The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement warning companies of a surge in voice phishing or vishing campaigns targeting corporate virtual private networks (VPNs).

The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification. The CISA and FBI pointed to one example from where a vishing campaign allowed cybercriminals to gain access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access.

The cybercriminals used vished credentials and mined the victim company databases for their customers’ personal information to leverage in other attacks. According to the release, the monetizing method has varied thus far depending on the company but has been highly aggressive with tight timelines between an initial breach and the cashout scheme.

The statement said, “The initial steps of this vishing campaign followed a common thread. Actors registered domains and created phishing pages duplicating a company’s internal VPN login page, also capturing two-factor authentication (2FA) or one-time passwords (OTP). Actors also obtained Secure Sockets Layer (SSL) certificates for the domains they registered and used a variety of domain naming schemes.”

The FBI recommends a number of risk mitigation strategies for companies, including restricting VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN; restricting VPN access hours to mitigate access outside of allowed times; improving two-factor authentication (2FA) and OTP messaging to reduce confusion about employee authentication attempts; and more.