Malicious actors are preying on employees in the US by impersonating the VPN providers used by their companies.
The GuidePoint Research and Intelligence Team (GRIT) has identified an ongoing phishing campaign crafted for English speakers that has already targeted over 130 companies and organizations in the US.
According to researchers, since June 26th, 2024 the threat actor has been registering domain names that resemble those of the VPN providers used by the targeted organizations.
The threat actor often calls individuals on their cell phones, pretending to be from the help desk or IT team and claiming that they’re resolving a VPN login issue. If the social engineering attempt works, the threat actor sends the user an SMS link that leads to a fake site posing as the company’s VPN.
The threat actor has also set up custom VPN login pages for each of the targeted organizations. The domain names associated with this campaign are as follows:
These pages closely mimic the legitimate ones from each organization, including the available VPN groups. However, in some cases, the threat actor has added VPN groups like "TestVPN" and "RemoteVPN" to the drop-down menu on the fake login page, likely as a tactic in the social engineering attack.
Through these fake login pages, the threat actor collects the user's username, password, and token, even if multifactor authentication (MFA) is in place.
If the MFA uses a push method, the threat actor instructs the user to approve the push notification during the social engineering call. In the final step, the user is redirected to the legitimate VPN address of the targeted organization and may be asked to log in again, reinforcing the illusion that the issue has been resolved.
Once the threat actor gains VPN access to the network, they immediately begin scanning it to identify targets for lateral movement, persistence, and further privilege escalation.
“The type of social engineering used in this campaign is particularly hard to detect given that it normally happens outside of the traditional visibility of security tools, such as via direct calls to user’s cell phones and the use of SMS/text messaging,” writes GRIT.
“Unless users report receiving these types of calls or messages, the security teams might not even be aware of the attack. The threat actor can also target multiple users via this method until they successfully get a user that is susceptible to this type of attack.”
Users who might have been affected by the phishing attack are urged to check their logs for suspicious activity from VPN-assigned IP addresses within the past 30 days. If any signs of successful compromise are identified, users should immediately declare an incident and perform a thorough investigation with the security team.
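One way to carry out the log review recommended above, as an added example that is not from GRIT or the article: correlate VPN session assignments with network flow records and flag any VPN pool address that fans out to many distinct internal hosts shortly after login, the post-access scanning pattern described earlier. The log formats, field layout and sample entries are constructed assumptions, not any real product's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (assumed formats, not taken from any real VPN or firewall):
# VPN session log line: "<ISO timestamp> <user> <address assigned from the VPN pool>"
VPN_LOG = [
    "2024-07-01T09:02:11 jdoe 10.20.0.15",    # user who approved the attacker's MFA push
    "2024-07-01T09:40:52 asmith 10.20.0.22",  # ordinary user
]
# Flow log line: "<ISO timestamp> <src> <dst> <dport>"
FLOW_LOG = (
    # jdoe's pool address sweeps 40 internal hosts on SMB within three minutes of login
    [f"2024-07-01T09:0{3 + i // 20}:{(i % 20) * 3:02d} 10.20.0.15 10.0.1.{i + 1} 445"
     for i in range(40)]
    # asmith touches a couple of servers over the working day
    + ["2024-07-01T09:45:00 10.20.0.22 10.0.2.5 443",
       "2024-07-01T10:12:09 10.20.0.22 10.0.2.9 3389",
       "2024-07-01T13:30:41 10.20.0.22 10.0.2.5 443"]
)


def find_scanning_sessions(vpn_log, flow_log, window=timedelta(minutes=15),
                           threshold=20, since=None):
    """Return {user: (pool_ip, distinct_targets)} for VPN sessions whose assigned
    address contacted at least `threshold` distinct (host, port) pairs within
    `window` of the session start. `since` limits the review to sessions that
    began on or after that datetime (e.g. now minus 30 days)."""
    flows_by_src = defaultdict(list)
    for line in flow_log:
        ts, src, dst, dport = line.split()
        flows_by_src[src].append((datetime.fromisoformat(ts), dst, int(dport)))

    flagged = {}
    for line in vpn_log:
        ts, user, pool_ip = line.split()
        start = datetime.fromisoformat(ts)
        if since is not None and start < since:
            continue  # outside the review period
        # Distinct internal (host, port) targets reached shortly after the session began
        targets = {(dst, dport) for t, dst, dport in flows_by_src[pool_ip]
                   if start <= t <= start + window}
        if len(targets) >= threshold:
            flagged[user] = (pool_ip, len(targets))
    return flagged


if __name__ == "__main__":
    for user, (ip, n) in find_scanning_sessions(VPN_LOG, FLOW_LOG).items():
        print(f"REVIEW: {user} ({ip}) reached {n} distinct targets right after VPN login")
```

A hit only says the session deserves investigation; confirming compromise still means checking the MFA approval, the call the user received, and what the pool address did next.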