SecurityWeek

Application Security

FBI Warns of Employee Credential Phishing via Phone, Chat

The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms.


Taking advantage of the COVID-19 pandemic, which has forced the broad adoption of telework, cybercriminals and other threat actors are attempting to exploit misconfigured or poorly monitored remote network access and user privileges.

One observed shift in tactics, the FBI says, is that attackers now target the credentials of all employees, not only those whose corporate role might give them higher access and privileges.

Cybercriminals were observed using social engineering against employees of large companies, both in the US and abroad. In vishing attacks (voice phishing conducted over phone calls, in this case placed through VoIP platforms), employees were tricked into visiting fake web pages and entering their corporate usernames and passwords.

“After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage,” the FBI explains.

In one attack, the agency says, the cybercriminals found an employee via the company’s chatroom and convinced them to log into a fake VPN page, which captured their credentials.

Using the compromised username and password, the threat actors then logged into the company’s VPN and started searching for employees who had higher privileges. They located an employee who could make username and email changes and used a chat room messaging service to phish for their credentials.

The infamous July 2020 Twitter hack, in which three youngsters gained access to the social platform’s internal tools and took control of high-profile accounts, is representative of how such an attack is performed: the attackers called multiple employees to phish for their credentials until they harvested those of someone with the privileges they were after.

“The Hackers used personal information about the employees to convince them that the Hackers were legitimate and could, therefore, be trusted. While some employees reported the calls to Twitter’s internal fraud monitoring team, at least one employee believed the Hackers’ lies,” the New York Department of Financial Services said in a report detailing the incident.

To mitigate such attacks, the FBI advises organizations to implement multi-factor authentication (MFA) for employee accounts, adopt the principle of least privilege (especially for new employee accounts), actively monitor the environment for unauthorized access or modifications, employ network segmentation, and issue two accounts to admins: one for email and another for making changes to systems.
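The "actively monitor for unauthorized access or modifications" advice maps directly onto the attack chain the notice describes: a VPN login from a source the account has never used, the same unfamiliar source then appearing on a second account, and a username or email change made shortly after one of those logins. The following is an added example, written for this article rather than taken from the FBI notice or from any vendor product, of that correlation run over a handful of constructed log lines. The log format (`vpn login user=... src=...`, `dir change actor=... target=... attr=...`), the per-user baseline of known-good source IPs, the one-hour window and the list of sensitive attributes are all assumptions made for the illustration; a real deployment would feed it VPN concentrator and directory audit logs and build the baseline from prior history.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for the example (not from the FBI notice or the article).
# Known-good VPN source IPs per user, e.g. built from 30 days of prior logins.
BASELINE = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.31"},
}

# Assumed VPN concentrator log format: alice logs in normally, then an
# unfamiliar IP logs in as alice and, later, as bob (the "second victim").
VPN_LOG = """\
2020-11-02T09:01:10Z vpn login user=alice src=198.51.100.20
2020-11-02T13:22:05Z vpn login user=alice src=203.0.113.77
2020-11-02T14:05:40Z vpn login user=bob src=203.0.113.77
"""

# Assumed directory audit log format: bob's account is the one that can
# change usernames and email addresses.
DIRECTORY_LOG = """\
2020-11-02T10:15:00Z dir change actor=bob target=carol attr=title
2020-11-02T14:11:12Z dir change actor=bob target=dave attr=email
2020-11-02T14:12:30Z dir change actor=bob target=dave attr=username
"""

# Attribute changes that let an attacker take over or lock out an account.
SENSITIVE_ATTRS = {"email", "username", "password", "mfa_device"}
WINDOW = timedelta(hours=1)

VPN_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+)$")
DIR_RE = re.compile(r"^(\S+) dir change actor=(\S+) target=(\S+) attr=(\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text):
    """Return [(ts, user, src_ip)] from the assumed VPN login line format."""
    out = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            out.append((_ts(m.group(1)), m.group(2), m.group(3)))
    return out


def parse_dir(text):
    """Return [(ts, actor, target, attr)] from the assumed directory audit format."""
    out = []
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            out.append((_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def analyze(vpn_events, dir_events, baseline, window=WINDOW):
    """Correlate unfamiliar-source VPN logins with sensitive directory changes."""
    alerts = []
    new_source_logins = []            # logins whose source IP is not in the user's baseline
    users_by_src = defaultdict(set)   # which accounts each unfamiliar IP has used

    for ts, user, src in vpn_events:
        if src not in baseline.get(user, set()):
            new_source_logins.append((ts, user, src))
            users_by_src[src].add(user)
            alerts.append({"kind": "new_source_login", "user": user, "src": src, "ts": ts})

    # One unfamiliar IP logging in as several accounts is the credential-harvesting
    # footprint: many phished victims, one operator.
    for src, users in users_by_src.items():
        if len(users) > 1:
            alerts.append({"kind": "shared_new_source", "src": src, "users": sorted(users)})

    # A sensitive change made within the window after the actor's own login from an
    # unfamiliar source is the "username and email changes" step of the attack.
    for ts, actor, target, attr in dir_events:
        if attr not in SENSITIVE_ATTRS:
            continue
        for lts, luser, lsrc in new_source_logins:
            if luser == actor and lts <= ts <= lts + window:
                alerts.append({"kind": "sensitive_change_after_new_source_login",
                               "actor": actor, "target": target, "attr": attr,
                               "src": lsrc, "ts": ts})
                break
    return alerts


def run():
    """Run the correlation over the constructed sample logs."""
    return analyze(parse_vpn(VPN_LOG), parse_dir(DIRECTORY_LOG), BASELINE)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data this raises five alerts: two unfamiliar-source logins (alice and bob from 203.0.113.77), one shared-source alert tying those two accounts to the same IP, and two sensitive-change alerts for bob's email and username edits on dave's account, which fall within an hour of bob's login from that IP. The 10:15 change bob made is ignored because a job title is not in the sensitive set and it is not preceded by an unfamiliar login. The baseline is the part that matters most in practice: without a per-user history of normal sources, every remote worker looks like an anomaly and the alerts become noise.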

“With so many people working from home, they are more likely to fall for this type of vishing scam because they don’t have the protective environment of being in their corporate offices,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.

“Organizations want to include vishing exercises within their robust security awareness, behaviors, and culture programs to ensure employees are aware of current dangers and can take the appropriate actions to reduce the risk of an attack by unauthorized people,” McQuiggan continued.

Related: The Evolution of Phishing: Welcome “Vishing”

Related: CISA, FBI Alert Warns of Vishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
