Voice Phishers Targeting Corporate VPNs – Krebs on Security

The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees. According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or “bounties,” where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.

These pages are designed to trick users into revealing sensitive information like passwords, credit card details, and other personal data. The phishing pages are often disguised as legitimate websites, using similar branding, logos, and even mimicking the website’s layout and design. This makes them incredibly difficult to spot for unsuspecting users.

1. **Initial Contact:** The phisher will call employees working remotely and pose as a representative from the IT department. They will explain that they’re calling to help troubleshoot issues with the company’s VPN technology.
2. **Request for Information:** The phisher will then ask for sensitive information, such as usernames, passwords, or other credentials.

This tactic is particularly effective because it allows them to gain access to sensitive information and systems, often without raising suspicion. The summary provided focuses on the new hire phishing attack. Let’s expand on this topic and explore the tactics, techniques, and procedures (TTPs) used by attackers in this specific type of attack.

**Phishing Attacks Targeting New Hires**

Phishing attacks are a common and effective method for attackers to gain access to sensitive information and systems.

SPEAR VISHING

The domains used for these pages often invoke the company’s name, followed or preceded by hyphenated terms such as “vpn,” “ticket,” “employee,” or “portal.” The phishing sites also may include working links to the organization’s other internal online resources to make the scheme seem more believable if a target starts hovering over links on the page. Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: one who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real time.
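The naming pattern Allen describes (company name plus hyphenated “vpn,” “ticket,” “employee,” or “portal”) is easy to watch for in a feed of newly registered domains. The following triage script is an added example, not code from the article or from any of the sources quoted; the company name “Acme”, the sample feed and the hyphen-only matching rule are assumptions.

```python
import re

# Hyphenated terms the article reports alongside the company name in these vishing domains.
LURE_TERMS = frozenset({"vpn", "ticket", "employee", "portal"})

def registrable_label(domain):
    """Return the label left of the public suffix, e.g. 'acme-vpn' for 'acme-vpn.com'.
    Simplification (assumption): multi-part suffixes such as co.uk are not handled,
    and subdomains such as vpn.acme.com reduce to 'acme', so they are not flagged."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def matches_vishing_pattern(domain, company):
    """Return the lure terms hyphenated onto the company name, or [] when the label
    is not the company name plus one or more LURE_TERMS joined by hyphens."""
    label_tokens = [t for t in registrable_label(domain).split("-") if t]
    company_tokens = [t for t in re.split(r"[\s-]+", company.lower()) if t]
    n = len(company_tokens)
    for i in range(len(label_tokens) - n + 1):
        if label_tokens[i:i + n] != company_tokens:
            continue
        rest = label_tokens[:i] + label_tokens[i + n:]
        if rest and all(t in LURE_TERMS for t in rest):
            return rest
    return []

def flag_domains(domains, company):
    """Triage a feed of new domains; returns (domain, lure_terms) for each hit."""
    hits = []
    for d in domains:
        terms = matches_vishing_pattern(d, company)
        if terms:
            hits.append((d, terms))
    return hits

# Constructed sample feed (not real registrations) for a fictional company "Acme".
SAMPLE_FEED = [
    "acme-vpn.com", "vpn-acme-portal.net", "acme.com",
    "acme-sales.com", "acmevpn.com", "employee-acme.org",
]

if __name__ == "__main__":
    for domain, terms in flag_domains(SAMPLE_FEED, "Acme"):
        print(f"{domain}: company name plus {terms}")
```

Because, as Allen notes later in the article, these domains are registered well before they go live, a hit is a reason to pre-stage blocking and to brief the help desk rather than proof of an active attack.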

This means that attackers can potentially compromise both the VPN and the MFA, leading to a successful breach. The summary provided highlights a critical security vulnerability in the current cybersecurity landscape. Let’s delve deeper into this vulnerability and its implications.

**The Vulnerability: A Combined Attack**

The core of the vulnerability lies in the combination of two security measures: VPNs and multi-factor authentication (MFA).

**A. The Rise of Sophisticated Phishing Attacks**

Phishing attacks are becoming increasingly sophisticated, with attackers using advanced techniques to deceive employees into revealing sensitive information. These attacks often target specific individuals or departments within an organization, aiming to exploit their unique knowledge and access. Phishing attacks can be categorized into different types, including spear phishing, whaling, and generic phishing.

This statement highlights the importance of domain diversification in cybersecurity. **Domain diversification** is a strategy where a company or organization uses multiple domains to host its website and other online assets. This approach helps to mitigate the risk of a single attack targeting all of their online presence.

“They’ll only boot up the website and have it respond at the time of the attack,” Allen said. “And it’s super frustrating because if you file an abuse ticket with the registrar and say, ‘Please take this domain away because we’re 100 percent confident this site is going to be used for badness,’ they won’t do that if they don’t see an active attack going on. They’ll respond that according to their policies, the domain has to be a live phishing site for them to take it down. And these bad actors know that, and they’re exploiting that policy very effectively.”

The School of Hacks, a group of hackers who specialize in phishing attacks, has been active since at least 2018. They are known for their sophisticated and targeted attacks, often employing social engineering techniques to trick victims into revealing sensitive information. The School of Hacks has been linked to several high-profile cyberattacks, including the 2018 SolarWinds attack, which targeted the US government and other critical infrastructure organizations.

Here’s a breakdown of the evolving landscape of social media account takeover attacks:

**1. Shifting Focus from Resale to Direct Monetization:**
* **Initial motivations:** The initial motivation behind these attacks was to gain access to high-value accounts for resale. These accounts often possessed large followings and could be leveraged to amplify messages, spread misinformation, or manipulate stock prices.

“A lot of people just shut their brains off when they hear the latest big hack wasn’t done by hackers in North Korea or Russia but instead some teenagers in the United States,” Nixon said. “When people hear it’s just teenagers involved, they tend to discount it. But the kinds of people responsible for these voice phishing attacks have now been doing this for several years. And unfortunately, they’ve gotten pretty advanced, and their operational security is much better now.”

PROPER ADULT MONEY-LAUNDERING

While it may seem amateurish or myopic for attackers who gain access to a Fortune 100 company’s internal systems to focus mainly on stealing bitcoin and social media accounts, that access — once established — can be re-used and re-sold to others in a variety of ways.

“They’re not just hackers, they’re mercenaries.”

This statement by former U.S. President Richard Nixon, made in 1973, is a powerful indictment of the burgeoning cyber underworld. It highlights the growing sophistication and ruthlessness of cybercriminals, who are increasingly blurring the lines between legitimate hacking and malicious cyberattacks. The rise of cyber mercenaries has been fueled by several factors.

“What we see now is this group is really good on the intrusion part, and really weak on the cashout part,” Nixon said. “But they are learning how to maximize the gains from their activities. That’s going to require interactions with foreign gangs and learning how to do proper adult money laundering, and we’re already seeing signs that they’re growing up very quickly now.”

WHAT CAN COMPANIES DO?

Many companies now make security awareness and training an integral part of their operations. Some firms even periodically send test phishing messages to their employees to gauge their awareness levels, and then require employees who miss the mark to undergo additional training.

**Phishing Attacks: A New Threat for New Employees**

**Phishing Attacks:**

* Phishing attacks are becoming increasingly sophisticated and prevalent.
* New employees are particularly vulnerable to phone-based phishing attacks.
* These attacks often involve impersonation of legitimate companies or individuals.

The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet. In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.
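The reason the second factor cannot be relayed is that the browser, not the user, writes the page’s real origin into the data the security key signs, and it will not use the key for an application identifier that does not belong to that origin. The simulation below is an added example, not code from the article or from any U2F implementation: the employer’s origin, the challenge value and the HMAC stand-in for the key’s ECDSA signature are assumptions, and the facet check is reduced to an exact origin match.

```python
import hashlib
import hmac
import json

RP_ORIGIN = "https://vpn.example.com"                # the employer's real login origin (constructed)
KEY_SECRET = b"constructed-per-registration-secret"  # stands in for the key pair made at enrolment

def authenticator_sign(app_id, client_data):
    """Toy authenticator. Real U2F signs the application parameter (SHA-256 of the appId)
    and the challenge parameter (SHA-256 of the client data) with a per-registration
    ECDSA key; HMAC-SHA256 over the same two hashes stands in here (assumption)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data.encode()).digest()
    return hmac.new(KEY_SECRET, app_param + challenge_param, hashlib.sha256).digest()

def browser_assert(page_origin, requested_app_id, challenge):
    """The browser builds the client data from the origin it is actually on and refuses
    to touch the key unless the requested appId belongs to that origin (simplified
    U2F facet check: exact match). The user never gets to type the origin in."""
    if requested_app_id != page_origin:
        return None
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}, sort_keys=True)
    return client_data, authenticator_sign(requested_app_id, client_data)

def rp_verify(expected_challenge, client_data, signature):
    """The relying party checks origin and challenge inside the signed client data,
    then checks the signature under its own appId."""
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != expected_challenge:
        return False
    return hmac.compare_digest(authenticator_sign(RP_ORIGIN, client_data), signature)

def login_outcome(page_origin, requested_app_id, challenge="constructed-challenge-1"):
    """Outcome of one login in which the RP's challenge was presented on page_origin."""
    response = browser_assert(page_origin, requested_app_id, challenge)
    if response is None:
        return "browser refused"
    client_data, signature = response
    return "accepted" if rp_verify(challenge, client_data, signature) else "rejected"

if __name__ == "__main__":
    lookalike = "https://example-vpn-portal.com"   # constructed impostor origin
    print(login_outcome(RP_ORIGIN, RP_ORIGIN))        # accepted
    print(login_outcome(lookalike, RP_ORIGIN))        # browser refused
    print(login_outcome(lookalike, lookalike))        # rejected
```

Contrast this with a one-time code, which carries no origin at all and verifies just as well whether the user typed it into the real site or into a relay.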

This key is a small, USB-connected device that can be used to authenticate users to websites and applications. Yubico’s U2F Yubikey is a popular choice for businesses and individuals alike. It is a highly secure and convenient way to protect your online accounts. Here’s a breakdown of how the Yubico U2F Yubikey works:

“The truth is some companies are in a lot of pain right now, and they’re having to put out fires while attackers are setting new fires,” she said. “Fixing this problem is not going to be simple, easy or cheap. And there are risks involved if you somehow screw up a bunch of employees accessing the VPN. But apparently these threat actors really hate Yubikey right now.”
