We continue to alert our readers to the uptick in vishing (voice phishing) attacks against companies and to how successful those attacks have been. Threat actors continue to be creative in developing strategies that use vishing to gain access to systems.
According to Cyberscoop, (a publication that I read religiously), Mandiant has confirmed that “multiple cybercrime groups,” including ShinyHunters, are “combining voice calls and advanced phishing kits to trick victims into handing over access” to company systems. The scary thing about this new wave of vishing attacks is that threat actors are using sophisticated vishing campaigns to compromise single sign-on (SSO) credentials, then “enroll threat actor controlled devices into victim multifactor authentication solutions.” Once an attacker-controlled device is enrolled as a factor, the MFA that companies rely on to block unauthorized access no longer stands in the way: the attacker can approve the second factor themselves on every later login, so the protection is effectively bypassed without any flaw in the product.
Once threat actors gain access, they move into the company’s SaaS environment to exfiltrate data and then launch extortion campaigns. In addition, cybercriminals are registering custom domains that mimic the legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits: the attacker calls the victim while remotely controlling which pages appear in the victim’s browser. This lets the attacker time spoken prompts to the multifactor-authentication requests in real time, increasing the likelihood that the victim approves the push or enters the needed code on cue.
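The sequence described above leaves a recognizable trace in identity-provider logs: a successful SSO login from an address the user has never used, followed within minutes by the enrollment of a new MFA factor. The following detection sketch is an added example written for this post; it is not code from the original article, from Cyberscoop, Mandiant or Okta. The log lines are constructed, and the JSON field names (`ts`, `user`, `event`, `ip`, `factor`) and event names (`sso.login.success`, `mfa.factor.enroll`) are assumptions standing in for whatever your identity provider actually emits.

```python
"""Flag MFA factor enrollments that follow an SSO login from an address the
user has never used before: the pattern a vishing-driven SSO compromise
produces when the attacker enrolls their own device as a factor."""
import json
from datetime import datetime, timedelta

# Constructed sample log in a simplified JSON-lines shape. Field and event
# names are assumptions for this example, not any vendor's real schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "event": "sso.login.success", "ip": "198.51.100.10"}
{"ts": "2024-05-01T09:05:00Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "198.51.100.10", "factor": "push"}
{"ts": "2024-05-02T13:10:00Z", "user": "alice", "event": "sso.login.success", "ip": "203.0.113.77"}
{"ts": "2024-05-02T13:12:30Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "203.0.113.77", "factor": "push"}
{"ts": "2024-05-02T14:00:00Z", "user": "bob", "event": "sso.login.success", "ip": "198.51.100.11"}
{"ts": "2024-05-03T08:00:00Z", "user": "bob", "event": "mfa.factor.enroll", "ip": "198.51.100.11", "factor": "totp"}
{"ts": "2024-05-02T10:00:00Z", "user": "carol", "event": "sso.login.success", "ip": "192.0.2.5"}
{"ts": "2024-05-02T12:30:00Z", "user": "carol", "event": "mfa.factor.enroll", "ip": "192.0.2.5", "factor": "totp"}
"""

# Constructed per-user baseline of addresses seen over a prior review period.
BASELINE = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.11"},
    "carol": {"198.51.100.12"},
}

# How long after a first-seen-address login a new factor enrollment is suspect.
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    # Logs often arrive out of order; correlation below assumes time order.
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_enrollments(events, baseline, window=WINDOW):
    """Return one alert dict per MFA enrollment that follows, within `window`,
    an SSO login from an address absent from the user's baseline."""
    known = {user: set(ips) for user, ips in baseline.items()}
    pending = {}  # user -> (ts, ip) of the latest login from an unseen address
    alerts = []
    for rec in events:
        user = rec["user"]
        if rec["event"] == "sso.login.success":
            if rec["ip"] not in known.setdefault(user, set()):
                pending[user] = (rec["ts"], rec["ip"])
            # A single login does not earn trust: the baseline is only
            # updated out of band after an analyst has reviewed the alert.
        elif rec["event"] == "mfa.factor.enroll":
            hit = pending.get(user)
            if hit and rec["ts"] - hit[0] <= window:
                alerts.append({
                    "user": user,
                    "login_ts": hit[0].isoformat(),
                    "login_ip": hit[1],
                    "enroll_ts": rec["ts"].isoformat(),
                    "enroll_ip": rec["ip"],
                    "factor": rec.get("factor", "unknown"),
                })
                pending.pop(user, None)  # one alert per suspicious login
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_log(SAMPLE_LOG), BASELINE):
        print("SUSPICIOUS MFA ENROLLMENT:", json.dumps(alert))
```

In the constructed data only alice's second day trips the rule: her first enrollment comes from a baseline address, bob enrolls from a known address the next morning, and carol logs in from a new address but enrolls two and a half hours later, outside the window. A new address alone is deliberately not an alert, because travel and home networks would drown the signal; it is the new address followed quickly by a new factor that matches the behaviour described above.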
In response to these attacks, Okta released threat intelligence confirming that it has seen “multiple phishing kits developed” for use against other SSO and cryptocurrency providers. To be clear, this is not a vulnerability in the SSO products; it is a scary way for threat actors to dupe users into handing over credentials and MFA approvals that the products then honor as legitimate.
Given the success of these vishing campaigns against SSO, now is the time to remind your users what vishing is, how it works, the newest ways threat actors try to get users to hand over credentials and approve MFA prompts, and how a compromised SSO account can give the threat actors the keys to the kingdom.