This article from Krebs on Security demonstrates how hackers penetrate financial and other corporate networks by tricking employees into divulging all the security protections you have layered over your site. These criminals pose as new employees in IT and ask for everything they need—and they often get it.
The hackers are able to seem like credible employees by having fake social network connections, as with LinkedIn, to other employees and fake internal IT web sites that they ask the employee to log into. The article includes images of these fake web sites mimicking Bank of America, Verizon, Github, and AT&T. These fake web sites are designed to ask for OTP permissions so those permissions can be re-used to access your actual employee portal.
Here’s more coverage from the article:
“ ‘They’ll say ‘Hey, I’m new to the company, but you can check me out on LinkedIn’ or Microsoft Teams or Slack, or whatever platform the company uses for internal communications,’ Allen said. ‘There tends to be a lot of pretext in these conversations around the communications and work-from-home applications that companies are using. But eventually, they tell the employee they have to fix their VPN and can they please log into this website.’
The domains used for these pages often invoke the company’s name, followed or preceded by hyphenated terms such as “vpn,” “ticket,” “employee,” or “portal.” The phishing sites also may include working links to the organization’s other internal online resources to make the scheme seem more believable if a target starts hovering over links on the page.
Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real-time.
Time is of the essence in these attacks because many companies that rely on VPNs for remote employee access also require employees to supply some type of multi-factor authentication in addition to a username and password — such as a one-time numeric code generated by a mobile app or text message. And in many cases, those codes are only good for a short duration — often measured in seconds or minutes.
But these vishers can easily sidestep that layer of protection, because their phishing pages simply request the one-time code as well.
Allen said it matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.
And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.
Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization, Nixon said.
‘These guys are calling companies over and over, trying to learn how the corporation works from the inside,’ she said.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group