FBI Warns About Corporate Accounts Credentials Stealing Via Vishing Attacks


The FBI (Federal Bureau of Investigation) has released a warning about ongoing vishing attacks that aim to obtain corporate account login credentials from employees, which the attackers then use to access the company network and escalate privileges. A vishing attack (also known as voice phishing) is a social engineering attack in which the victim is tricked over a phone or voice call into handing over confidential data such as account details or login credentials; it generally relies on manipulating emotions such as fear, greed or sympathy.

A Private Industry Notification (PIN) released on Friday indicated that the bad actors are using VoIP (Voice over Internet Protocol) platforms to attack employees of companies around the globe, regardless of their position. The PIN explains that “Cyber criminals are focusing their operations to target employees of companies worldwide who maintain network access and an ability to escalate network privilege. During COVID-19 shelter-in-place and social distancing orders, many companies had to quickly adapt to changing environments and technology. With these restrictions, network access and privilege escalation may not be fully monitored. As more tools to automate services are implemented on companies’ networks, the ability to keep track of who has access to different points on the network, and what type of access they have, will become more difficult to regulate.”

The targeted employees are persuaded to log in to a phishing web page, and as soon as they do, their usernames and passwords are captured by the attacker. With the stolen credentials the attacker gains a foothold on the network and uses the breached accounts to escalate privileges. That access in turn lets them reach larger and more sensitive parts of the organization’s network, and compromising those causes financial loss. The report mentioned “The cybercriminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cybercriminals used a chatroom messaging service to contact and phish this employee’s login credentials.”

This is the second warning about the rising number of vishing attacks that the FBI has issued since the pandemic started. A previous advisory was released jointly by the FBI and CISA (Cybersecurity and Infrastructure Security Agency) in August 2020; it warned of vishing attacks against employees working remotely, mainly at organizations in various US industrial sectors. In the attacks around August, the attackers created malicious mirror websites that looked exactly like the companies’ VPN login pages. Tricking employees in this manner allowed them to capture OTPs and pass multi-factor authentication. In the course of these attacks the attackers also took control over the targeted employees’ mobile phones, which let them bypass multi-factor authentication or OTPs and made SIM swap attacks possible.

The report also shared a few mitigation recommendations for employees and their companies to reduce the risk of such vishing (voice phishing) attacks. The recommendations are:

  • Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
  • When new employees are hired, network access should be granted on the least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network. 
  • Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
  • Network segmentation should be implemented to break up one large network into multiple smaller networks which allow administrators to control the flow of network traffic.
  • Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.
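The two monitoring-related recommendations above (periodic review of network access, and actively watching for unauthorized access or modifications) map naturally onto a small audit-log check. The following Python script is an added example, not code from the FBI notification or from any vendor: it runs over a constructed set of audit events and a constructed privileged-account inventory, flags sensitive account-administration actions (e-mail or username changes, privilege grants, the kind of actions the report says the attackers were hunting for) that follow a login from an IP address not previously seen for that account, flags self-granted privileges, and lists admin accounts whose access review is overdue. The event format, the `KNOWN_IPS` map and the 90-day review period are assumptions for the example.

```python
"""Flag risky account-administration activity and overdue access reviews.

Added example with constructed data; the log format and thresholds are
assumptions, not part of the FBI notification.
"""
from datetime import datetime, timedelta

# Constructed sample audit events: (time, actor, action, target, source IP).
SAMPLE_EVENTS = [
    ("2021-01-15T09:02:11", "alice", "login_success", "-", "10.1.4.22"),
    ("2021-01-15T09:30:40", "alice", "email_change", "bob", "10.1.4.22"),
    ("2021-01-15T13:10:05", "carol", "login_success", "-", "198.51.100.7"),
    ("2021-01-15T13:14:50", "carol", "email_change", "dave", "198.51.100.7"),
    ("2021-01-15T13:16:02", "carol", "privilege_grant", "carol", "198.51.100.7"),
    ("2021-01-16T08:00:00", "erin", "privilege_grant", "frank", "10.1.4.40"),
]

# Constructed baseline: IP addresses each account has historically logged in from.
KNOWN_IPS = {
    "alice": {"10.1.4.22"},
    "carol": {"10.1.4.31"},
    "erin": {"10.1.4.40"},
}

# Constructed privileged-account inventory: account -> (role, last access-review date).
SAMPLE_INVENTORY = {
    "alice": ("admin", "2020-12-20"),
    "carol": ("admin", "2020-09-01"),
    "erin": ("admin", "2021-01-10"),
    "frank": ("user", "2020-06-01"),
}

# Actions an attacker with stolen credentials would use to widen their access.
SENSITIVE_ACTIONS = {"email_change", "username_change", "privilege_grant"}
WINDOW = timedelta(hours=1)  # assumed correlation window


def parse_events(events):
    """Convert ISO timestamps to datetime objects so events can be ordered."""
    return [(datetime.fromisoformat(t), actor, action, target, ip)
            for t, actor, action, target, ip in events]


def detect(events, known_ips, window=WINDOW):
    """Return (actor, reason, time, ip) alerts for suspicious activity."""
    alerts = []
    last_new_ip_login = {}  # actor -> time of most recent login from an unrecognised IP
    for t, actor, action, target, ip in sorted(parse_events(events)):
        if action == "login_success":
            if ip not in known_ips.get(actor, set()):
                last_new_ip_login[actor] = t
                alerts.append((actor, "login from unrecognised IP", t, ip))
            continue
        if action not in SENSITIVE_ACTIONS:
            continue
        # An account granting privileges to itself is never normal administration.
        if action == "privilege_grant" and target == actor:
            alerts.append((actor, "self-granted privilege", t, ip))
        # Sensitive change shortly after a login from a new IP: classic post-phish pattern.
        t0 = last_new_ip_login.get(actor)
        if t0 is not None and t - t0 <= window:
            alerts.append((actor, f"{action} within {window} of unrecognised-IP login", t, ip))
    return alerts


def stale_privileged_accounts(inventory, today, max_age_days=90):
    """Return admin accounts whose last access review is older than max_age_days."""
    cutoff = datetime.fromisoformat(today) - timedelta(days=max_age_days)
    return sorted(acct for acct, (role, reviewed) in inventory.items()
                  if role == "admin" and datetime.fromisoformat(reviewed) < cutoff)


if __name__ == "__main__":
    for actor, reason, when, ip in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{when.isoformat()} {actor:6} {ip:14} {reason}")
    print("overdue access reviews:", stale_privileged_accounts(SAMPLE_INVENTORY, "2021-01-16"))
```

On the sample data only `carol` trips the detector: a login from an address never seen for that account, followed within minutes by an e-mail change for another user and a privilege grant to herself. `alice` performs the same e-mail change from her usual address and is not flagged, which is the point of correlating the sensitive action with the login context rather than alerting on every change. The baseline of known IPs and the review dates would come from a real directory or SIEM in practice.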
