Dozens of banks, cryptocurrency exchanges, and web hosting firms have experienced vishing attacks aimed at eventually stealing cryptocurrency from high net-worth customers.
This attack sounds very much like the recent Twitter vishing attack that left many high-profile Twitter accounts in the control of cybercriminals – albeit for a short period of time. But this one comes with a twist. In the Twitter attack, the accounts of high-profile individuals such as Elon Musk and Joe Biden were compromised using vishing. But in this most recent case, vishing attacks are being used in a much longer-tailed campaign with customers of the initially compromised organizations as the final target.
The attackers build detailed intelligence on their victim organizations via LinkedIn and other online services to construct org charts. They then target individuals who are new to the company, posing as IT staff to trick them out of their passwords to internal systems. The eventual goal appears to be identifying customers of those compromised organizations who have a high net worth, in order to launch a second phase of the attack in which those customers are attacked – likely by someone posing as the initial victim organization – to gain access to their cryptocurrency accounts.
It’s a material amount of time invested, but the potential payoff could be huge. And it all starts with some simple social engineering over the phone: “Hi! This is Stu from IT!”
Organizations can easily thwart these vishing attacks with Security Awareness Training. Users that are educated to be watching for any interactions via email, web, or phone that are out of the ordinary (You call IT; they never call you!), will be suspicious of such interactions and not fall for them. Cutting off an attack at this step renders the rest of the attack useless.