Voice Phishers Targeting Corporate VPNs

The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.

According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or “bounties,” where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.

And over the past six months, the criminals responsible have created dozens if not hundreds of phishing pages targeting some of the world’s biggest corporations. For now at least, they appear to be focusing primarily on companies in the financial, telecommunications and social media industries.

“For a number of reasons, this kind of attack is really effective,” said Allison Nixon, chief research officer at New York-based cyber investigations firm Unit 221B. “Because of the Coronavirus, we have all these major corporations that previously had entire warehouses full of people who are now working remotely. As a result the attack surface has just exploded.”


A typical engagement begins with a series of phone calls to employees working remotely at a targeted organization. The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology.

The employee phishing page bofaticket[.]com. Image: urlscan.io

The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

Zack Allen is director of threat intelligence for ZeroFOX, a Baltimore-based company that helps customers detect and respond to risks found on social media and other digital channels. Allen has been working with Nixon and several dozen other researchers from various security firms to monitor the activities of this prolific phishing gang in a bid to disrupt their operations.

Allen said the attackers tend to focus on phishing new hires at targeted companies, and will often pose as new employees themselves working in the company’s IT division. To make that claim more believable, the phishers will create LinkedIn profiles and seek to connect those profiles with other employees from that same organization to support the illusion that the phony profile actually belongs to someone inside the targeted firm.

“They’ll say ‘Hey, I’m new to the company, but you can check me out on LinkedIn’ or Microsoft Teams or Slack, or whatever platform the company uses for internal communications,” Allen said. “There tends to be a lot of pretext in these conversations around the communications and work-from-home applications that companies are using. But eventually, they tell the employee they have to fix their VPN and can they please log into this website.”


The domains used for these pages often invoke the company’s name, followed or preceded by hyphenated terms such as “vpn,” “ticket,” “employee,” or “portal.” The phishing sites also may include working links to the organization’s other internal online resources to make the scheme seem more believable if a target starts hovering over links on the page.

Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real-time.

Time is of the essence in these attacks because many companies that rely on VPNs for remote employee access also require employees to supply some type of multi-factor authentication in addition to a username and password — such as a one-time numeric code generated by a mobile app or text message. And in many cases, those codes are only good for a short duration — often measured in seconds or minutes.

But these vishers can easily sidestep that layer of protection, because their phishing pages simply request the one-time code as well.

A phishing page (helpdesk-att[.]com) targeting AT&T employees. Image: urlscan.io

Allen said it matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.

And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.

Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization, Nixon said.

“These guys are calling companies over and over, trying to learn how the corporation works from the inside,” she said.


All of the security researchers interviewed for this story said the phishing gang is pseudonymously registering their domains at just a handful of domain registrars that accept bitcoin, and that the crooks typically create just one domain per registrar account.

“They’ll do this because that way if one domain gets burned or taken down, they won’t lose the rest of their domains,” Allen said.

More importantly, the attackers are careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain.

This is key because many domain registrars will only respond to external requests to take down a phishing website if the site is live at the time of the abuse complaint. This requirement can stymie efforts by companies like ZeroFOX that focus on identifying newly-registered phishing domains before they can be used for fraud.

“They’ll only boot up the website and have it respond at the time of the attack,” Allen said. “And it’s super frustrating because if you file an abuse ticket with the registrar and say, ‘Please take this domain away because we’re 100 percent confident this site is going to be used for badness,’ they won’t do that if they don’t see an active attack going on. They’ll respond that according to their policies, the domain has to be a live phishing site for them to take it down. And these bad actors know that, and they’re exploiting that policy very effectively.”

A phishing page (github-ticket[.]com) aimed at siphoning credentials for a target organization’s access to the software development platform Github. Image: urlscan.io


Both Nixon and Allen said the object of these phishing attacks seems to be to gain access to as many internal company tools as possible, and to use those tools to seize control over digital assets that can quickly be turned into cash. Primarily, that includes any social media and email accounts, as well as associated financial instruments such as bank accounts and any cryptocurrencies.

Nixon said she and others in her research group believe the people behind these sophisticated vishing campaigns hail from a community of young men who have spent years learning how to social engineer employees at mobile phone companies and social media firms into giving up access to internal company tools.

Traditionally, the goal of these attacks has been gaining control over highly-prized social media accounts, which can sometimes fetch thousands of dollars when resold in the cybercrime underground. But this activity gradually has evolved toward more direct and aggressive monetization of such access.

On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools.

Nixon said it’s not clear whether any of the people involved in the Twitter compromise are associated with this vishing gang, but she noted that the group showed no signs of slacking off after federal authorities charged several people with taking part in the Twitter hack.

“A lot of people just shut their brains off when they hear the latest big hack wasn’t done by hackers in North Korea or Russia but instead some teenagers in the United States,” Nixon said. “When people hear it’s just teenagers involved, they tend to discount it. But the kinds of people responsible for these voice phishing attacks have now been doing this for several years. And unfortunately, they’ve gotten pretty advanced, and their operational security is much better now.”

A phishing page (vzw-employee[.]com) targeting employees of Verizon. Image: DomainTools


While it may seem amateurish or myopic for attackers who gain access to a Fortune 100 company’s internal systems to focus mainly on stealing bitcoin and social media accounts, that access — once established — can be re-used and re-sold to others in a variety of ways.

“These guys do intrusion work for hire, and will accept money for any purpose,” Nixon said. “This stuff can very quickly branch out to other purposes for hacking.”

For example, Allen said he suspects that once inside of a target company’s VPN, the attackers may try to add a new mobile device or phone number to the phished employee’s account as a way to generate additional one-time codes for future access by the phishers themselves or anyone else willing to pay for that access.

