The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning businesses about a voice phishing (vishing) scam that targets employees working from home. Cybercriminals are using this scam to steal virtual private network (VPN) login credentials, which they use to access company networks and steal data or money. By understanding how this VPN vishing scam works, you can better protect your business.
How the Scam Works
With the help of companies that have been victimized, the FBI and CISA have pieced together how the VPN vishing scam typically works. The cybercriminals begin by making preparations. After choosing a business to target, they register a domain using the company’s name. They follow naming schemes like
where [company] is the name of the targeted business. The scammers then duplicate the target company’s VPN login page, paying attention to details. For example, if two-factor authentication is used, that feature is included the spoofed VPN login page. The scammers even obtain a Secure Sockets Layer (SSL) certificate so that it is an HTTPS site. This is a common trick of the trade — more than three quarters of all phishing sites are HTTPS sites. Cybercriminals know that some people assume a site is safe when they see the “https” designation and the accompanying padlock icon in their web browser’s address bar. However, the “https” designation simply indicates that any data sent between the browser and the website is encrypted. It does not signify that the site is legitimate or safe.
Next, the scammers compile information on the target company’s employees, including their names, home addresses, personal phone numbers, company positions, and job tenure. This is accomplished by scouring public profiles on social media sites like LinkedIn and Facebook, taking advantage of publicly available background check services, using recruiter and marketing tools, and conducting other types of research. From this information, they are able to glean which employees telecommute to work. The scammers also use this information to personalize the conversations they will have with the remote employees.
After the preparations are done, the vishing begins. At first, the scammers call the telecommuters on their personal phones using unattributed Voice over Internet Protocol (VoIP) numbers. Besides making sure they have the correct phone numbers, the cybercriminals often try to learn more information about the company, such as its hierarchy or the business lingo used. The latter is important. When scammers use the terms and acronyms that the employees are accustomed to hearing, the employees are more apt to believe the scammers and do what they ask, according to social engineering experts.
The scammers then carry out the main vishing attack. In this attack, two cybercriminals work in tandem. One of the scammers calls a remote worker, pretending to be another employee such as a member of the company’s IT help desk. The impersonator often uses caller ID spoofing to help convince the telecommuter that the call is legitimate. Similarly, the impersonator sprinkles tidbits of information about the remote employee and the company into the conversation to gain the employee’s trust.
At this point, the scammer starts spinning a story designed to get the remote worker to enter his or her credentials into the spoofed VPN login page. If the remote employee falls for the scam, the second cybercriminal immediately enters the stolen credentials in the real VPN page. That way, if a two-factor authentication or one-time password system is being used, the cybercriminal will be able to get past that layer of protection. (Typically, the one-time codes generated for two-factor authentication and one-time passwords are only good for a short period of time.) Once the cybercriminal gains access to the company’s network through the VPN, he or she carries out other cyberattacks, such as stealing data to sell on the dark web.
If the remote worker does not fall for the scam, the two cybercriminals simply move on to a different telecommuter in that company. Unsuccessful attempts help the scammers refine their social engineering approach, according to cybersecurity researchers.
It is important to note that while this is the typical way cybercriminals carry out the vishing scam, variations exist. For example, in a few cases, the FBI and CISA found that two-factor authentication codes and one-time passwords were obtained through SIM swapping rather than the spoofed VPN site. In SIM swap scams, hackers hijack a victim’s mobile phone by tricking the mobile carrier into activating a new SIM card for it.
How to Avoid Becoming a Vishing Victim
The specific measures that businesses should take to protect against the VPN vishing scam will depend on several factors, such as their current authentication system, which VPN they use, and how many employees telecommute to work. Contact us for specific recommendations for your company.