Published on 17/12/2020 | Written by Jonathan Cotton
A spate of strikes shows just how effective voice-based attack vectors can be…
New research shows ‘vishing’ attacks – phone- (or VoIP-)based phishing attacks that use social engineering to gain unauthorised access to an organisation’s data – are on the rise.
The most likely targets? Remote workers, says the research from tech security firm Check Point, with disrupted systems and processes proving tempting for would-be confidence tricksters.
“The social distancing demanded by Covid-19 has resulted in many changes to the way we work,” says the tech security firm.
“Massive organisations shifted their structure to accommodate a remote workforce with access to corporate resources via RDP [Remote Desktop Protocol] and VPN connections. This presents many opportunities for vishing operations, as attackers can easily pretend to be a colleague in need of assistance with VPN access, corporate credentials or other company information over the phone.
“Researchers describe coordinated attacks, leasing of American voice actors, set-up of dedicated phishing pages to bypass multifactor authentication mechanisms, in campaigns often focusing on corporate new hires.”
According to the research, 81 percent of enterprises have adopted mass remote working for their employees, with 74 percent planning to enable it permanently.
That’s also in line with new numbers from Verizon, which finds phishing is one of the biggest security threats to organisations, accounting for more than 30 percent of all breaches.
“Unlike traditional tax or social security-related scams, these attacks specifically target carefully selected users by gathering extensive information about them from their social media profiles and other publicly-available resources, and choosing employees deemed most likely to cooperate prior to making the call.”
This year has seen its share of high-profile ‘vishing’ attacks. In June, Twitter revealed that it had been attacked, with hackers managing to gain access to 130 accounts, some belonging to high-profile business people, politicians and celebrities.
A security update from the social giant explained how the fraudsters impersonated employees to gain access to the user accounts.
“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.
“This knowledge then enabled them to target additional employees who did have access to our account support tools.”
Using those credentials, the attackers took over 130 Twitter accounts (including those belonging to Barack Obama, Joe Biden, Jeff Bezos and Elon Musk), tweeting from 45 of them, accessing the DM inbox of 36, and downloading the Twitter data of seven.
Ultimately the hackers used the compromised accounts to promote a bitcoin scam. An investigation by Twitter has revealed that the takeover yielded more than US$100,000. A 17-year-old from Florida has been arrested.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” said the company. “This was a striking reminder of how important each person on our team is in protecting our service.”
And Twitter isn’t the only one. Employees at domain registrar GoDaddy fell victim to a phone-based phishing attack this year, handing over control of cryptocurrency service sites NiceHash and Liquid to malicious actors.
“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts,” said Liquid CEO Mike Kayamori of the breach. “In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
While Liquid ultimately regained control of the compromised accounts, the company says the hackers had access to customer emails, names, addresses and encrypted passwords.
“We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC such as ID, selfie, and proof of address, and will provide an update once the investigation has concluded.”