The Evolution of Phishing: Welcome “Vishing”
Post-mortem analysis of data breaches shows that most of today’s cyber-attacks are front-ended by phishing campaigns. The recent CryptoForHealth Twitter hack is just one of many examples. This is not surprising, since the easiest way for a threat actor to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has far broader access and therefore hands the intruder “the keys to the kingdom”. While paying close attention to established attacker tactics, techniques, and procedures (TTPs) increases an organization’s ability to implement effective cyber defense strategies, businesses also need to stay abreast of emerging TTPs. A good example is vishing, which is a new take on an old scam.
By now security professionals are painfully aware of phishing, which uses social engineering tactics to solicit personal information from unsuspecting users. Traditionally, threat actors craft phishing emails to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that takes them to a fraudulent website that looks authentic. The user may then be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.
To exploit the ubiquitous use of smartphones, threat actors have augmented their TTPs and are now delivering their attacks via SMS or direct phone calls. On August 20, 2020, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security advisory warning about an ongoing wave of vishing attacks targeting the US private sector.
Vishing is a form of criminal phone fraud, combining one-on-one phone calls with custom phishing sites. The threat actor’s objective is to persuade the target either to reveal their credentials over the phone or to input them manually at a website set up by the cyber adversary that impersonates the company’s corporate email or virtual private network (VPN) portal.
According to the advisory, the uptick in usage of this TTP is driven by the COVID-19 pandemic, which has resulted in a mass shift to working from home, the widespread use of corporate VPNs, and elimination of in-person verification.
How to Protect Against Vishing
IT security professionals can implement the following proactive measures to protect their organization:
• Security Awareness Training: Incorporate vishing detection education in your overall security awareness training program. This is a good reminder that it is important to update your training content frequently to account for changes in TTPs. Furthermore, augment the training with phishing simulations to gauge your employees’ awareness level and correct their behavior.
• Restrict VPN Connections: Use mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN. Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
• Employ Domain Monitoring: Track the creation of, or changes to, corporate, brand-name domains.
• Harden Use of MFA: If not yet implemented, enforce multi-factor authentication (MFA), which requires multiple methods of identification (something you know, something you have, and something you are) and is therefore one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. If MFA has already been implemented, harden your usage by deploying authenticators that support NIST SP 800-63-3 Assurance Level 3. These hardware-based devices (e.g., YubiKey, Titan Security Key) are proven to be a reliable deterrent.
• Apply Least Privilege: Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Gartner has identified Privileged Access Management as one of the Top 10 information security projects over the last two years, since it is an area where organizations can achieve the greatest return on IT security investments.
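One way to operationalize the “Employ Domain Monitoring” item above, as an added example that is not part of the original post: a small Python screen that flags newly registered domains resembling a corporate brand or one of its email/VPN portal names, the kind of site a vishing caller directs a victim to. The brand name, homoglyph table, keyword list and domain feed are constructed sample values, not data from the advisory.

```python
import re

# Visual substitutions commonly seen in lookalike registrations (constructed table).
# Note: "rn" -> "m" can also rewrite legitimate words, so treat hits as leads, not verdicts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Words that mimic the corporate email / VPN portals a vishing site impersonates.
PORTAL_WORDS = ("vpn", "sso", "mail", "login", "okta", "portal", "remote")

BRAND = "acme"                          # constructed sample brand
KNOWN_DOMAINS = {"acme.com"}            # the organisation's legitimate domains
NEW_DOMAIN_FEED = ["acme.com", "acme-vpn.com", "acrne.com", "acme.net", "acmee.co",
                   "mail-acme-login.com", "example.com", "acrne-sso.net"]  # constructed feed


def normalize(label: str) -> str:
    """Lower-case, undo homoglyph substitutions, and keep letters only."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan(feed, brand, known, max_distance=1):
    """Return (domain, reason) pairs for feed entries that resemble the brand."""
    findings = []
    brand_n = normalize(brand)
    for domain in feed:
        domain = domain.lower().rstrip(".")
        if domain in known:
            continue                                   # the organisation's own domain
        raw_label = domain.split(".")[0]               # registrable label, e.g. 'acme-vpn'
        label = normalize(raw_label)
        distance = levenshtein(label, brand_n)
        if raw_label == brand.lower():
            findings.append((domain, "brand on unexpected TLD"))
        elif brand_n in label and any(w in label for w in PORTAL_WORDS):
            findings.append((domain, "brand plus portal keyword"))
        elif distance <= max_distance:
            findings.append((domain, f"lookalike (edit distance {distance})"))
    return findings


FINDINGS = scan(NEW_DOMAIN_FEED, BRAND, KNOWN_DOMAINS)  # flags 6 of the 8 sample domains
```

In practice the feed would come from a certificate-transparency log or newly-registered-domain service, and each finding should be triaged by a person before any blocking action.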
Ultimately, phishing campaigns are the precursor of credential-based attacks, which are the leading cause of today’s data breaches. Organizations can increase their cyber resilience by aligning their cyber defense strategy with threat actors’ TTPs. However, as the emergence of vishing illustrates, organizations need to stay vigilant and adapt their strategies in response to changes in their adversaries’ TTPs.