The FBI and the U.S. Cybersecurity and Infrastructure Security Agency on Thursday warned the private sector of a “voice phishing” campaign in which cybercriminals call up corporate employees to get them to hand over login credentials.
In a campaign that began in mid-July, unidentified attackers used stolen credentials to scour corporate databases for personal information they could monetize and use in other attacks, the FBI and CISA alert said. In some cases, the attackers “posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information…to gain the trust of the targeted employee,” the advisory says.
The warning caps a month in which cybercriminals have been rampantly employing “vishing,” as the voice phishing technique is known, to try to steal money. The attackers who took over celebrity Twitter accounts in July to run a bitcoin scam gained their access through vishing. Florida police arrested a 17-year-old and charged two others in connection with the hacking.
In the last month, dozens of companies, from cryptocurrency exchanges to banks, have been targeted through vishing, Wired reported. The attackers appear to be young and English-speaking and to coordinate with one another on forums, according to the report. That activity appears to have prompted the federal advisory Thursday.
The advisory describes an intricate level of planning by the perpetrators: they are not only calling their victims but also setting up spoofed virtual private network (VPN) login pages to capture the credentials employees type in, exploiting the fact that corporate employees continue to work from home because of the coronavirus and are used to logging in to a VPN portal.
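A defender's first move against the spoofed-portal half of this campaign is to watch for newly seen hostnames that imitate the company's real VPN or SSO portal. The script below is an added example written for this page, not code from the advisory or from any named vendor: it takes a list of candidate hostnames (in practice pulled from a certificate-transparency or new-domain feed; here a constructed sample) and flags the ones that combine the company's brand with a portal keyword, that sit under a foreign registrable domain, or that are digit-for-letter or typo variants of the real domain. The company name `examplecorp`, the legitimate hosts, the keyword list and the similarity threshold are all assumptions chosen for the example.

```python
from difflib import SequenceMatcher
from typing import Dict, Optional
import unicodedata

# Constructed example data (assumption, not from the advisory): the real
# VPN/SSO portals of a fictional company and its brand token.
LEGIT_HOSTS = {"vpn.examplecorp.com", "sso.examplecorp.com"}
OUR_DOMAIN = "examplecorp.com"
BRAND = "examplecorp"

# Portal-style words that often appear in lookalike registrations
# (assumption; extend from your own sightings).
KEYWORDS = frozenset({"vpn", "sso", "support", "helpdesk", "ticket",
                      "employee", "portal", "login", "remote"})

# Digit/symbol-for-letter swaps commonly used to imitate a brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "@": "a", "$": "s"})


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    Assumption: no multi-label public suffixes (e.g. .co.uk) in the data."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(host: str) -> str:
    """Fold Unicode to ASCII where possible and undo digit-for-letter swaps,
    so that examp1ecorp.com compares equal to examplecorp.com."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return folded.lower().rstrip(".").translate(HOMOGLYPHS)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify(host: str) -> Optional[str]:
    """Return a reason string if `host` looks like a spoof of our portal,
    or None if it is one of ours or plainly unrelated."""
    host = host.lower().rstrip(".")
    if registrable(host) == OUR_DOMAIN:
        return None                       # a real subdomain of ours
    norm = normalize(host)
    norm_reg = registrable(norm)
    if norm_reg == OUR_DOMAIN:
        return "homoglyph-domain"         # e.g. examp1ecorp.com
    labels = set(norm.replace("-", ".").split("."))
    if BRAND in norm:
        # e.g. vpn-examplecorp.com, examplecorp-support.net
        if labels & KEYWORDS:
            return "brand-plus-keyword"
        # e.g. examplecorp.com.evil.net or a TLD swap such as examplecorp.co
        return "brand-in-foreign-domain"
    # Typos / transpositions of the brand in the registrable label.
    if similarity(norm_reg.split(".")[0], BRAND) >= 0.8:
        return "near-miss-domain"
    return None


def flag_lookalikes(candidates) -> Dict[str, str]:
    """Map each suspicious hostname to the reason it was flagged."""
    flagged = {}
    for host in candidates:
        reason = classify(host)
        if reason:
            flagged[host] = reason
    return flagged


# Constructed sample of "newly seen" hostnames (not real sightings).
SAMPLE_CANDIDATES = [
    "vpn.examplecorp.com",          # ours
    "sso.examplecorp.com",          # ours
    "vpn-examplecorp.com",          # brand + keyword
    "examplecorp-support.net",      # brand + keyword
    "examp1ecorp.com",              # digit homoglyph
    "exampelcorp.com",              # transposition typo
    "examplecorp.com.evil.net",     # brand buried in a foreign domain
    "examplepaper.com",             # unrelated
]

if __name__ == "__main__":
    for host, reason in flag_lookalikes(SAMPLE_CANDIDATES).items():
        print(f"{host:32} {reason}")
```

A hit from this list is only a lead: the next step is to check whether the domain serves a login form copying the real portal, and to ask the identity provider whether any of the company's accounts authenticated from an unfamiliar IP shortly after the domain appeared. The brand-substring rules will also match benign third-party names that happen to contain the brand, so tune the keyword set and threshold against a week of your own feed before alerting on it.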
The FBI and CISA told companies to consider instituting a formal process for validating the identity of employees who call each other.
ZDNet was first to report on the alert.