OPLIN 4Cast #684: Vishing is the new phishing, and it’s way more effective

Posted in 4cast and Security

The spelling of the word “phishing” was influenced by the earlier word “phreaking,” which described the hacking of telephone systems. And now the word evolves further, because “vishing,” voice phishing, is on the rise. Combining the tools of email phishing with the techniques of telephone scams, attackers are tricking novice telecommuters into giving up login credentials to their corporate networks.

  • Voice Phishers Targeting Corporate VPNs [Krebs on Security] “One increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.”
  • FBI and CISA warn of major wave of vishing attacks targeting teleworkers [ZDNet] “The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”
  • The Attack That Broke Twitter Is Hitting Dozens of Companies [Wired] “The hackers’ phishing site that allows that spoofing, unlike the kind usually linked in a phishing email, is usually created only for that specific phone call and is taken down immediately after the hackers steal the victim’s credentials. The vanishing website and the lack of email evidence makes this sort of phone-based engineering often harder to detect than traditional phishing.”
  • Voice phishing attacks on the rise, CISA, FBI warn [Federal Computer Week] “Recommended mitigation techniques include restricting VPN use to managed devices, restricting log in periods, and monitoring suspicious new domains that could be used to impersonate a company’s internal help desk.”

From the Ohio Web Library:
