Brian Krebs wrote: "The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks.
But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.
According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or “bounties,” where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.
And over the past six months, the criminals responsible have created dozens if not hundreds of phishing pages targeting some of the world’s biggest corporations. For now at least, they appear to be focusing primarily on companies in the financial, telecommunications and social media industries.
“For a number of reasons, this kind of attack is really effective,” said Allison Nixon, chief research officer at New York-based cyber investigations firm Unit 221B. “Because of the Coronavirus, we have all these major corporations that previously had entire warehouses full of people who are now working remotely. As a result the attack surface has just exploded.”"
If you want to test your employees and inoculate them against attacks like this, we have a vishing social engineering test ready for you to roll out. For vishing, we even have international numbers; the countries we have numbers for are listed at the link below, if you scroll down a bit. Ask for a demo and get your rep to show you this feature.
https://support.knowbe4.com/hc/en-us/articles/227567968-Vishing
Story continued at Krebs on Security:
https://krebsonsecurity.com/2020/08/voice-phishers-targeting-corporate-vpns/