New Wave of Voice Phishing Attacks Target VPN Credentials

Phishing attacks and other online scams designed to steal employee credentials have become increasingly common for people working from home during the pandemic. However, a group of cybercriminals is taking phishing to the next level by using a voice phishing service that combines phone calls to potential targets with custom phishing sites to steal remote workers' VPN credentials. As Krebs On Security reported, the cybercriminals behind this new campaign have a remarkably high success rate and operate through paid or "bounty" solicitations in which their dark web clients seek access to specific businesses or accounts. Over the past six months, the group has created custom phishing pages targeting some of the world's largest companies, though its primary focus is organizations in the finance, telecommunications and social media industries.

Vishing attacks

A vishing attack typically begins when cybercriminals make a series of phone calls to employees working remotely at a targeted organization. The attackers claim to be calling from the organization's IT department to help fix problems with the company's VPN. The ultimate goal of the campaign is to convince a remote worker to reveal their credentials over the phone, or to enter them manually into one of the attackers' phishing websites, which are designed to mimic the organization's legitimate site. According to ZeroFox's director of threat intelligence, Zack Allen, attackers often target new hires and even create fake LinkedIn profiles to make their vishing attempts appear more legitimate.

Typically, two cybercriminals work together on one of these attacks: one talks on the phone with the potential target while the other tries to connect to the target company's VPN using the credentials obtained during the call. Even if the attackers fail, they still gain valuable information about the organization that they can use in their next attempt against another employee of the same company.

Vishing has become so bad during the pandemic that the FBI and CISA recently issued a joint security advisory warning organizations and their remote workers about the threat. Just as you should never give out your credentials over email, the same applies when someone calls you on the phone asking for them. In any case, it is highly unlikely that your organization's IT department will phone you to ask for credentials it most likely already has.

Via Krebs on Security