There is an increase in voice phishing (vishing) attacks, in which hackers use the names of real employees in an attempt to trick victims into sharing login credentials and data over the phone.
According to Check Point Research, vishing attacks are targeting remote workforces with the aim of getting a person to share login credentials or sensitive data.
During the phone call, attackers imitate company representatives, often from finance, HR, IT or legal departments, and use social engineering techniques to trick victims into sharing account credentials or banking information. Attackers then use the information to steal the victim's funds and/or deliver destructive malware.
The warning from Check Point researchers follows a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, warning of a wave of vishing attacks targeting private sector companies in the US.
According to the advisory, threat actors typically call employees working from home to collect login credentials for corporate networks, which they later monetise by selling the access to other groups.
Recently, researchers at CPR were asked to investigate two vishing attacks against employees at an international corporation. The corporation received a total of 6 vishing phone calls within three months. Two of those phone calls are detailed below to better educate remote workers on the nature of vishing attacks.
The First Call
An attacker called the company's technical support centre via a publicly available number, requesting to speak with a representative. The attacker introduced herself as an existing company employee whose profile matched the caller's accent. During the call, the attacker requested the phone numbers of two other employees – both of them real company employees. The request was polite and accompanied by a spelling of the names, and shortly afterwards the caller suggested the recipient install TeamViewer – a remote control application – allegedly to help the recipient locate the desired phone number. We can assume that the caller was carefully selected to match the description of the employee used as cover, and that the attackers had verified that the employee was still working at the company.
Based on the area code, it appeared that the call originated from Miami. After further investigation, we discovered that the same phone number had been used and reported as phishing by users in Europe (the UK, Poland and Bulgaria) as well as in Asia (Singapore, the Philippines and Japan). Individuals reported that callers from the same number asked for the contact details of fellow employees. In total, the phone number was looked up 95 times in the past 120 days.
The Second Call
Similarly to the above incident, the attacker reached out to the company's technical support centre via a publicly available number, requesting to speak with a representative. In this case, the attacker used a broader cover story involving a major telecommunications company, and the representative was correspondingly more suspicious than before. This time, the attacker used a phone number with no known spam reports found online, associated with San Francisco. Below is a partial transcription of the call. All names have been replaced to protect the targets' identity.
"Vishing attacks are a growing cyber threat, alongside conventional phishing," says Lotem Finkelsteen, manager of threat intelligence at Check Point.
"The direct nature of the vishing call means the attacker controls the information channel and puts additional pressure on the target. We're seeing that more and more multi-staged cyber-attacks are incorporating vishing calls as part of their infection chains, for a number of reasons."
"One, vishing attacks help hackers in their reconnaissance phase, where they can learn more about their targets. Second, vishing attacks deepen the phishing phase, as combining a call with an SMS message deepens the deception, for example. Third, vishing attacks become the core of major cyber-attacks, such as deceiving victims to hand over 2FA codes sent over SMS, or to grant access to a certain system, which is what happened in the Twitter account hijacking earlier this year.
"Remote workers everywhere should learn to not overshare and to verify the authenticity of whoever they find themselves on the phone with."