Information theft tactics are becoming more sophisticated, and cybercriminals are constantly looking for ways to extract information. Learn about vishing and how to avoid it.
Since the beginning of the COVID-19 pandemic, companies have been forced to give up certain security standards when implementing telework. These standards include in-person verification of a worker’s identity, as well as the use of VPNs to access important information stored in company databases. For this reason, the Federal Bureau of Investigation (FBI) and the Infrastructure Security and Cybersecurity Agency (CISA) have jointly issued an alert warning of the imminent threat of vishing, directed especially at companies and their teleworking arrangements.
Likewise, St. Paul University Quezon City, in its article on “the cyber-pandemic”, points out that political efforts to stop cyber-attacks have not been successful. As a result, cyber-criminals have taken advantage of the increasing amount of time that workers spend online to perpetrate their attacks.
What is Vishing?
Vishing has been a wave of attacks, combined with email, that target employees of teleworking corporations in order to trick them into granting access that the criminals can then profit from. The criminals carry out these attacks through a combination of individual phone calls and web pages created specifically for vishing.
These criminals make individual phone calls in which they impersonate the organization’s IT service workers, focusing mainly on new recruits as social engineering targets. They can also combine this technique with others such as smishing, which uses text messages carrying links to malicious websites, email addresses or phone numbers.
According to the security organizations mentioned above, the perpetrators use unattributed Voice over Internet Protocol (VoIP) numbers to call workers on their personal cell phones, and later spoof the numbers of other offices and employees of the victim company. Using employees’ stolen personal information, this cyber-criminal organization drew on data such as the name, position, time at the company and home address of other employees of the victim organization.
This was done to build trust with the employees; the attackers then send the target a new VPN link and require them to log in, including any 2FA or OTP. The attacker records the information provided by the employee and uses it in real time to access the company’s tools through the employee’s account. In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the access previously granted to the fake help desk. Perpetrators use the information obtained to carry out further attacks.
Vishing and health companies
On March 23, 2020, the Digital Watch website reported that Hammersmith Medicines Research, a British company that had been testing the Ebola vaccine and was awaiting medical trials of any COVID-19 vaccine, was attacked: the criminals managed to exfiltrate patient records and posted some of them online.
The World Health Organization (WHO) warned about suspicious emails that try to take advantage of the COVID-19 emergency to steal money and sensitive information by posing as the WHO. According to the BBC news website, on June 1 a group of hackers known as NetWalker extorted more than $1 million from a U.S. university that was researching the COVID-19 vaccine. The extortion was conducted on the dark web, where the group threatened to publish student files and other internal university information. Cyber security experts say that fraudulent negotiations of this kind are being carried out all over the world, sometimes for larger sums of money, which goes against the advice of security organizations such as the FBI and Europol.
Some tips to protect against vishing
The aforementioned article, written by St. Paul University Quezon City, included a series of tips that can be implemented to reduce the threat of these vishing attacks. They are the following:
For the user:
- Secure your home network.
- Manage your social network profiles.
- Verify privacy settings.
- Back up your files, both online and offline, in a secure manner.
- Avoid opening suspicious emails and attachments; delete them instead.
- Beware of unsolicited phone calls or emails from people asking about employees or other classified information.
- Do not provide your personal data, or information about your organization, including its structure or networks, in response to suspicious COVID-19 emails and messages unless you have checked the source and are sure of it.
- Learn about COVID-19 from trusted government and other legitimate websites.
- Do not disclose personal or organizational information in e-mail.
- If you plan to donate funds to a charitable cause, make sure the campaign you wish to donate to is legitimate.
- Don’t send sensitive information over the Internet before checking the security of a website. Look at the URL and make sure it starts with https, which shows that the connection to the site is encrypted, or look for the lock icon next to the URL, which indicates the same thing.
- Contact your company if you are concerned that an email you have received is fake.
- Install and keep updated good antivirus software, firewalls and email filters to reduce the number of these malicious emails.
- Use strong passwords that combine uppercase, lowercase, numbers and special characters.
Tips for the administrator:
- Keep the server operating system and any software running on your website up to date, as this is important for keeping your site safe.
- Use strong passwords to protect all user accounts in the organization.
- Avoid uploading files that may contain a script which, when executed on your server, could completely expose your website.
- Use HTTPS, a protocol that provides security over the Internet.
- Obtain website security tools and services, such as penetration testing.
- Prepare and update an incident response plan and a computer security policy.
The Federal Bureau of Investigation (FBI) and the Infrastructure Security and Cybersecurity Agency (CISA) also have a series of tips to mitigate these attacks; some of them are:
Advice for the organization:
- Restrict VPN connections only to managed devices, using mechanisms such as hardware checks or installed certificates.
- Restrict VPN access hours, so that suspicious access outside established hours is denied.
- Monitor domains to detect the creation of new domains or changes to existing ones.
- Keep a constant eye on web applications to detect unauthorized access, modifications or unusual activity.
- Consider using an authentication process for employee-to-employer communications over the public telephone network, where a second factor is used to authenticate the phone call before confidential information can be discussed.
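The organization-side advice above, together with the real-time 2FA/OTP relay described earlier, can be turned into a simple access-policy check over VPN login events. The following is an added example written for this article; it is not code from the article, the FBI or CISA. The event fields, the certificate issuer name, the allowed hours, the per-user address baseline and all sample events are constructed placeholders.

```python
"""Evaluate VPN login events against a policy modelled on the advice
above: only managed devices (identified by a client certificate) may
connect, access is limited to approved hours, and a login from an
address the user has never used is flagged.  A push-style MFA approval
combined with one of those findings matches the real-time relay
described earlier, where the victim approves a prompt that the
attacker's own login triggered.

Added example; not code from the article, FBI or CISA.  The event
fields, issuer name, hours and sample events are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set


@dataclass
class VpnEvent:
    user: str
    timestamp: datetime                 # local time of the login attempt
    source_ip: str
    client_cert_issuer: Optional[str]   # None: device presented no certificate
    mfa_method: str                     # "push", "totp" or "hardware_token"


@dataclass
class Policy:
    managed_cert_issuer: str = "CN=Corp Device CA"   # constructed issuer name
    allowed_start: time = time(7, 0)
    allowed_end: time = time(20, 0)


def evaluate(event: VpnEvent, policy: Policy,
             known_ips: Dict[str, Set[str]]) -> List[str]:
    """Return the policy findings for one event; an empty list means allowed."""
    findings: List[str] = []
    # managed devices only: the attacker's machine has no corporate certificate,
    # so a relayed password plus OTP is still not enough to connect
    if event.client_cert_issuer != policy.managed_cert_issuer:
        findings.append("unmanaged-device")
    # restricted access hours
    if not policy.allowed_start <= event.timestamp.time() <= policy.allowed_end:
        findings.append("outside-allowed-hours")
    # login from an address this user has never connected from before
    if event.source_ip not in known_ips.get(event.user, set()):
        findings.append("new-source-ip")
    # a push approval from an unknown device or address: possible MFA relay
    if event.mfa_method == "push" and (
        "unmanaged-device" in findings or "new-source-ip" in findings
    ):
        findings.append("possible-mfa-relay")
    return findings


def triage(events: List[VpnEvent], policy: Policy,
           known_ips: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map 'user@timestamp' to findings for every event that has any."""
    result: Dict[str, List[str]] = {}
    for e in events:
        f = evaluate(e, policy, known_ips)
        if f:
            result[f"{e.user}@{e.timestamp.isoformat()}"] = f
    return result


POLICY = Policy()
# constructed baseline of addresses each user normally connects from
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.22"},
             "carol": {"198.51.100.9"}}
# constructed sample events: a normal login, a late-night login from an
# unmanaged device with a push approval, and a daytime push approval from
# a managed device at an address carol has never used
SAMPLE_EVENTS = [
    VpnEvent("alice", datetime(2020, 8, 20, 9, 15), "198.51.100.7",
             "CN=Corp Device CA", "totp"),
    VpnEvent("bob", datetime(2020, 8, 20, 22, 40), "203.0.113.45",
             None, "push"),
    VpnEvent("carol", datetime(2020, 8, 20, 10, 0), "203.0.113.88",
             "CN=Corp Device CA", "push"),
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_EVENTS, POLICY, KNOWN_IPS).items():
        print(key, "->", ", ".join(findings))
```

In a real deployment the certificate check would be enforced by the VPN gateway itself rather than by an after-the-fact script; the point of the example is that the relayed credentials and OTP from the attack above are not enough once a managed-device certificate is required, and that the remaining findings give the help desk something concrete to verify with the employee before approving access.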
Tips for the end user:
- Check that the links received are not misspelled or contain the wrong domain.
- Bookmark the correct corporate VPN URL and do not visit alternative URLs that you have been given over the phone.
- Be suspicious of unsolicited phone calls or emails from people claiming to be from a legitimate company. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of the identity of the person requesting it. If possible, try to verify the identity of the caller directly with the company.
- If you receive a vishing call, document the caller’s phone number and the domain they tried to send you to, and report this information to the authorities.
- Limit the amount of personal information you post on social networking sites.
- Evaluate your settings regularly, as some sites may change these security settings; make sure the settings in place are ones you are comfortable with.
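The two end-user tips about checking a link’s domain and using only the bookmarked VPN URL, and the organization-side tip about monitoring domains, can be supported by the same piece of logic. The following is an added example written for this article; it is not code from the article, the FBI or CISA. The corporate domain, the VPN host, the confusable-character table and the sample links are constructed placeholders, and the registrable-domain logic assumes a single-label public suffix (it does not handle suffixes such as co.uk).

```python
"""Check a link received by phone, SMS or email against the bookmarked
corporate VPN host, and screen newly seen domain names for lookalikes of
the corporate domain.

Added example; not code from the article, FBI or CISA.  CORPORATE_DOMAIN,
OFFICIAL_VPN_HOST, CONFUSABLES and the sample links are constructed, and
registrable() assumes a single-label public suffix.
"""
import unicodedata
from typing import List
from urllib.parse import urlsplit

CORPORATE_DOMAIN = "example-corp.com"        # placeholder
OFFICIAL_VPN_HOST = "vpn.example-corp.com"   # the URL the user should bookmark

# visually confusable substitutions commonly used in typosquatted names
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise_host(host: str) -> str:
    """Lower-case, apply NFKC (folds full-width and compatibility forms), drop a trailing dot."""
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (see assumption above)."""
    return ".".join(host.split(".")[-2:])


def skeleton(label: str) -> str:
    """Collapse confusable characters and hyphens so near-identical labels compare equal."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain's main label imitates the corporate domain's main label."""
    if domain == CORPORATE_DOMAIN:
        return False
    target = CORPORATE_DOMAIN.split(".")[0]
    label = domain.split(".")[0]
    if skeleton(label) == skeleton(target):
        return True                       # same name under another TLD, or confusables swapped in
    if target in label:
        return True                       # corporate name embedded, e.g. name-support.net
    return edit_distance(label, target) <= 2   # a character or two off


def classify_link(url: str) -> str:
    """Classify a received link relative to the bookmarked VPN host."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = normalise_host(parts.hostname or "")   # hostname ignores any user@ prefix
    if host == OFFICIAL_VPN_HOST:
        return "official"
    if not host.isascii():
        return "non-ascii-host"           # review by hand; may be a homoglyph domain
    if host.replace(".", "").isdigit():
        return "ip-literal"
    if host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN):
        return "corporate-other"          # genuine corporate host, but not the VPN
    if is_lookalike(registrable(host)):
        return "lookalike"
    return "unrelated"


def find_lookalikes(new_domains: List[str]) -> List[str]:
    """Screen a batch of newly observed domains (e.g. a registration feed) for lookalikes."""
    return [d for d in new_domains if is_lookalike(normalise_host(d))]


if __name__ == "__main__":
    # constructed sample links a user might be sent
    for link in ["https://vpn.example-corp.com/login",
                 "https://vpn.examp1e-corp.com/login",
                 "https://vpn.example-corp.com@203.0.113.5/login"]:
        print(link, "->", classify_link(link))
```

Only a result of "official" should ever be used to reach the VPN; the other categories exist so that the user (or the domain-monitoring team) can see why a link was rejected. The third sample link shows an edge case worth knowing: the text of the URL begins with the corporate host name, but everything before the @ is ignored by the browser and the request actually goes to the address after it.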