
FBI, CISA Echo Warnings On 'Vishing' Threat


  • FBI, CISA Echo Warnings On 'Vishing' Threat

    The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or "vishing" attacks targeting companies.

    The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.

    The advisory includes a number of suggestions that companies can implement to help mitigate the threat from these vishing attacks, including:

    • Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

    • Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

    • Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

    • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

    • Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

    • Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.

    • Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

    • Verify web links do not have misspellings or contain the wrong domain.

    • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

    • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

    • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

    • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

    • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

    https://krebsonsecurity.com/wp-conte...sa-vishing.pdf

    https://krebsonsecurity.com/2020/08/...ishing-threat/
    Last edited by dlevere; 08-23-2020, 06:26:08 AM.
    The Hackmaster
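Two of the advisory items above, "employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains" and "verify web links do not have misspellings or contain the wrong domain", come down to the same check: does a host look like one of ours without being one of ours? The following Python script is an added example (it is not from the advisory, the KrebsOnSecurity article, or this post) that runs that check over a constructed feed of newly registered domains and over individual URLs. The corporate domains, the confusable-character table and the sample feed are all assumptions made up for the example; a production version would also use the public suffix list rather than the last-two-labels shortcut used here.

```python
"""Lookalike-domain check for the 'domain monitoring' and 'verify web links'
items in the FBI/CISA vishing advisory. Added example; not from the advisory
or the forum post. Corporate domains and the sample feed are constructed."""
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately owns (assumption).
CORPORATE_DOMAINS = {"example-corp.com", "vpn.example-corp.com"}

# Common look-alike substitutions seen in typosquats (illustrative, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed feed of "newly registered" domains, as a domain-monitoring
# service might deliver it.
SAMPLE_FEED = [
    "exampel-corp.com",          # transposed letters
    "example-corp.net",          # same name, different TLD
    "examp1e-corp.com",          # digit 1 for letter l
    "secure-example-corp.com",   # brand name embedded in a longer name
    "unrelated-shop.org",        # genuinely unrelated
    "example-corp.com",          # our own domain, should be reported as legitimate
]


def normalize(label):
    """Fold confusable characters so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for a, b in CONFUSABLES.items():
        label = label.replace(a, b)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude registrable domain: last two labels. Real code uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(host, corporate=CORPORATE_DOMAINS, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    cand_reg = registered_domain(host)
    corp_regs = {registered_domain(d) for d in corporate}
    if cand_reg in corp_regs:
        return "legitimate"
    # A corporate domain used as a subdomain of someone else's domain,
    # e.g. example-corp.com.evil-host.net
    if any(c in host for c in corp_regs):
        return "lookalike"
    cand_base = normalize(cand_reg.split(".")[0])
    for corp in corp_regs:
        corp_base = normalize(corp.split(".")[0])
        if cand_base == corp_base:            # wrong TLD or confusable characters
            return "lookalike"
        if levenshtein(cand_base, corp_base) <= max_distance:   # small typo
            return "lookalike"
        if corp_base in cand_base:            # brand embedded in a longer name
            return "lookalike"
    return "unrelated"


def classify_link(url, corporate=CORPORATE_DOMAINS):
    """Return (hostname, verdict) for a URL, e.g. one read out over the phone."""
    host = urlparse(url).hostname
    if not host:
        return (None, "invalid")
    return (host, classify_domain(host, corporate))


def scan_registrations(feed, corporate=CORPORATE_DOMAINS):
    """Classify every domain in a registration feed, preserving feed order."""
    return [(d, classify_domain(d, corporate)) for d in feed]


if __name__ == "__main__":
    for domain, verdict in scan_registrations(SAMPLE_FEED):
        print(f"{verdict:10s} {domain}")
    print(classify_link("https://example-corp.com.evil-host.net/vpn"))
```

The verdict "lookalike" is a trigger for a human review and a takedown or blocking decision, not proof of abuse; a two-character edit distance will also flag the occasional legitimate registration, which is the intended trade-off for a monitoring feed.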