A social-engineering campaign targeting more than 130 U.S. companies aims to trick employees into thinking there is a VPN issue that needs fixing, but instead sends them to a fake VPN page loaded with malware.
Researchers at the GuidePoint Research and Intelligence Team (GRIT) explained in an Aug. 27 blog post that the bad actor starts by calling a user on their cell phone and introduces themselves as a member of the help desk looking to fix a VPN log-in issue.
If the threat actor succeeds in tricking the user on the phone, he or she then sends the user a link via SMS that points to a fake VPN site impersonating a legitimate vendor.
Since June 26, the threat actor has registered domain names that resemble the VPN technologies used by the targeted companies, the GRIT researchers noted in their post, listing domains that led users to what appeared to be mainstream VPN brands such as Cisco and Palo Alto Networks.
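Because the campaign hinges on registering lookalike domains, one practical detection is to score domains seen in DNS or proxy logs against the VPN brand names an organization actually uses. The following is an added example written for this article, not code from GRIT, SlashNext or the vendors named; it uses the brands mentioned above (Cisco, Palo Alto Networks) plus hypothetical product keywords, an allowlist, a constructed log format, and constructed sample domains, none of which are the domains from the real campaign.

```python
"""Lookalike-domain triage for VPN brand impersonation (added example).

Scores each queried domain by brand-keyword containment and, for
near-misses such as character substitution, by edit similarity.
"""
from difflib import SequenceMatcher

# Brand keywords: Cisco and Palo Alto Networks are named in the article;
# the product names are assumed, pick the ones your organization uses.
BRAND_TOKENS = ["cisco", "anyconnect", "paloalto", "globalprotect"]

# Registrable domains owned by the legitimate vendors (allowlist).
KNOWN_GOOD = {"cisco.com", "paloaltonetworks.com"}

# Similarity threshold for "resembles a brand" (tunable).
SIMILARITY_THRESHOLD = 0.8


def registrable_domain(fqdn):
    """Naive registrable domain: the last two labels.

    Good enough for the constructed sample data; a production version
    should use the Public Suffix List to handle TLDs like co.uk.
    """
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_domain(fqdn):
    """Return (score, reason) where score is 0.0..1.0."""
    reg = registrable_domain(fqdn)
    if reg in KNOWN_GOOD:
        return 0.0, "allowlisted"
    sld = reg.split(".")[0]
    # Strip separators attackers pad brand names with (cisco-vpn-login).
    compact = sld.replace("-", "").replace("_", "")
    best = 0.0
    reasons = []
    for tok in BRAND_TOKENS:
        if tok in compact:
            reasons.append(f"contains '{tok}'")
            best = 1.0
            continue
        ratio = SequenceMatcher(None, tok, compact).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            reasons.append(f"resembles '{tok}' ({ratio:.2f})")
            best = max(best, ratio)
    return best, "; ".join(reasons) or "no match"


def triage(log_lines):
    """Return (client, registrable_domain, reason) for each suspicious query.

    Log format is constructed for this example: "<time> <client> <domain>".
    """
    hits = []
    for line in log_lines:
        _ts, client, domain = line.split()
        score, why = score_domain(domain)
        if score >= SIMILARITY_THRESHOLD:
            hits.append((client, registrable_domain(domain), why))
    return hits


# Constructed sample DNS log; these domains are invented for the example.
SAMPLE_LOG = [
    "10:01:02 10.0.0.21 vpn.cisco.com",
    "10:03:15 10.0.0.21 cisco-anyconnect-login.net",
    "10:04:40 10.0.0.33 c1sco.net",
    "10:05:01 10.0.0.33 updates.example.com",
    "10:06:12 10.0.0.47 globalprotect-portal.org",
]

if __name__ == "__main__":
    for client, dom, why in triage(SAMPLE_LOG):
        print(f"{client} -> {dom}: {why}")
```

Two design choices matter here: the allowlist check runs first so the vendors' real portals never alert, and the separator-stripping step catches padded names ("cisco-anyconnect-login") that a plain keyword match on the hostname would also catch, while the edit-similarity pass covers single-character substitutions ("c1sco") that containment misses. Tune the threshold against your own traffic; 0.8 is a starting point, not a recommendation.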
Social-engineering techniques hard for security teams to detect
“The type of social engineering used in this campaign is particularly hard to detect given that it normally happens outside of the traditional visibility of security tools, such as via direct calls to users’ cell phones and the use of SMS/text messaging,” wrote the GRIT researchers. “Unless users report receiving these types of calls or messages, the security teams might not even be aware of the attack. The threat actor can also target multiple users via this method until they successfully get a user that is susceptible to this type of attack.”
Patrick Harr, chief executive officer at SlashNext Email Security, said it was unfortunate that such creative attacks continue to prey on unsuspecting users.
Using typosquatting domains — those that closely resemble the real VPN vendor’s domain — is not a new tactic, Harr said, but he noted that what’s more creative is the use of messaging channels outside of email.
“SMS is now the second most attacked vector and mobile phones have minimal to no protection, so that’s why threat actors are creatively attacking them with greater volume,” said Harr. “Training is no longer effective against these attacks alone. That’s why it’s imperative that organizations must employ AI-based anti-phishing in SMS and other messaging apps locally on the phone to pre-emptively thwart these attacks before they compromise employees.”
John Bambenek, president at Bambenek Consulting, added that while the technique of phishing users by impersonating third-party brands is not new, the use of VPNs is novel — and much more dangerous.
“This lets the attacker get unencrypted data by placing themselves as a trusted intermediary, especially if they can get a malicious CA installed on the device,” said Bambenek. “It’s explicitly targeting a weak link, BYOD and employees’ individual devices, knowing full well that enterprise tools won’t detect this.”