Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

FBI Warns of Employee Credential Phishing via Phone, Chat

The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms.

The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms.

Taking advantage of the COVID-19 pandemic, which has forced the broad adoption of telework, cyber-criminals and threat actors are attempting to exploit possible misconfiguration and lack of monitoring for remote network access and user privileges.

An observed shift in tactics, the FBI says, is the targeting of all employee credentials, not exclusively of those individuals who might have higher access and privileges based on their corporate position.

Cybercriminals were observed employing social engineering to target both US-based and international-based employees of large companies. As part of vishing attacks (voice phishing performed during phone calls) using VoIP platforms, employees were tricked into accessing fake web pages and entering their corporate usernames and passwords.

“After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage,” the FBI explains.

In one attack, the Agency says, the cybercriminals found an employee via the company’s chatroom, and then convinced them into logging into a fake VPN page to reveal their credentials.

Using the compromised username and password, the threat actors then logged into the company’s VPN and started searching for employees who had higher privileges. They located an employee who could make username and email changes and used a chat room messaging service to phish for their credentials.

The infamous July 2020 Twitter hack, in which three youngsters gained access to social platform’s internal tools and took control of high-profile accounts, is representative of how such an attack is performed: the cybercriminals called multiple employees to phish for their credentials, until they finally harvested those having the privileges they were looking for.

Advertisement. Scroll to continue reading.

“The Hackers used personal information about the employees to convince them that the Hackers were legitimate and could, therefore, be trusted. While some employees reported the calls to Twitter’s internal fraud monitoring team, at least one employee believed the Hackers’ lies,” the New York Department of Financial Services said in a report detailing the incident.

To mitigate such attacks, the FBI advises organizations to implement multi-factor authentication (MFA) for employee accounts, adopt the least privilege principle (especially for new employee accounts), actively monitor the environment for unauthorized access or modifications, employ network segmentation, and issue two accounts for admins: one for email and another for making changes to systems.  

“With so many people working from home, they are more likely to fall for this type of vishing scam because they don’t have the protective environment of being in their corporate offices,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.

“Organizations want to include vishing exercises within their robust security awareness, behaviors, and culture programs to ensure employees are aware of current dangers and can take the appropriate actions to reduce the risk of an attack by unauthorized people,” McQuiggan continued.

Related: The Evolution of Phishing: Welcome “Vishing”

Related: CISA, FBI Alert Warns of Vishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...