SecurityWeek

Phishing

The Evolution of Phishing: Welcome “Vishing”

Post-mortem analysis of data breaches shows that most of today’s cyber-attacks are front-ended by phishing campaigns. The recent CryptoForHealth Twitter hack is just one of many examples. This is not surprising, since the easiest way for a threat actor to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if the stolen identity belongs to a privileged user, who has broader access and therefore hands the intruder “the keys to the kingdom”. While paying close attention to established hacker tactics, techniques, and procedures (TTPs) increases an organization’s ability to implement effective cyber defense strategies, businesses also need to stay abreast of emerging TTPs. A good example is vishing, a new take on an old scam.

By now security professionals are painfully aware of phishing, which uses social engineering to solicit personal information from unsuspecting users. Traditionally, threat actors craft phishing emails that appear to come from a legitimate organization or a known individual. These emails typically entice users to click on a link that leads to a fraudulent website that looks authentic. The user may then be asked to provide personal information, such as account usernames and passwords, which exposes them to further compromise. These fraudulent websites may also serve malicious code.

To exploit the ubiquitous use of smartphones, threat actors have augmented their TTPs and now deliver their attacks via SMS or direct phone calls. On August 20, 2020 the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security advisory warning about an ongoing wave of vishing attacks targeting the US private sector.

Vishing is a form of criminal phone fraud that combines one-on-one phone calls with custom phishing sites. The threat actor’s objective is to persuade the target either to reveal their credentials over the phone or to type them into a site, set up by the adversary, that impersonates the company’s corporate email or virtual private network (VPN) portal.

According to the advisory, the uptick in usage of this TTP is driven by the COVID-19 pandemic, which has resulted in a mass shift to working from home, the widespread use of corporate VPNs, and elimination of in-person verification.

How to Protect Against Vishing

IT security professionals can implement the following proactive measures to protect their organization:

• Security Awareness Training: Incorporate vishing detection education in your overall security awareness training program. This is a good reminder that it is important to update your training content frequently to account for changes in TTPs. Furthermore, augment the training with phishing simulations to gauge your employees’ awareness level and correct their behavior.

• Restrict VPN Connections: Use mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN. Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ Domain Monitoring: Track the creation of, or changes to, corporate, brand-name domains.

• Harden Use of MFA: If not yet implemented, enforce multi-factor authentication (MFA), which requires two or more distinct factors (something you know, something you have, something you are) and is therefore one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. If MFA has been implemented, harden it: a one-time code that the victim reads out over the phone or types into the lookalike portal can be relayed to the real portal by the attacker within its validity window, so deploy authenticators that meet Authenticator Assurance Level 3 (AAL3) as defined in NIST SP 800-63B, part of the SP 800-63-3 suite. These hardware-based, verifier-impersonation-resistant devices (e.g., YubiKey, Titan Security Key) have proven to be a reliable deterrent.

• Apply Least Privilege: Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Gartner has identified Privileged Access Management as one of its Top 10 information security projects for the last two years, since it is an area where organizations can achieve the greatest return on IT security investments.
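The domain-monitoring item above is easier to act on with a concrete triage rule. The following Python is an added example, not code from the article or from any monitoring vendor. The brand examplecorp, its legitimate domains and the feed of newly observed names are constructed, and the confusable table is deliberately small; it flags brand-plus-lure-keyword names (support, vpn, sso and similar), homoglyph substitutions including Cyrillic look-alikes, one-typo-away names and the bare brand on another TLD.

```python
"""Lookalike-domain triage for a corporate brand. Added example with constructed data:
the brand 'examplecorp', its legitimate domains and the feed of new domains are made up."""
import unicodedata
from difflib import SequenceMatcher

BRAND = "examplecorp"                      # hypothetical brand
LEGIT_APEX = "examplecorp.com"             # hypothetical apex; subdomains of it are trusted

# Words attackers bolt onto a brand when posing as IT support, the VPN or the SSO portal.
LURE_KEYWORDS = {"support", "ticket", "help", "helpdesk", "vpn", "sso", "login",
                 "portal", "employee", "okta", "hr", "it"}

# Confusables folded onto their Latin look-alikes before comparison. Deliberately coarse
# ("rn" -> "m" also rewrites "modern"), so a verdict is a triage hint, not proof.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}   # Cyrillic a, e, o

SIMILARITY_THRESHOLD = 0.8                 # SequenceMatcher ratio for "one typo away"

def registrable_label(fqdn: str) -> str:
    """Second-level label, punycode-decoded. Simplification: no Public Suffix List, so a
    .co.uk name would yield 'co'; fine for the constructed feed below."""
    parts = fqdn.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass                           # malformed punycode: compare the raw label
    return label

def normalize(label: str) -> str:
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label

def classify(domain: str) -> str:
    fqdn = domain.lower().strip(".")
    if fqdn == LEGIT_APEX or fqdn.endswith("." + LEGIT_APEX):
        return "legitimate"
    label = registrable_label(fqdn)
    norm = normalize(label)
    if BRAND in norm:
        if BRAND not in label:
            return "homoglyph"             # brand only appears after folding confusables
        rest = norm.replace(BRAND, "", 1)
        tokens = [t for t in rest.replace("_", "-").split("-") if t]
        if not tokens:
            return "brand-other-tld"       # e.g. examplecorp.net held by someone else
        if any(t in LURE_KEYWORDS for t in tokens):
            return "brand+lure-keyword"
        return "brand-embedded"            # brand plus something we do not recognise
    if SequenceMatcher(None, norm, BRAND).ratio() >= SIMILARITY_THRESHOLD:
        return "typosquat"
    return "unrelated"

SEVERITY = {"homoglyph": 0, "brand+lure-keyword": 1, "typosquat": 2,
            "brand-embedded": 3, "brand-other-tld": 4}

def scan(domains):
    """(domain, verdict) for every name that warrants a look, most urgent first."""
    hits = [(d, classify(d)) for d in domains]
    hits = [(d, v) for d, v in hits if v in SEVERITY]
    return sorted(hits, key=lambda dv: SEVERITY[dv[1]])

# Constructed sample of newly observed domains (as a CT-log or zone-file feed would deliver them).
NEW_DOMAINS = [
    "examplecorp-support.com", "support-examplecorp.net", "examplecorp-vpn.com",
    "examp1ecorp.com", "ex\u0430mplecorp.com", "examplec0rp-sso.com",
    "examplecrop.com", "examplecorp.net", "examplecorp.com", "sso.examplecorp.com",
    "weather-today.org",
]

if __name__ == "__main__":
    for domain, verdict in scan(NEW_DOMAINS):
        print(f"{verdict:20} {domain}")
```

Feed it whatever your certificate-transparency or zone-file source produces and review the hits in the order returned; the homoglyph and brand-plus-keyword classes are the ones that match the portals described in the advisory, so they should go to takedown and to the VPN and mail gateway blocklists first.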
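The reason the MFA item above singles out hardware authenticators is worth seeing in code. The following Python is an added example, not from the article, from NIST or from any key vendor: it implements RFC 6238 TOTP and a deliberately simplified model of the WebAuthn assertion flow (HMAC with a per-credential secret stands in for the ECDSA signature; the hostnames, user name and secrets are constructed). It shows a one-time code being relayed by the caller within its validity window, and then three independent points at which the same relay fails with an origin-bound credential.

```python
"""Added example (not from the article): a relayed one-time code works for the caller, an
origin-bound FIDO2/WebAuthn assertion does not. Hosts, keys and the HMAC stand-in are constructed."""
import hashlib, hmac, json, struct, time

# ---- Part 1: TOTP (RFC 6238). The code is valid for anyone who types it within the window. ----

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept the current step and +/- `window` neighbours, as most servers do for clock skew.
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
               for k in range(-window, window + 1))

def relay_totp_attack(seed: bytes, now: int) -> bool:
    """Caller has the victim read out the code (or type it into the lookalike); 20 s later
    the caller enters it on the real portal. Returns whether the real portal accepted it."""
    code_read_by_victim = totp(seed, now)
    return verify_totp(seed, code_read_by_victim, now + 20)

# ---- Part 2: an assertion bound to rpId and origin cannot be moved between sites. ----

REAL_RP_ID, REAL_ORIGIN = "vpn.examplecorp.com", "https://vpn.examplecorp.com"
PHISH_HOST = "vpn-examplecorp-support.com"            # constructed lookalike portal
PHISH_ORIGIN = "https://" + PHISH_HOST

class Authenticator:
    """Model of a security key: one secret per relying party, signs only for the rpId the
    browser hands it (HMAC stands in for ECDSA). It never sees what the page looks like."""
    def __init__(self):
        self.creds, self.counter = {}, 0
    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = hashlib.sha256(b"per-credential-secret:" + rp_id.encode()).digest()
        return self.creds[rp_id]                      # the RP stores this as the verification key
    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:
            return None                               # no credential for this rpId
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        return auth_data, hmac.new(self.creds[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, key: Authenticator):
    # Browser rules: rpId must be the page host or a parent of it; clientData.origin is set by the browser.
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id} is not valid for {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    result = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if result is None else (client_data, *result)

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.keys, self.pending = rp_id, origin, {}, {}
    def enroll(self, user: str, key: Authenticator):
        self.keys[user] = key.register(self.rp_id)
    def challenge(self, user: str) -> str:
        self.pending[user] = hashlib.sha256(f"{user}:{time.time_ns()}".encode()).hexdigest()
        return self.pending[user]
    def verify(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes):
        cd = json.loads(client_data)
        if cd.get("challenge") != self.pending.pop(user, None):
            return False, "challenge mismatch or replay"
        if cd.get("origin") != self.origin:
            return False, f"origin {cd.get('origin')} is not {self.origin}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.keys[user], auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expected, sig) else (False, "bad signature")

def legitimate_login(rp: RelyingParty, user: str, key: Authenticator):
    ch = rp.challenge(user)
    return rp.verify(user, *browser_get_assertion(rp.origin, rp.rp_id, ch, key))

def vishing_login_attempt(rp: RelyingParty, user: str, key: Authenticator):
    """Victim is on PHISH_ORIGIN; the caller relays a genuine challenge. Returns (accepted, log)."""
    ch, log = rp.challenge(user), []
    try:                                              # 1) page script asks the key for the real rpId
        browser_get_assertion(PHISH_ORIGIN, rp.rp_id, ch, key)
    except PermissionError as e:
        log.append(f"browser: {e}")
    if browser_get_assertion(PHISH_ORIGIN, PHISH_HOST, ch, key) is None:   # 2) page uses its own rpId
        log.append(f"authenticator: no credential for {PHISH_HOST}")
    key.register(PHISH_HOST)                          # 3) victim is talked into enrolling the key there
    ok, why = rp.verify(user, *browser_get_assertion(PHISH_ORIGIN, PHISH_HOST, ch, key))
    log.append(f"relying party: {why}")
    return ok, log

def demo():
    """Both scenarios against a fresh relying party and key (constructed TOTP seed)."""
    rp, key = RelyingParty(REAL_RP_ID, REAL_ORIGIN), Authenticator()
    rp.enroll("alice", key)
    return {"totp_relay_accepted": relay_totp_attack(b"12345678901234567890", int(time.time())),
            "legit": legitimate_login(rp, "alice", key), "vished": vishing_login_attempt(rp, "alice", key)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the vishing branch the page script first asks for the real rpId and the browser refuses; the page then has to use its own host, for which the key holds no credential; and even if the victim is talked into enrolling the key on the lookalike, the relying party rejects the result on the origin check before it reaches the signature, which would fail anyway because that credential is a different key. None of those checks depend on the user noticing anything, which is what the phone call is designed to prevent.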

Ultimately, phishing campaigns are the precursor of credential-based attacks, which are the leading cause of today’s data breaches. Organizations can increase their cyber resilience by aligning their cyber defense strategy with threat actors’ TTPs. However, as the emergence of vishing illustrates, organizations need to stay vigilant and adapt their strategies as their adversaries’ TTPs change.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
