employees on personal cell phones and have used spoofed phone numbers of other offices and employees in the target company in order to trick these staff members.
In the instances where these attackers have impersonated company IT personnel, they've used personally identifiable information from the compiled dossiers, such as the employee's name, position, length of employment, and home address, to gain the trust of the victim. These attackers would then convince the employee that a new VPN link was being sent and that they were required to log in using any two-factor authentication codes or one-time passwords.
Attackers would use the employee's information in real time to gain access to corporate tools and the employee's account. By using the information in real time, any short-lived codes or passwords from 2FA tools would presumably still be valid. One suggestion from the advisory bulletin recommends that users verify that web links don't contain misspellings or the wrong domain before providing information. Remote workers could also check with other employees or superiors to confirm that the call is legitimate before giving out privileged information.
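The advisory's advice to check links for misspellings or a wrong domain can be turned into a simple screening check. The following is an added example, not code from the advisory or from either agency: it assumes a constructed company brand name (`examplecorp`) and allowlist of real company domains, and flags links whose domain is a hyphenated look-alike (the pattern the advisory describes), embeds the brand inside an unregistered domain, or is within a small edit distance of the brand. It does not consult a public-suffix list, so the "registrable domain" is approximated as the last two labels.

```python
from urllib.parse import urlparse

# Constructed values for this example: the company's real domains and brand name.
LEGIT_DOMAINS = {"examplecorp.com"}
BRAND = "examplecorp"
TYPO_DISTANCE = 2  # max edit distance treated as a probable misspelling


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list used)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(url: str, legit_domains=LEGIT_DOMAINS, brand=BRAND):
    """Classify a link as 'ok', 'suspicious' or 'unknown', with a reason string."""
    if "://" not in url:
        url = "https://" + url  # urlparse needs a scheme to split out the host
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname in link"

    # Exact match or a subdomain of an allowlisted domain is the only 'ok' outcome.
    if host in legit_domains or any(host.endswith("." + d) for d in legit_domains):
        return "ok", "host belongs to a registered company domain"

    reg = registrable_domain(host)
    # support-examplecorp.com, examplecorp-vpn.com: the hyphenated pattern from the advisory.
    if brand in reg and "-" in reg:
        return "suspicious", "hyphenated look-alike of the company brand"
    # examplecorp.com.evil.net, examplecorp.co: brand used somewhere it is not registered.
    if brand in host:
        return "suspicious", "company brand used inside an unregistered domain"
    # exampelcorp.com, examplec0rp.com: a near-miss spelling of the brand.
    first_label = reg.split(".")[0]
    if 0 < edit_distance(first_label, brand) <= TYPO_DISTANCE:
        return "suspicious", "probable misspelling of the company brand"
    return "unknown", "not a company domain and no look-alike pattern found"


if __name__ == "__main__":
    # Constructed sample links a user might be sent.
    for link in ("https://vpn.examplecorp.com/login",
                 "https://support-examplecorp.com/login",
                 "exampelcorp.com",
                 "https://examplecorp.com.evil.net/vpn",
                 "https://www.google.com"):
        print(link, "->", check_link(link))
```

A real deployment would use a public-suffix list for the registrable domain and the organisation's actual allowlist; the point of the check is that anything not on that allowlist is treated as at best "unknown", never "ok".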
Cybercriminals have increased their targeting of employees working from home during the coronavirus pandemic. In May, a phishing campaign was discovered that used malware-laden Excel spreadsheets claiming to offer coronavirus information.