Cyber-attacks have shifted to a new take on an old method, also referred to as the vishing attack
Phishing campaigns have spearheaded data breach attacks on enterprises. The recent CryptoForHealth Twitter hack was yet another example of the same. CIOs are not surprised by this modus operandi, as it is common for threat actors to use compromised users’ credentials and identities to gain illegal access to sensitive data.
The attack becomes even more severe when the compromised credentials belong to a privileged end-user. Such users have varied and broad access that hands hackers the proverbial “keys to the kingdom.”
Organizations monitor the already established tactics, techniques, and procedures (TTPs) followed by hackers to ward off potential attacks. It is imperative that organizations also pay attention to emerging TTPs. This includes vishing attacks, a new face on an old strategy.
A majority of security personnel are already aware of phishing attacks. It consists of hackers deploying social engineering methods to harvest personal information from naïve users.
Most of these malicious actors create phishing emails that appear to come from authentic enterprises or acquaintances. Such emails often encourage the receiver to click links in the mail that direct them to fake websites that look legitimate.
The end-user is then prompted to enter their account usernames, personal data, passwords, etc. Such data can often expose users to future attacks as well. Most of these websites also host malicious code.
Going a step further, hackers have updated their TTPs to include smartphones. Now attacks are launched via direct phone calls or SMS. The CISA and the Federal Bureau of Investigation recently published a joint security advisory. The advisory highlighted the recent spate of vishing attacks that have plagued American organizations.
Vishing is a form of criminal phone fraud that combines personal phone calls with personalized phishing attacks. The hacker’s primary goal is to entice the victim to either manually input their details into the fraudulent website or reveal their identity credentials over the call. The fake website will generally duplicate an enterprise’s corporate email or VPN portal.
The use of this particular TTP was boosted by the pandemic-induced remote workforce. It led to increased use of corporate virtual private networks and the near-complete removal of in-person verification.
Steps to be taken against Vishing
Security leaders propose the following steps as effective measures against possible vishing attacks:
Restricting VPN connections
It is prudent to follow protocols such as checking for an installed client certificate or a registered hardware device, so that credentials entered by an employee are not by themselves sufficient to access the corporate VPN. VPN access outside usual business hours can also be restricted, which limits what an attacker can do with stolen credentials.
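The two controls described above can be expressed as a simple policy evaluated against VPN authentication events. The following is an added example written for this article, not code from the article or from any VPN product: it parses a few constructed log lines in an assumed key=value format, refuses any login that lacks a verified client certificate or falls outside an assumed business-hours window, and separately lists the logins where the password was correct but a second check failed, which is the trace a stolen-credential attempt leaves behind.

```python
"""Added example (not from the article): evaluate VPN login attempts against
a policy in which a verified client certificate is required in addition to
the user's credentials, and logins outside business hours are refused.

The log format, field names and the business-hours window are assumptions
made for this illustration; real VPN gateways log differently."""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed policy values: a working day of 08:00-19:00, Monday to Friday.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday == 0

# Constructed sample events in an assumed "key=value" format.
# 2020-08-24 is a Monday and 2020-08-23 is a Sunday.
SAMPLE_LOG = """\
ts=2020-08-24T10:15:00 user=alice src=203.0.113.10 cred=ok cert=verified
ts=2020-08-24T10:40:00 user=bob src=198.51.100.7 cred=ok cert=missing
ts=2020-08-23T02:05:00 user=carol src=192.0.2.44 cred=ok cert=verified
ts=2020-08-24T23:30:00 user=dave src=203.0.113.99 cred=ok cert=missing
ts=2020-08-24T11:00:00 user=erin src=203.0.113.12 cred=fail cert=verified
"""


@dataclass
class Decision:
    user: str
    allowed: bool
    reasons: list  # empty when the login is allowed


def parse_line(line: str) -> dict:
    """Turn one 'k=v k=v ...' line into a dict, parsing the timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def within_business_hours(ts: datetime) -> bool:
    return ts.weekday() in WORKDAYS and BUSINESS_START <= ts.time() <= BUSINESS_END


def evaluate(event: dict) -> Decision:
    """Apply every check and record each failure, so the reasons are
    available for alerting rather than only an allow/deny bit."""
    reasons = []
    if event["cred"] != "ok":
        reasons.append("bad credentials")
    if event["cert"] != "verified":
        reasons.append("no verified client certificate")
    if not within_business_hours(event["ts"]):
        reasons.append("outside business hours")
    return Decision(event["user"], not reasons, reasons)


def evaluate_log(text: str) -> list:
    return [evaluate(parse_line(line)) for line in text.splitlines() if line.strip()]


def suspicious_credential_use(decisions: list) -> list:
    """Users whose password was accepted but who still failed the policy:
    a correct password from the wrong device or at the wrong time is the
    signature of credentials harvested by phishing or vishing."""
    return [d.user for d in decisions
            if not d.allowed and "bad credentials" not in d.reasons]


if __name__ == "__main__":
    results = evaluate_log(SAMPLE_LOG)
    for d in results:
        print(f"{d.user:6} {'ALLOW' if d.allowed else 'DENY '} {', '.join(d.reasons)}")
    print("investigate:", suspicious_credential_use(results))
```

With the constructed input only alice is admitted; bob and dave are refused for lacking a certificate, carol for logging in on a Sunday, and erin for a wrong password. The investigate list contains bob, carol and dave but not erin, since a failed password is ordinary noise while an accepted password that trips the other checks is worth a look.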
Employee security awareness training
Organizations should implement vishing detection training as part of their comprehensive security awareness training. Such programs should also require training teams to update the content frequently to cover new TTPs. Phishing simulations are also a good way to check employees’ security awareness level and teach best practices.
CISOs propose increased use of multi-factor authentication, domain monitoring, and defining permission standards based on the principle of least privilege. Organizations can update their cyber resilience based on the hackers’ TTPs. Staying vigilant to emerging tactics is an encouraged practice across the cybersecurity industry.