© Krissikunterbunt | Dreamstime
Cybercriminal 5f602d67c1399

Cybercriminals Target Remote Workers

Sept. 15, 2020
FBI warns employers about new wrinkle to old scams.

Hackers have found a new way to invade corporate computer systems through the devices of employees who are working at home because of the Coronavirus pandemic. The threat is designed to exploit vulnerabilities created by increased use of corporate virtual private networks (VPNs) and elimination of in-person verification

The situation is so serious that the FBI and the U.S. Cybersecurity Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory Alert that warns employers about the problem and offers timely advice about what are the best steps to take to prevent it from happening to them and how to deal with it when it occurs.

This isn’t the first time the federal government has warned employers about the vulnerabilities of remote work to cybercriminal attacks. The U.S. Secret Service issued a notice that cybercriminals are distributing mass e-mails posing as legitimate medical or health organizations. The FBI also has regularly issued warnings about ransomware attacks originating overseas, which often target hospitals around the country.

The hackers’ latest campaign began in mid-July and uses a technique called voice phishing, or vishing. “Cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access,” the federal agencies reported.

Vishing scams have evolved into coordinated and sophisticated campaigns aimed at obtaining a company’s confidential, proprietary and trade secret information through its VPN. The criminals have found a way to do so with the help of a company’s own employees.

“It is difficult to detect a security breach when it comes through your employees’ own keystrokes,” observe attorneys Kevin Cloutier and Mikela Sutrina of the law firm of Sheppard Mullin Richter & Hampton. “Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” they explain. “The monetizing method varied depending on the company, but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme.”

VPNs are widely used in the current telework environment and are intended to be a secure platform for remote employees to log into their company’s network from home. Many companies use VPNs because they not only provide secure remote connections, but also allow the company to monitor employees’ activity on the network and supposedly also allow detection of security breaches.

The hackers largely target vulnerable individuals via personal attacks, such as making a phone call seeking bank or credit card account information for a “compromised” account. In other cases, the calls pretend to be from the IRS to verify an individual’s Social Security number, or are targeted Medicare and Social Security scams, Cloutier and Sutrina point out.

How Scammers Do It

According to the strategy identified by the FBI and CISA, the cybercrime group identifies a company target and exhaustively researches its workforce. The attackers compile “dossiers” on employee victims based on a “scrape” of their virtual social media presence.

From an employee’s social media profiles, the attackers are able to learn the employee’s name, location, place of work, position, duration at the company and sometimes even the employee’s home address.

Next, the hackers register a domain and create phishing webpages duplicating a company’s internal VPN login page. These phishing webpages also have the capability to capture two-factor authentication or one-time passwords by mirroring the company’s own security protocols, the attorneys note.

Then, an attacker contacts an employee on his or her personal cellphone and poses as an internal IT professional or help desk employee with a security concern. The “visher” gains the trust of the employee by leveraging the information compiled on that employee in the research phase and convinces the employee that the scammer needs to login into a new VPN link in order to address a security issue or other IT need.

The attacker sends the unsuspecting employee a link to the fake VPN page, which looks just like the company’s own VPN login site. The employee inputs his or her username and password into the domain and clicks the login link. If applicable, the employee also completes the two-factor authentication or one-time password request.

“With a single click on the VPN link, the attacker has the employee’s entire suite of credentials,” Cloutier and Sutrina observe. Attackers use this access to mine the company’s databases, records and files to obtain information to leverage against the company for ransom or even for use in other cyberattacks.

As a result, the company’s confidential, proprietary and trade secret information is up for grabs, leading to substantial ransom costs, forensic fees and costs, employee and customer notice obligations, and creating potentially significant liability for security breaches.

Take Protective Measures

“With teleworking continuing into the foreseeable future, employers must think critically about their security protocols and take steps to prevent employees from unwittingly walking into a vishing (or other phishing) trap,” the attorneys warn.

The advice to employers given by the FBI and CISA includes:

● Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

● Restrict VPN access hours, where applicable, to mitigate access outside of customarily allowed times.

● Employ domain monitoring to track the creation of, or changes to, corporate brand-name domains.

● Actively scan and monitor Web applications to reveal unauthorized access, modification and anomalous activities.

● Employ the principle of “least privilege” and implement software restriction policies or other controls, monitoring authorized user accesses and usage.

● Potentially deploy a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.

“Depending on the organization, not all of the advisory’s tips are feasible,” Cloutier and Sutrina admit. “But all companies should heed the agencies’ warning and continue to critically assess security protocols, VPNs and network access to protect their confidential, proprietary and trade secret information.”

Separately, companies should continue to engage and train employees about what is considered proper network usage, security concerns and when to call a secure IT number, they stress.

“Cybercriminals will continue to take advantage of remote employees. Companies should regularly remind employees to be suspicious of any request for their log-ins and credentials (or other personal information) and remind employees where to go and whom to contact if they have any security concerns.”

About the Author

David Sparkman

David Sparkman is founding editor of ACWI Advance (www.acwi.org), the newsletter of the American Chain of Warehouses Inc. He also heads David Sparkman Consulting, a Washington D.C. area public relations and communications firm. Prior to these he was director of industry relations for the International Warehouse Logistics Association. Sparkman has also been a freelance writer, specializing in logistics and freight transportation. He has served as vice president of communications for the American Moving and Storage Association, director of communications for the National Private Truck Council, and for two decades with American Trucking Associations on its weekly newspaper, Transport Topics.

Sponsored Recommendations

Avetta Named a Leader in The Verdantix Green Quadrant: Supply Chain Sustainability Software 2024

Nov. 26, 2024
Avetta was named a leader by Verdantix in a 2024 sustainability software report for our ability to help clients and suppliers build sustainable supply chains.

Avetta is a Leader in Supply Chain Sustainability Software

Nov. 26, 2024
Verdantix has named Avetta a leader in its 2024 Green Quadrant for Supply Chain Sustainability Software. Download the report for independent insights into market trends and top...

The Power of Benchmarking in Procurement: Driving Success and Strategic Planning

Nov. 26, 2024
Explore the strategic impact of benchmarking in procurement to drive success and plan effectively.

What We Can Learn From OSHA's 2024 Top 10 Safety Violations

Nov. 26, 2024
Learn what OSHA’s 2024 top 10 incident list reveals about the limitations of compliance and the need for proactive, continual safety improvement.

Voice your opinion!

To join the conversation, and become an exclusive member of EHS Today, create an account today!