The first wave of pandemic-related phishing attacks targeted vulnerable employees and consumers. There were attacks that used home delivery services and attacks that used travel-related services, attacks that used spoofed resumes and attacks that spoofed the SBA’s Office of Disaster Assistance. Now hackers have moved on to the gainfully employed by attacking the virtual private networks (VPNs) that remote workers use to connect to the office.
Both the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) have issued a joint warning about vishing attacks on VPNs, according to We Live Security. It is a logical target: many of the victims are first-time remote workers who may not be familiar with using a VPN, and the companies they work for may not yet have the proper cyber defenses in place for a distributed workforce.
According to the advisory, “Since around mid-July, cybercriminals have been able to steal login details into employee tools at a number of companies. As part of the campaigns, the black hats created phishing websites that duplicated or resembled the internal VPN login pages of various companies, obtained Secure Socket Layer (SSL) certificates for their domains and gave them various names that use a combination of the company’s name, a hyphen and words such as support or employee.”
The interesting thing about these attacks is that they are vishing (voice phishing) attacks: the attack starts with a phone call, placed over a VoIP (voice over IP) line. Vishing often plays a major role in social engineering. In this case, “the fraudsters impersonated IT help desk workers and used the information from their dossiers to gain the victims’ trust. From there, the attackers convinced the targets that they would receive a new VPN link that would require their login, including two-factor authentication (2FA) or a one-time password (OTP).”
This is the key part of the scam. Most corporate VPNs will not let you log in without a 2FA code or OTP, so a stolen password alone is useless to the attackers. That is why they set up a phishing site that captures the second factor as well as the password, which they have done. Because an OTP is single-use and expires quickly, the captured code has to be replayed against the real VPN portal right away, which is exactly what a live phone call with the victim makes possible.
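The advisory quoted above gives defenders one concrete signal: the phishing hosts were named by combining the company’s name, a hyphen and a word such as “support” or “employee”, and they carried valid SSL certificates, so the padlock in the browser is no protection at all. As an added example (not code from this page, from DuoCircle or from the advisory), the Python below flags hostnames built that way when they sit outside the domains the company actually owns. The company name “acme”, its owned domains and the sample URLs are constructed; the lure words beyond “support” and “employee”, and the two-label shortcut for the registrable domain, are assumptions.

```python
from urllib.parse import urlparse

# Words the advisory says were combined with the company name. Everything
# after "employee" is an assumed addition typical of VPN-themed lures.
LURE_WORDS = {"support", "employee", "employees",
              "vpn", "sso", "login", "portal", "helpdesk", "remote"}

# Constructed sample: a company ("acme") whose real portal is vpn.acme.com,
# plus a handful of hostnames as they might appear in a web-proxy log.
OWNED_DOMAINS = {"acme.com", "acme.net"}
SAMPLE_URLS = [
    "https://vpn.acme.com/",                      # legitimate portal
    "https://acme-support.com/login",             # company + hyphen + lure word
    "https://employee-acme.org/",                 # lure word first
    "https://acmevpn.co/sso",                     # name fused to lure word, no hyphen
    "https://acme-employee.login.example.net/",   # lookalike as a subdomain label
    "https://support.acme.com/",                  # real help desk on an owned domain
    "https://www.example.com/acme-support",       # company name only in the path
]


def hostname_of(url):
    """Return the lowercase hostname of a URL (scheme optional)."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of the host. Assumed simplification: production code
    should use the Public Suffix List (e.g. tldextract) so that a name such
    as acme.co.uk is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(url, company, owned_domains):
    """True if the URL's host mimics the company the way the advisory
    describes and is not under a domain the company owns."""
    host = hostname_of(url)
    company = company.lower()            # assumes a single-token name, no hyphen
    if registrable_domain(host) in {d.lower() for d in owned_domains}:
        return False                     # any subdomain of an owned domain is fine
    for label in host.split("."):
        parts = label.split("-")
        # "acme-support", "employee-acme", "acme-vpn-login"
        if company in parts and any(p in LURE_WORDS for p in parts if p != company):
            return True
        # "acmevpn", "supportacme": name fused to a lure word without a hyphen
        if label.startswith(company) and label[len(company):] in LURE_WORDS:
            return True
        if label.endswith(company) and label[:-len(company)] in LURE_WORDS:
            return True
    return False


def flag_lookalikes(urls, company, owned_domains):
    """Return the subset of urls whose host is a lookalike of the company."""
    return [u for u in urls if is_lookalike(u, company, owned_domains)]


if __name__ == "__main__":
    for u in flag_lookalikes(SAMPLE_URLS, "acme", OWNED_DOMAINS):
        print("BLOCK", u)
```

The check deliberately never looks at the certificate or the page content, only at the hostname, because the attackers in this campaign had valid certificates and pixel-perfect copies of the real login page. A real deployment would feed it newly issued certificates from certificate-transparency logs, or the hostnames in proxy logs, and alert on anything it flags; the owned-domain allow list is what keeps a company’s own support.acme.com from being blocked.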
With a scam this elaborate, in which the attacker is willing to call you and convince you they are from the help desk, how are employees supposed to protect themselves? The answer is they can’t, but technology can. Technology like Phishing Protection available from DuoCircle.
No matter how sophisticated the ruse, all phishing attacks come down to one thing: getting the victim to click a link they shouldn’t, and that is where Phishing Protection comes in. Phishing Protection ignores the social engineering and sleight of hand and focuses only on the links and where they point. If a link points somewhere dangerous, Phishing Protection keeps you from reaching that site.
How does Phishing Protection do that? It sits between you and the sites you visit and, in essence, visits them first to make sure they are safe. It can do that because it is a cloud-based service, which also means there is no hardware or software to buy, and it sets up in about 10 minutes.
If you are worried about your first-time remote workers and attacks on your VPN, check out Phishing Protection. It costs only pennies per employee per month, and you can try it free for 60 days.