Cybercriminals Target Remote Workers

Sept. 15, 2020
FBI warns employers about new wrinkle to old scams.

Hackers have found a new way to invade corporate computer systems through the devices of employees who are working at home because of the Coronavirus pandemic. The threat is designed to exploit vulnerabilities created by increased use of corporate virtual private networks (VPNs) and the elimination of in-person verification.

The situation is so serious that the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory Alert that warns employers about the problem and offers timely advice about the best steps to take to prevent it from happening to them and how to respond when it occurs.

This isn’t the first time the federal government has warned employers about the vulnerabilities of remote work to cybercriminal attacks. The U.S. Secret Service issued a notice that cybercriminals are distributing mass e-mails posing as legitimate medical or health organizations. The FBI also has regularly issued warnings about ransomware attacks originating overseas, which often target hospitals around the country.

The hackers’ latest campaign began in mid-July and uses a technique called voice phishing, or vishing. “Cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access,” the federal agencies reported.

Vishing scams have evolved into coordinated and sophisticated campaigns aimed at obtaining a company’s confidential, proprietary and trade secret information through its VPN. The criminals have found a way to do so with the help of a company’s own employees.

“It is difficult to detect a security breach when it comes through your employees’ own keystrokes,” observe attorneys Kevin Cloutier and Mikela Sutrina of the law firm of Sheppard Mullin Richter & Hampton. “Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” they explain. “The monetizing method varied depending on the company, but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme.”

VPNs are widely used in the current telework environment and are intended to be a secure platform for remote employees to log into their company’s network from home. Many companies use VPNs because they not only provide secure remote connections, but also allow the company to monitor employees’ activity on the network and supposedly also allow detection of security breaches.

The hackers largely target vulnerable individuals via personal attacks, such as making a phone call seeking bank or credit card account information for a “compromised” account. In other cases, the calls pretend to be from the IRS to verify an individual’s Social Security number, or are targeted Medicare and Social Security scams, Cloutier and Sutrina point out.

How Scammers Do It

According to the strategy identified by the FBI and CISA, the cybercrime group identifies a company target and exhaustively researches its workforce. The attackers compile “dossiers” on employee victims based on a “scrape” of their virtual social media presence.

From an employee’s social media profiles, the attackers are able to learn the employee’s name, location, place of work, position, duration at the company and sometimes even the employee’s home address.

Next, the hackers register a domain and create phishing webpages duplicating a company’s internal VPN login page. These phishing webpages also have the capability to capture two-factor authentication or one-time passwords by mirroring the company’s own security protocols, the attorneys note.

Then, an attacker contacts an employee on his or her personal cellphone and poses as an internal IT professional or help desk employee with a security concern. The “visher” gains the trust of the employee by leveraging the information compiled on that employee in the research phase and convinces the employee to log in to a new VPN link in order to address a security issue or other IT need.

The attacker sends the unsuspecting employee a link to the fake VPN page, which looks just like the company’s own VPN login site. The employee enters his or her username and password on the fake page and clicks the login button. If applicable, the employee also completes the two-factor authentication or one-time password request.

“With a single click on the VPN link, the attacker has the employee’s entire suite of credentials,” Cloutier and Sutrina observe. Attackers use this access to mine the company’s databases, records and files to obtain information to leverage against the company for ransom or even for use in other cyberattacks.

As a result, the company’s confidential, proprietary and trade secret information is up for grabs, leading to substantial ransom costs, forensic fees and costs, employee and customer notice obligations, and creating potentially significant liability for security breaches.

Take Protective Measures

“With teleworking continuing into the foreseeable future, employers must think critically about their security protocols and take steps to prevent employees from unwittingly walking into a vishing (or other phishing) trap,” the attorneys warn.

The advice to employers given by the FBI and CISA includes:

● Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

● Restrict VPN access hours, where applicable, to mitigate access outside of customarily allowed times.

● Employ domain monitoring to track the creation of, or changes to, corporate brand-name domains.

● Actively scan and monitor Web applications to reveal unauthorized access, modification and anomalous activities.

● Employ the principle of “least privilege” and implement software restriction policies or other controls, monitoring authorized user accesses and usage.

● Potentially deploy a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
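Three of the advisory’s controls above (managed devices only, restricted access hours, and monitoring for look-alike brand domains) are mechanical checks that can be run over a VPN gateway’s logs and a feed of newly registered domains. The following is an added example written for this article, not code from the FBI/CISA advisory or from any vendor: the log format, the hostname examplecorp, the allowed-hours window and the log lines themselves are all constructed for illustration, so a real gateway’s fields will differ.

```python
"""Added example (not from the article or the FBI/CISA advisory).

Applies two advisory controls to constructed VPN login events and adds a
simple look-alike check for brand-domain monitoring. Every field name,
hostname and log line here is constructed for illustration.
"""
from datetime import datetime, time
from difflib import SequenceMatcher

# Assumed policy: VPN sessions only between 06:00 and 22:00 local time, and
# only from devices that presented a managed-device certificate.
ALLOWED_START = time(6, 0)
ALLOWED_END = time(22, 0)

# Constructed log lines in a key=value layout (an assumption, not a real
# gateway format). A stolen password plus a replayed MFA code would produce
# the third and fourth lines: "mfa=ok" but no device certificate.
SAMPLE_LOGS = [
    "ts=2020-07-20T09:12:04 user=jdoe src=203.0.113.10 device_cert=present mfa=ok result=allow",
    "ts=2020-07-20T23:41:50 user=asmith src=198.51.100.7 device_cert=present mfa=ok result=allow",
    "ts=2020-07-21T10:05:17 user=jdoe src=192.0.2.44 device_cert=absent mfa=ok result=allow",
    "ts=2020-07-21T03:30:00 user=bwong src=192.0.2.9 device_cert=absent mfa=ok result=allow",
]


def parse_line(line):
    """Split one key=value log line into a dict and parse the timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def evaluate(event):
    """Return the list of policy findings for one parsed login event."""
    findings = []
    # Control 1: user input alone is not enough; the device must be managed.
    if event.get("device_cert") != "present":
        findings.append("unmanaged-device")
    # Control 2: flag sessions outside the customary access window.
    t = event["ts"].time()
    if not (ALLOWED_START <= t <= ALLOWED_END):
        findings.append("outside-hours")
    return findings


def audit(lines):
    """Map user -> list of (timestamp, findings) for events that break policy."""
    report = {}
    for line in lines:
        ev = parse_line(line)
        findings = evaluate(ev)
        if findings:
            report.setdefault(ev["user"], []).append((ev["ts"].isoformat(), findings))
    return report


# Control 3: domain monitoring. BRAND is the organization's own registrable
# label (constructed here); a real feed would be new-registration data.
BRAND = "examplecorp"


def is_lookalike(domain, brand=BRAND, threshold=0.8):
    """True if a registered domain embeds the brand or is a near misspelling.

    Takes the second-to-last label as the registrable name, which assumes a
    single-label TLD such as .com or .net (a simplification for the example).
    """
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    label = label.replace("-", "")
    if label == brand:
        return False  # the organization's own registration
    if brand in label:
        return True  # e.g. examplecorp-vpn.net
    return SequenceMatcher(None, label, brand).ratio() >= threshold


if __name__ == "__main__":
    for user, events in audit(SAMPLE_LOGS).items():
        for ts, findings in events:
            print(f"{user} {ts} {','.join(findings)}")
    for d in ["examplecorp.com", "examplecorp-vpn.net", "exampIecorp.com", "github.com"]:
        print(d, "LOOKALIKE" if is_lookalike(d) else "ok")
```

The device-certificate check is the one that directly defeats the scenario the article describes: the vished username, password and one-time code are all valid, so only a property of the endpoint that the employee cannot be talked into handing over distinguishes the real laptop from the attacker’s machine. The hours check and the domain check are weaker signals on their own and are better treated as alert triggers than as blocks.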

“Depending on the organization, not all of the advisory’s tips are feasible,” Cloutier and Sutrina admit. “But all companies should heed the agencies’ warning and continue to critically assess security protocols, VPNs and network access to protect their confidential, proprietary and trade secret information.”

Separately, companies should continue to engage and train employees about what is considered proper network usage, security concerns and when to call a secure IT number, they stress.

“Cybercriminals will continue to take advantage of remote employees. Companies should regularly remind employees to be suspicious of any request for their log-ins and credentials (or other personal information) and remind employees where to go and whom to contact if they have any security concerns.”
