Corporate VPN endangered by Voice Phishing attacks

Hacker making a phishing phone call

Phishing attacks have been present at every point in time for years, if not decades, now.

However, hackers and scammers are known for taking advantage of new opportunities, and COVID-19 has led to some huge ones. This week security researcher Brian Krebs revealed the extent of the issue.

With the pandemic still going strong, a lot of companies have opted to allow their workers to keep working from home, rather than expose themselves to the virus by travelling to and from their offices.

This has led to the need for workers to remotely connect to their companies' servers in order to use corporate resources and it's a situation that may become more of a permanent solution.

Naturally, this means that firms' resources and secrets are much more at risk of being exposed, and they're more available to crooks than ever before.

Krebs article highlights that criminals have started conducting phishing attacks against unsuspecting employees. Even though companies have employed corporate VPNs to try and protect themselves, scammers and hackers simply switched to a combination of voice phishing and phishing sites to steal VPN credentials, as well.

Multiple sources have confirmed that these hybrid phishing attacks have been growing in numbers. Even worse, they had a rather high success rate, which allowed them to start offering their services for hire.

Phishing attacks surge due to coronavirus

In the last six months, there were dozens, or maybe even hundreds of new phishing pages, which targeted some of the largest corporations in the world, According to experts, they are currently mostly focused on financial, social media, and telecommunications firms.

Allison Nixon, the Chief Research Officer at Unit 221B, a cyber investigation firm from New York, stated that these attacks have been highly effective.

They work by identifying remote workers and then call them on the phone. Once they answer, the phishers trick them into believing that they are working in the IT department of the victim's company.

They would claim that there are issues with the company's VPN and that the user needs to share their VPN credentials over the phone or input them on a webpage that the phishers would provide which looks identical to a real corporate page.

Of course, the webpage is a fake that the scammers have made to resemble the real one, and as soon as the victim enters their credentials, the scammers would get them and use them to break through the firms' defences.

Hackers are well-trained and organised

There are also security companies, such as ZeroFOX, that have been trying to work against this issue by helping customers detect this and respond to risks tied to various digital channels, such as social media.

Their officials noted that hackers tend to focus on newly-hired workers for their phishing attacks as they are more likely to fall for the ruse.

However, they also noted that hackers tend to go to extreme lengths to make the scams work.

For example, they often go as far as to create LinkedIn accounts for those they impersonate, just to make it more believable if the users were to investigate the supposed IT expert that is contacting them.

As for the pages that they create, their domains often end up using the companies' names in some way, usually with the additional terms such as 'employee,' ‘VPN,' ‘portal,' or ‘ticket.'

Sometimes, hackers will even add links to the companies' own internal online resources. That way, their scheme becomes that much more believable.

Now, regular voice phishing (vishing) attacks usually involve at least two scammers. One would target victims via the phone, while another would use any credentials that the first one had obtained to access the targeted firms' VPN platform quickly.

Companies have taken additional steps to protect their resources, so time is of the essence when it comes to these attacks, which is why conducting them immediately is necessary for them to work.

Experts have also noted that phishers would register domains at domain registrars that accept Bitcoin in order to increase their anonymity.

Furthermore, they register only a single domain per registrar account. That way, if the account was connected to a scam and shut down, only a single domain would suffer.

How can companies protect themselves?

Scammers have been extremely careful to cover all the details and for their campaigns to suffer minimal damage in case of a failure.

Further, it appears that they are all highly skilled, and experts suggest that the attackers may have years-worth of training when it comes to social engineering of employees at various social media and mobile firms.

Now, they use this knowledge to steal social media accounts and Bitcoin to re-sell and re-use them in a number of ways.

They leave little trace, although they have been known to ensure that they could access target companies' VPNs in the future, usually by making a new account once they get employees' login credentials.

As for what companies can do to protect themselves, their options are somewhat limited.

Even so, one of them may have enough potential to put a stop to these scams, and that is to use physical security keys, located on USB-based devices such as the Yubikey.

Google claims to have had great success since introducing physical keys claiming they “have had no reported or confirmed account takeovers since implementing security keys”.

Using such devices means the employee would only be able to access the company's resources if they have one of these USB devices, while the scammers would not be able to get to them, apart from physically stealing them.

Ali Raza

Author: Ali Raza

Ali is a journalist with a keen interest in VPN usage. He is an expert in the field and has been covering VPN related topics for VPNCompare and numerous well-respected publications for many years.

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter

Get the latest privacy news, expert VPN guides & TV unblocking how-to’s sent straight to your inbox.