September 3, 2020

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a statement regarding an uptick in Vishing Attacks since the Covid-19 pandemic began.

The campaign appears to be very well organized and attacking people indiscriminately. They’re using unattributed VoIP phone numbers and spoofing technology to hose people left and right across the country.

There seems to be a level of commonality in the attacks. The sneaky dickens have been registering look-alike domains for established services/businesses, creating duplicates of the company’s internal VPN login page and capturing the credentials entered there.

Attackers are even obtaining SSL certificates for the domains they register.

No specific URLs were given, but here’s the basic format:

  • support-[company]
  • ticket-[company]
  • employee-[company]
  • [company]-support
  • [company]-okta

What can a business do to protect itself?

  • Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
  • Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
  • Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Employ the principle of least privilege and implement software restriction policies, or other controls; monitor authorized user access and usage.
  • Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
  • Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
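The naming patterns listed earlier and the domain-monitoring recommendation above can be combined into a simple watchlist check over a feed of newly observed hostnames. This is an added example, not code from the post or from Integris; the brand name, the sample feed and the single-label TLD handling are assumptions.

```python
# Label-level naming patterns reported in the advisory; "{c}" is the brand.
PATTERNS = ["support-{c}", "ticket-{c}", "employee-{c}", "{c}-support", "{c}-okta"]


def lookalike_labels(company):
    """Return the set of registrable labels the advisory's patterns produce."""
    c = company.lower()
    return {p.format(c=c) for p in PATTERNS}


def registrable_label(domain):
    """Return the label directly left of the TLD, or None for a bare label.
    Assumption for this example: single-label TLDs such as .com or .net;
    a real deployment would use a public-suffix list for .co.uk and similar."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2]


def flag_lookalikes(company, observed_domains):
    """Return (hostname, reason) pairs for hostnames whose registrable label
    matches one of the advisory's patterns. Subdomains of the company's own
    domain (e.g. support-example.example.com) are not flagged because their
    registrable label is the company's real one."""
    watch = lookalike_labels(company)
    hits = []
    for host in observed_domains:
        label = registrable_label(host)
        if label in watch:
            hits.append((host, "pattern:" + label))
    return hits


# Constructed sample of hostnames as they might arrive from a certificate
# transparency or newly-registered-domain feed (not real observations).
SAMPLE_FEED = [
    "vpn.example.com",               # the company's real VPN host
    "support-example.example.com",   # real subdomain, must not be flagged
    "support-example.com",           # matches support-[company]
    "www.EMPLOYEE-Example.net",      # matches employee-[company], mixed case
    "example-okta.org",              # matches [company]-okta
    "examplesupport.com",            # not one of the advisory's patterns
    "ticket-other.com",              # different brand
]

if __name__ == "__main__":
    for host, reason in flag_lookalikes("Example", SAMPLE_FEED):
        print(host, reason)
```

Feed the function from a certificate-transparency or new-domain source in your own tooling; the hits are candidates for review, not proof of malicious registration.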

What can an end-user do to protect themselves?

  • Verify web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you’re comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

Carl Keyser is a Digital Marketing Specialist at Integris.