FBI warns against vishing attacks targeting enterprises
Though the FBI vishing warning references attacks that began in December 2019, the alert is reminiscent of the Twitter social engineering attacks that took place last July.
Several months after the highly publicized Twitter attacks of last summer, social engineering and vishing are back in the spotlight.
A Jan. 14 Private Industry Notification (PIN) by the FBI’s Cyber Division warned of cybercriminals targeting employees at large U.S. and international companies using social engineering and vishing tactics. In these attacks, which the FBI said began in December 2019, threat actors called employees over VoIP platforms and convinced them to enter their corporate credentials on phishing sites.
“During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password,” the notification reads. “After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage.”
The PIN offered an example of an incident in which “cyber criminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cyber criminals.” Once the threat actors had the employee’s credentials, they logged into the company’s VPN and began the process of locating a higher-privilege individual.
Recommended mitigations by the FBI include using multifactor authentication, keeping new employees on a lower privilege level and actively scanning for unauthorized access. The bureau also recommended network segmentation and for administrators to be “issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.”
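The PIN’s advice to actively scan for unauthorized access is the one mitigation that turns into detection logic. Below is an added example (not FBI tooling and not from the PIN) that scans constructed VPN and account-activity log lines for the pattern the notification describes: a successful VPN login from a source the account has never used, logins outside working hours, an admin role granted to an account that is not on the admin list, and an admin account being used for email, which the two-account recommendation is meant to prevent. The log format, the baseline of known source addresses, the admin account list and the business-hours window are all assumptions made for the example.

```python
"""Scan constructed auth logs for indicators of vished credentials being used.

Added example; the log format, baseline and account lists are assumptions,
not anything published in the FBI notification.
"""
import re
from datetime import datetime

# Constructed log format: ISO-8601 timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Constructed baseline (assumption): source IPs each account has used before.
KNOWN_SOURCES = {
    "jdoe": {"198.51.100.20"},
    "asmith": {"198.51.100.21", "198.51.100.22"},
}
# Constructed list (assumption): the only accounts that may hold admin rights.
ADMIN_ACCOUNTS = {"adm-asmith"}
# Assumed working hours in UTC; logins outside this window are flagged.
BUSINESS_HOURS = range(7, 19)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("kv").split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    try:
        fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    return fields


def findings_for(event):
    """Apply the detection rules to one parsed event; return (rule, user, detail) tuples."""
    findings = []
    user = event.get("user", "")
    kind = event.get("event")
    if kind == "vpn_login" and event.get("result") == "success":
        src = event.get("src")
        # A successful VPN login from an address this account has never used.
        if src not in KNOWN_SOURCES.get(user, set()):
            findings.append(("new_source", user, src))
        # A successful VPN login outside the assumed working hours.
        if event["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", user, event["ts"].isoformat()))
    elif kind == "privilege_change" and event.get("role") == "admin":
        # Admin rights granted to an account that is not supposed to hold them.
        if user not in ADMIN_ACCOUNTS:
            findings.append(("unexpected_admin_grant", user, event.get("by")))
    elif kind == "mail_login" and user in ADMIN_ACCOUNTS:
        # Violates the two-account rule: the admin account is reading email.
        findings.append(("admin_account_used_for_mail", user, event.get("src")))
    return findings


def scan(lines):
    """Run every rule over every line and collect the findings."""
    results = []
    for line in lines:
        event = parse_line(line)
        if event:
            results.extend(findings_for(event))
    return results


# Constructed sample log: a normal login, then the vishing pattern (new source,
# off hours, self-granted admin), then an admin account used for mail.
SAMPLE_LOG = """\
2021-01-12T09:05:00Z user=jdoe src=198.51.100.20 event=vpn_login result=success
2021-01-12T22:41:00Z user=jdoe src=203.0.113.7 event=vpn_login result=success
2021-01-12T22:47:00Z user=jdoe event=privilege_change role=admin by=jdoe
2021-01-13T10:00:00Z user=adm-asmith src=198.51.100.21 event=mail_login
2021-01-13T10:02:00Z user=asmith src=198.51.100.22 event=vpn_login result=failure
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run as a script, it prints four findings for the sample: the off-hours login from an unseen address, the admin grant to a non-admin account, and the admin account reading mail; the failed login on the last line produces nothing. In a real deployment the baseline of known sources would come from historical logs rather than a hard-coded dict, and a failed-login counter per source would be a sensible fifth rule.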
SearchSecurity asked the FBI about the targeted industries and the number of attacks observed, but the bureau had not responded as of press time.
Last July, Twitter was attacked in one of the most significant vishing attacks in recent memory. The attackers posed as Twitter tech support staff and used social engineering tactics to gain access to internal Twitter systems as well as numerous high-profile accounts like former president Barack Obama and SpaceX founder and CEO Elon Musk. The attackers then tweeted Bitcoin scams from these compromised accounts and made off with over $100,000 in cryptocurrency.
And last August, the FBI and CISA issued an advisory referencing a vishing campaign that took place the previous month, though it did not directly reference Twitter. The advisory, like last week’s FBI PIN, warned that threat actors were taking advantage of the COVID-19 pandemic and increased VPN usage to vish employees and convince them to give up their login credentials.