As if these times weren’t sufficiently challenging without creative criminals, it’s time for the introduction of a new bad word/cybercrime called vishing. Late last week, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory to address a new wrinkle in cybercrime—that of vishing—a problem that has been exacerbated by the large number of people who are working remotely in the COVID-19 environment.
Entitled “Cyber Criminals Take Advantage of Increased Telework through Vishing Campaign,” the advisory was issued to warn enterprises of the increased presence of voice phishing, or vishing, activity. These attacks have increased significantly as ever-larger numbers of employees have been working from remote locations. Specifically, vishing is defined as “any message—such as an email, text, phone call, or direct-chat message—that appears to be from a trusted source, but isn't,” according to the Norton definition.
The goal of the sophisticated cybercriminals behind this relatively new twist is to gain access to enterprise-sensitive information and then sell that access. With just enough knowledge gained from what the advisory calls “mass scraping of public profiles on social media platforms” to identify soft targets, these cyber crooks get to work.
As is well known in the security world, employees are often the most vulnerable and most valuable target for those who wish to perpetrate fraud against a single enterprise, and all the more so against giant enterprises. For those on a “vishing expedition,” employees are the definition of a prime catch.
Before contacting enterprise insiders, cybercriminals create fake profiles and spoofed numbers, so that when these masqueraders reach out and touch unsuspecting employees, the callers look legit to any reasonable employee or contractor. When a call from Ms. X from the enterprise security office comes in (often over a VoIP-based configuration where a number can be spoofed without great hardship), it’s normally answered. Once the bad guy, masquerading as the good guy, reaches the target, he or she poses carefully scripted questions to the call recipient. As a result, once the caller seems legit, otherwise unsuspecting employees have disclosed seemingly appropriate—but sensitive—information to the bad guys (the keywords here are “seems” and “seemingly”).
Employees and authorized contractors—particularly those new to the enterprise—are often directly targeted because they have less knowledge about the organization, its inner workings and security practices, and are thus more likely to fall for what seems real. Currently, since many of these employees are working remotely, there is a greater risk that additional security protocols that exist in the actual workplace do not exist at home.
In a particularly brazen (and slimy IMHO) move, according to a recent article from former Washington Post reporter and security expert Brian Krebs (see Krebs on Security), a subgroup of “vishermen” is offering to go one step beyond. That is, this group is marketing a service that takes information obtained from one-on-one phone calls and combines it with knowledge culled from highly sophisticated phishing sites to actually “steal VPN credentials from employees.” Further, the group pays bounties for such information, and the service has been used by enterprises—including some very large and well-known entities—to obtain valuable information from competitors’ employees. Thus far, the industries targeted have been financial, telecommunications and social media companies, but like a contagious illness, this technique is likely to spread.
With these risks heightened by the pandemic, enterprises are well-advised to make sure that employees, contractors, and guests understand in-house security policies, particularly concerning seemingly random contact from the outside. Additionally, many enterprises have taken the step of periodically sending out test phishing or vishing messages to employees to check whether they respond, or decline to respond, as policy requires.
Also, the FBI/CISA Cybersecurity Advisory issued jointly last week includes the following six recommendations for end users to consider in this environment:
- Verify that web links do not have misspellings or contain the wrong domain name.
- Bookmark the correct corporate VPN URL and avoid alternative URLs simply because a caller who sounds legit suggests one.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from what appears to be a legitimate organization. Do not provide personal or enterprise information, including details of its structure or networks, unless you are certain of the caller’s identity and authority to have that information. If you're unsure, verify the caller’s information with the company itself.
- If you receive a vishing call, document the phone number as well as the domain that the caller tried to send you to, and relay this information to law enforcement ASAP.
- Limit the amount of personal information posted on social networking sites. How many times have you seen this warning?
- Evaluate security and privacy settings to make sure that the choices in place remain appropriate.
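The first two tips ask the user to eyeball a link for misspellings or a wrong domain before trusting it over a bookmarked VPN URL. The Python below, an added example that is not part of the advisory or this article, makes that check mechanical: it compares a suggested URL against the bookmarked host and names the kind of mismatch. The host vpn.example-corp.com and all sample URLs are constructed for illustration.

```python
"""Compare a URL a caller "suggests" against the bookmarked corporate VPN host.

Added example, not code from the FBI/CISA advisory or from this article.
EXPECTED_VPN_HOST and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

EXPECTED_VPN_HOST = "vpn.example-corp.com"  # assumption: the bookmarked VPN host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_vpn_url(url: str, expected_host: str = EXPECTED_VPN_HOST) -> str:
    """Return "ok" for the bookmarked host, else a short reason to distrust the link."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    if parts.scheme != "https":
        return "not-https"
    if host == expected:
        return "ok"
    # IDN homograph: a label encoded as punycode hides non-ASCII look-alike letters
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-lookalike"
    # Real host name placed in front of another domain: vpn.example-corp.com.evil.net
    if host.startswith(expected + "."):
        return "expected-host-as-prefix"
    # Same name under a different TLD: vpn.example-corp.net
    if host.rsplit(".", 1)[0] == expected.rsplit(".", 1)[0]:
        return "wrong-tld"
    # Small typo or punctuation swap: vpn.exanple-corp.com, vpn-example-corp.com
    if levenshtein(host, expected) <= 2:
        return "misspelled-lookalike"
    return "wrong-domain"


if __name__ == "__main__":
    for sample in ("https://vpn.example-corp.com/login",
                   "https://vpn.example-corp.com.evil.net/login",
                   "https://vpn-example-corp.com/"):
        print(sample, "->", check_vpn_url(sample))
```

Any verdict other than "ok" is a reason to use the bookmark instead and to record the suggested domain for reporting, as tip four recommends.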
As always, the best advice is to be ever-vigilant about privacy and in-house data security issues. The bad guys are coming at it from all angles, and the best defense, in this case, is good planning and ongoing monitoring. For additional tips and suggestions on avoiding social engineering and phishing attacks, see this related article, “Avoiding Social Engineering and Phishing Attacks.”