Remote Workers Face Rise in Vishing Attacks
November 2020 by Check Point
Security researchers at Check Point Research are warning of increasing vishing (voice phishing) attacks targeting remote workforces, with the aim of getting a person to share login credentials or sensitive data. During the phone call, attackers imitate company representatives, often from finance, HR, IT or legal departments, and use social engineering techniques to trick victims into sharing account credentials or banking information. Attackers then use the information to steal the victim’s funds and/or deliver destructive malware.
The warning from Check Point researchers follows a joint advisory from Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, warning of a wave of vishing attacks targeting private sector companies in the US. According to the advisory, threat actors typically call employees working from home to collect login credentials for corporate networks, which they later monetize by selling the access to other groups.
Recently, researchers at CPR were asked to investigate two vishing attacks against employees at an international corporation. The corporation received a total of 6 vishing phone calls within three months. Two of those phone calls are detailed below to better educate remote workers on the nature of vishing attacks.
The First Call
An attacker called the company’s technical support center via a publicly available number, requesting to speak with a representative. The attacker introduced herself as an existing company employee whose appearance matched the caller’s accent. During the call, the attacker requested the phone numbers of two other employees – both of them real company employees. The request was polite and accompanied by a spelling of the names, and shortly after that, the caller suggested the representative install TeamViewer – a remote control application – allegedly to help the representative locate the desired phone numbers. We can assume that the caller was carefully selected to match the description of the employee used as cover, and that the attackers verified that the employee was still working at the company.
Based on the area code, it appeared that the call originated from Miami. After further investigation, we discovered that the same phone number had been used and reported as phishing by users in Europe – the UK, Poland and Bulgaria as well as South Asia (Singapore, the Philippines and Japan). Individuals reported that callers from the same number asked for contact details of fellow employees. In total, the phone number was requested 95 times in the past 120 days.
The Second Call
Similarly to the above incident, the attacker reached out to the company’s technical support center via a publicly available number, requesting to speak with a representative. In this case, the attacker used a broader cover story involving a major telecommunications company, and the representative was more suspicious than before. This time, the attacker used a phone number with no known spam reports found online, associated with San Francisco. Below is a partial transcription of the call. All names have been replaced to protect the targets’ identity.
Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, said: “Vishing attacks are a growing cyber threat, alongside conventional phishing. The direct nature of the vishing call means the attacker controls the information channel and puts additional pressure on the target. We’re seeing that more and more multi-staged cyber-attacks are incorporating vishing calls as part of their infection chains, for a number of reasons. One, vishing attacks help hackers in their reconnaissance phase, where they can learn more about their targets. Second, vishing attacks deepen the phishing phase, as combining a call with an SMS message deepens the deception, for example. Third, vishing attacks become the core of major cyber-attacks, such as deceiving victims to hand over 2FA codes sent over SMS, or grant access to a certain system, which is what happened in the Twitter account hijacking earlier this year. Remote workers everywhere should learn to not overshare and to verify the authenticity of whoever they find themselves on the phone with.”
How to protect against vishing attacks
1. Don’t overshare. Unless you are absolutely certain to whom you are speaking, never give out personal information over the phone, especially payment or banking details.
2. Verify authenticity. If you are uncertain of the caller’s identity, ask for their number and call them back. While still on the phone, look up their number on the internet to verify its authenticity.
3. No wire transfers to unknowns. Never agree to conduct wire transfers or "virtual" payments to callers you do not know.
4. Stay educated. Knowledge and education are key. The more alert you are to these types of scams, the less likely you are to fall victim to them.
5. Hang up. Hanging up on suspicious or unverified calls is never rude or a bad habit.
6. Report suspicious activity. Make it a point to report suspected calls or fraud attempts to your bank as soon as possible.