The pandemic seems to be far from over. However, despite newer strains resurfacing every now and then, corporate houses are still maintaining their stance towards remote employment, in an effort to keep productivity intact. Besides, it is expected that work from home, as the new professional culture, will persist till further notice, owing to the current state of the economy, safety concerns, and the presumed resurgence of the pandemic.
Sounds scary, right!
However, corporations have bigger problems to deal with, and Covid-19 is actually the least of their worries in 2021. In an era where online scams and cyberattacks have become organizational commonplaces, remote work has brought yet another threat to the fore in the form of Vishing. Vishing, short for voice phishing, is not a software exploit at all: the attacker works over phone calls and voicemail, and the person answering the phone is the attack surface.
Therefore, if you thought that taking a conversation off the keyboard would keep you clear of prying attackers, Vishing shatters that assumption. With Vishing added to the list of threats that security teams must plan for, it is worth talking about the nature, scope, and potency of the attacks. That is what the following sections aim at: we dissect the anatomy of a standard yet sophisticated attack and list the strategies that businesses can rely on to stay protected.
A Bit More about Vishing
Vishing campaigns, that is, voice phishing attacks, are on the way up, as CISA and the FBI warned in a joint advisory. Vishing has been around for years, albeit in moderation, but it has recently spread its wings and moved rapidly towards the corporate sector.
The reason for this emboldened approach on the part of the cybercriminals is the increased remote-working posture adopted by companies in the wake of the global emergency. A home office lacks the in-person verification of a workplace (nobody can walk over to the IT desk to check whether a call is genuine, and IT contact happens entirely by phone and e-mail), so attackers have shown increasingly high levels of interest in Vishing as their preferred mode of entry.
Moreover, as the same advisory reports, voice-based phishing has started taking ominous forms, with many attackers using phone calls to steal credit card details and banking credentials.
Therefore, if you suddenly get a query call from the IRS, refrain from sharing your Social Security number or medical insurance details, as the call may very well be part of a targeted scam. Legitimate agencies and banks do not collect such details over an unsolicited call; hang up and call back on a published number.
‘Vishing’ keeps the Core Phishing Concept Intact
Despite Vishing evolving into a more coordinated form of cyberattack in 2021, it still adheres to the core concept of phishing: social engineering aimed at credentials or information that can be turned into financial gain.
But how are the attackers even getting past the security patches and VPNs that the remote workforce relies on in this work-from-home era?
The answer is that they do not need to. The attackers are not breaking VPN encryption; they are obtaining valid credentials. A cloned VPN login page collects the employee's username, password and one-time code, the attacker enters those into the real VPN within the code's validity window, and the VPN admits them exactly as it would admit the employee. The voice call is what makes the employee willing to log in on the fake page in the first place, and it is why the attack is more believable than an e-mail carrying the same link.
Vishing Attack in Detail: The Anatomy
If it is still unclear how these attacks are even initiated, here is a detailed walk-through of a single attack, step by step.
Reconnaissance
The first step is detailed investigation: the attackers zero in on a company and start devising steps to infiltrate its workforce. This phase follows a fairly standard set of actions:
- Dossier compilation, where attackers handpick victims by scraping their social media and professional networking profiles.
- Once promising targets are identified, the dossier is filled in with whatever can be found about the employee (name, role, position in the firm, tenure, manager, phone number) to get a better understanding of who they are and what they can access.
- The research and profiling are as extensive as the attacker can make them, because every detail learned here is later used on the phone to sound like a genuine colleague.
Trap Ideation
Once the reconnaissance phase is out of the way, attackers spend a considerable amount of time designing the trap. In most cases this means cloning the VPN login page of the targeted company and hosting the copy on a look-alike domain, so that the targeted employee can be duped into logging in via the fake page.
The fake page captures the login credentials and, crucially, the 2FA code the employee types in. Because that code expires within minutes, the attacker (or an automated relay behind the page) uses it immediately against the real VPN. Once logged in, the attacker holds a legitimate session and can reach confidential data, much of it transactional in nature.
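The cloned page has to live on a domain the employee will accept at a glance, which is why the domain monitoring recommended later in this article matters. The script below is an added example, not code from the original article or from any referenced advisory: it generates the look-alike domains an attacker might register for a corporate VPN hostname (homoglyph swaps, typos, dropped hyphens, help-desk style affixes, alternate TLDs) and flags matches in a feed of newly observed domains. The hostname `vpn.example-corp.com`, the affix list and the feed are constructed for illustration.

```python
"""Look-alike domain check for a corporate VPN hostname.

Added example, not from the original article. The hostname, the affix
list and the 'newly observed domains' feed are constructed for illustration.
"""
from typing import Iterable

# Hypothetical corporate VPN hostname (assumption; replace with your own).
CORP_VPN_HOST = "vpn.example-corp.com"

# Characters that pass for each other on a phone screen or at a hurried glance.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
# Words a fake "IT help desk" commonly bolts onto a brand name.
AFFIXES = ["support", "helpdesk", "vpn", "sso", "login", "it", "secure", "portal"]
ALT_TLDS = ["com", "net", "org", "co", "info", "online", "support"]


def split_brand(host: str) -> tuple[str, str]:
    """Return (brand_label, tld) for a host such as vpn.example-corp.com.

    Simplified on purpose: the last label is treated as the TLD and the one
    before it as the brand. Multi-label suffixes (co.uk) would need the
    public suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def lookalike_candidates(host: str) -> set[str]:
    """Generate registrable domains an attacker might use to host a cloned login page."""
    brand, tld = split_brand(host)
    labels: set[str] = set()
    for i, ch in enumerate(brand):                        # homoglyph swaps
        for sub in HOMOGLYPHS.get(ch, []):
            labels.add(brand[:i] + sub + brand[i + 1:])
    for i in range(len(brand)):                           # omission / transposition typos
        labels.add(brand[:i] + brand[i + 1:])
        if i + 1 < len(brand):
            labels.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    labels.add(brand.replace("-", ""))                    # hyphen dropped
    for affix in AFFIXES:                                 # "support-brand", "brand-vpn", ...
        labels.update({f"{affix}-{brand}", f"{brand}-{affix}", affix + brand, brand + affix})
    labels.discard(brand)

    candidates = {f"{label}.{t}" for label in labels for t in ALT_TLDS}
    candidates.update(f"{brand}.{t}" for t in ALT_TLDS if t != tld)   # same brand, other TLD
    return candidates


def flag_lookalikes(observed: Iterable[str], host: str) -> list[tuple[str, str]]:
    """Match a feed of newly seen domains against the candidate set, plus a looser
    rule for the brand token buried inside a longer label. The real domain is skipped."""
    brand, tld = split_brand(host)
    real = f"{brand}.{tld}"
    token = brand.replace("-", "")
    candidates = lookalike_candidates(host)
    hits = []
    for d in observed:
        d = d.lower().strip(".")
        registrable = ".".join(d.split(".")[-2:])
        if registrable == real:
            continue
        if registrable in candidates:
            hits.append((d, "typosquat/affix candidate"))
        elif token in registrable.split(".")[0].replace("-", ""):
            hits.append((d, "brand token embedded in label"))
    return hits


# Constructed feed of "newly registered" domains (not real observations).
OBSERVED_DOMAINS = [
    "support-example-corp.com",
    "examp1e-corp.net",
    "vpn-examplecorp-helpdesk.com",
    "example-corp.com",
    "EXAMPLE-CORP.co",
    "weatherforecast.org",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(OBSERVED_DOMAINS, CORP_VPN_HOST):
        print(f"{domain:35} {reason}")
```

In practice the feed would come from certificate transparency logs or a newly-registered-domain list, and a hit is the cue to check whether the domain already serves a copy of your login page. The candidate generator deliberately over-produces: registering the handful of cheap obvious variants yourself is far less effort than explaining to an employee why the page they logged into was not yours.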
Trap Execution
With the dossier in hand, the call comes. Attackers call employees on their personal numbers, typically from spoofed caller IDs or throwaway VoIP numbers, posing as corporate IT technicians. A serious security concern is reported, and if the employee senses something off and pushes back, the attacker raises the pressure, invoking the company's interests in a cajoling tone. Urgency and authority are the two levers; a genuine help desk rarely needs either.
There are a few additional steps that Vishing attackers usually resort to, for making the call look like a standard security-centric query:
- Employee trust is gained by quoting details collected in the dossier during the reconnaissance phase. Once the employee is convinced, the attacker sends over the link to the cloned VPN page, masked as a patch update or a new VPN portal.
- Once the employee logs in, the credentials and the one-time code are forwarded to the attacker in real time, who uses them on the real VPN before the code expires.
Note: Minimizing your social media exposure to thwart the reconnaissance phase helps, but it will not always be enough, and the home office adds another angle. Work from home puts the work laptop on the same network as every other internet-connected device in the house. A streaming device such as a Roku or an Amazon Fire TV Stick that has had a third-party application sideloaded onto it can be compromised, and a compromised device on the home network is a foothold from which the work machine can be probed.
A VPN on the streaming device only encrypts that device's traffic to the VPN provider; it does nothing against Vishing and little against a malicious app already running on the device. What actually limits the damage is keeping streaming and IoT devices on a separate network from the workstation (a guest Wi-Fi or a separate VLAN), which is also what the protective measures below recommend.
Extraction
The last phase of a Vishing attack is extraction. During this phase, the attackers use the VPN access for a period of time to reach the company's databases and records. Some attackers choose to launch a full-fledged ransomware attack at this stage; others quietly exfiltrate data.
How to Stay Protected?
With several companies planning to keep the WFH setup till further notice, it becomes all the more important to protect credentials and databases from large-scale Vishing attacks. Here are some of the more doable strategies that companies and employees can adopt to stay ahead of the attackers:
- Launch extensive training campaigns to educate employees about the nature and modus operandi of Vishing attacks, including the rule that IT will never ask for a password or a one-time code over the phone
- Give employees a verified channel for reaching IT: a published help-desk number they call back on, so that a "technician" who calls out of the blue can be checked; robocall blocking on company phones helps too
- Multi-factor authentication is the key to a secured setup, but one-time codes can be relayed in real time, exactly as described above; phishing-resistant MFA (FIDO2 security keys or platform authenticators) for the VPN removes that option
- Implement software restriction policies so that only approved software runs on work devices
- Monitor internet usage and user access at all times
- Restrict company-powered VPN access to corporate devices only, enforced with hardware checks or device certificates rather than by policy alone
- Restrict VPN access to business hours where the business allows it, and force employees to re-authenticate after a fixed session length
- Run domain monitoring for look-alike and typosquatted versions of the company's VPN and login domains, and register the obvious ones yourself
- Do not use streaming devices and IoT solutions on the same wireless network as the workstation
- Scan, monitor and alert in a timely manner on modifications and unauthorized access, and watch VPN logs for logins from unfamiliar networks, outside working hours, or without a device certificate
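Several of these measures produce signals in the VPN authentication log, and the credential relay described in the attack anatomy leaves a recognizable pattern there. The script below is an added example, not from the original article: it checks a batch of constructed log lines against an allowed-hours policy, a managed-device certificate inventory, each user's baseline source networks, a short window for overlapping sessions from different networks, and one source address being used against several accounts. The log format, policy values, baseline and sample lines are all assumptions made for the example.

```python
"""VPN login review for the mitigations above: working-hours restriction,
managed-device certificate check, new source network, overlapping sessions
from different networks, and one source IP working through several accounts.

Added example, not from the original article. Log format, policy values,
baseline and sample lines are all constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed log line format (hypothetical):
#   2021-03-02T09:41:12Z user=jsmith src=203.0.113.7 cert=CN=laptop-4471 result=success
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cert=(?P<cert>\S+) result=(?P<result>\S+)$"
)

# Policy knobs (assumptions for this example).
ALLOWED_HOURS = range(7, 20)          # logins allowed 07:00-19:59 UTC
SESSION_WINDOW = timedelta(minutes=15)

# Constructed baseline: the /24 networks each user normally connects from.
BASELINE = {
    "jsmith": {"203.0.113.0/24"},
    "amartin": {"192.0.2.0/24"},
    "pkumar": {"203.0.113.0/24"},
}
# Constructed inventory of device-certificate CNs issued to corporate laptops.
MANAGED_DEVICES = {"laptop-4471", "laptop-9012", "laptop-3305"}

# Constructed sample log. Line 2 is what a vishing relay looks like: the
# employee's stolen password and OTP replayed from the attacker's network,
# eleven minutes after the real employee's own login, with no device certificate.
SAMPLE_LOG = [
    "2021-03-02T09:41:12Z user=jsmith src=203.0.113.7 cert=CN=laptop-4471 result=success",
    "2021-03-02T09:52:30Z user=jsmith src=198.51.100.23 cert=none result=success",
    "2021-03-02T10:05:00Z user=pkumar src=198.51.100.23 cert=none result=failure",
    "this line is malformed and must be skipped",
    "2021-03-02T23:15:02Z user=amartin src=192.0.2.44 cert=CN=laptop-9012 result=success",
]


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def netblock(ip: str) -> str:
    """Collapse an address to its /24 so a DHCP lease change does not look like a move."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def analyze(lines, baseline, managed_devices):
    """Return a list of alert dicts for the suspicious logins in `lines`."""
    alerts = []
    last_success = {}     # user -> (timestamp, netblock) of the previous successful login
    users_by_src = {}     # source ip -> accounts it attempted (successes and failures)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        users_by_src.setdefault(rec["src"], set()).add(rec["user"])
        if rec["result"] != "success":
            continue

        user, ts, block = rec["user"], rec["ts"], netblock(rec["src"])
        reasons = []
        if ts.hour not in ALLOWED_HOURS:
            reasons.append("login outside allowed hours")
        cn = rec["cert"][3:] if rec["cert"].startswith("CN=") else None
        if cn not in managed_devices:
            reasons.append("no managed-device certificate")
        if block not in baseline.get(user, set()):
            reasons.append(f"new source network {block}")
        prev = last_success.get(user)
        if prev and prev[1] != block and ts - prev[0] <= SESSION_WINDOW:
            reasons.append("second session from a different network within the window")
        last_success[user] = (ts, block)
        alerts.extend({"user": user, "when": ts.isoformat(), "src": rec["src"], "reason": r}
                      for r in reasons)

    # Cross-user signal: one attacker box working through several stolen accounts.
    for src, users in users_by_src.items():
        if len(users) > 1:
            alerts.append({"user": "*", "when": None, "src": src,
                           "reason": f"source used against multiple accounts: {sorted(users)}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, BASELINE, MANAGED_DEVICES):
        print(f'{a["when"] or "-":20} {a["user"]:8} {a["src"]:15} {a["reason"]}')
```

No single rule here is conclusive on its own (a genuine employee can log in from a hotel), which is why the checks are stacked: a session with no device certificate, from a network the user has never used, opened minutes after the same account logged in from their usual network, is the relay pattern and should page someone. Failed attempts are counted in the cross-user check on purpose, since the attacker will typically try the other accounts collected during the same campaign from the same box.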
Bottom-Line
Vishing attacks are here to stay, as corporate firms are not going to shy away from the work-from-home approach any time soon. However, now that we are aware of the anatomy of an attack and the preventive measures, we can deploy strategies to keep these threats at a fair distance. Then again, regardless of the approaches we follow concerning awareness building, phish testing, and policy governance, attackers are always expected to find newer ways in.
Therefore, it is necessary to be proactive while managing resources, with an eye open for sudden intrusions.