Nixon and Allen said the activities of this vishing gang have drawn the attention of U.S. federal authorities, who are growing concerned over indications that those responsible are starting to expand their operations to include criminal organizations overseas.

“What we see now is this group is really good on the intrusion part, and really weak on the cashout part,” Nixon said. “But they are learning how to maximize the gains from their activities. That’s going to require interactions with foreign gangs and learning how to do proper adult money laundering, and we’re already seeing signs that they’re growing up very quickly now.”


Many companies now make security awareness and training an integral part of their operations. Some firms even periodically send test phishing messages to their employees to gauge their awareness levels, and then require employees who miss the mark to undergo additional training.

Such precautions, while important and potentially helpful, may do little to combat these phone-based phishing attacks that tend to target new employees. Both Allen and Nixon — as well as others interviewed for this story who asked not to be named — said the weakest link in most corporate VPN security setups these days is the method relied upon for multi-factor authentication.

A U2F device made by Yubikey, plugged into the USB port on a computer.

One multi-factor option — physical security keys — appears to be immune to these sophisticated scams. The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.

In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.

Probably the most popular maker of security keys is Yubico, which sells a basic U2F Yubikey for $20. It offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems. Yubico also sells more expensive keys designed to work with mobile devices. [Full disclosure: Yubico was recently an advertiser on this site].

Nixon said many companies will likely balk at the price tag associated with equipping each employee with a physical security key. But she said as long as most employees continue to work remotely, this is probably a wise investment given the scale and aggressiveness of these voice phishing campaigns.

“The truth is some companies are in a lot of pain right now, and they’re having to put out fires while attackers are setting new fires,” she said. “Fixing this problem is not going to be simple, easy or cheap. And there are risks involved if you somehow screw up a bunch of employees accessing the VPN. But apparently these threat actors really hate Yubikey right now.”

New infosec products of the week: April 17, 2020

NeuVector adds to container security platform, automates end-to-end vulnerability management

The platform additions include the new Vulnerability and Compliance Explorer for quickly investigating, prioritizing, reporting, and mitigating potentially damaging vulnerability and compliance issues. High performance large-registry scanning and enhanced host (node) security processes have also been added.

infosec products April 2020

Corsa Security Orchestrator: Intelligent orchestration and management of virtual NGFW arrays

Corsa Security Orchestrator offers a single-pane-of-glass view, enabling network security professionals to quickly and easily add more firewall capacity as their traffic inspection needs grow, without having to configure multiple elements.

infosec products April 2020

ZeroFOX’s AI-powered platform now includes security for Zoom and Slack

ZeroFOX Enterprise Remote Workforce Protection offers advanced threat protection for both Zoom and Slack, cloud-based applications required by organizations in today’s work from home world. Advanced Security for Zoom ensures the organization has secure video conferencing and collaboration, free from Zoombombing and other security issues. Advanced Security for Slack automates how organizations establish compliance and inline protection within the team collaboration application.

infosec products April 2020

Entrust Datacard unveils a single portal to discover, control and automate certificate management

The Entrust Datacard Certificate Hub allows customers to find, control and automate their public and private certificate deployments via a single pane of glass. Organizations using Entrust Datacard Certificate Hub gain visibility and management across their Entrust Datacard private and publicly trusted CAs, as well as Microsoft CAs.

infosec products April 2020

SentinelOne launches new customizable dashboards and reporting capabilities

SentinelOne announced new customizable dashboards and reporting capabilities making SentinelOne the center of enterprise security operations. The new capabilities enable organizations to extract maximum value from security data and provide unprecedented context into the state of security operations as well as the ROI on their SentinelOne investment.

infosec products April 2020

ZeroFOX’s AI-powered platform now includes security for Zoom and Slack

ZeroFOX has extended its artificial intelligence (AI) powered platform to now include advanced cyberattack protection capabilities for business collaboration platforms.

ZeroFOX Enterprise Remote Workforce Protection

ZeroFOX Enterprise Remote Workforce Protection offers advanced threat protection for both Zoom and Slack, cloud-based applications required by organizations in today’s work from home world.

As adoption of these remote work platforms has exploded, emerging threats have developed to capitalize on that adoption. Zoom, in particular, has been the target of many such attacks. The ZeroFOX Alpha Team uncovered thousands of cracked Zoom accounts for sale on a single hacking forum and entire websites dedicated to sharing insecure Zoom call IDs.

Although Zoom has recently released updates focused on security and privacy, attackers are still able to easily target organizations and their employees through a variety of attacks that abuse the platform. It is critical to safeguard private information and users that leverage these collaboration platforms to do their jobs on a daily basis.

Remote work and business collaboration platforms like Zoom and Slack are rapidly expanding the publicly accessible attack surface of every organization. Organizations using these digital platforms require visibility and protection to identify risks like sensitive information leakage, malicious links and file sharing, and compliance violations.

To help organizations immediately address these issues, ZeroFOX is offering complimentary Zoom and Slack protection during this unprecedented time.

“Continuing a quick pace of innovation and maintaining world-class protection during this pandemic for the benefit of our customers is our priority,” said James C. Foster, CEO of ZeroFOX.

“We have seen a 189% increase in phishing-related attacks over the past six months and unsuspecting employees are the number one target of phishing attacks. We know that modern organizations rely heavily on Zoom and Slack to support operations while most employees are working from home today due to COVID-19. “We are proud to offer our customers complimentary access to our advanced security protection for Zoom and Slack.”

The ZeroFOX Enterprise Remote Workforce Protection solution provides customers the ability to secure and gain visibility into threats targeting collaboration platforms that traditional cybersecurity tools miss.

  • Advanced Security for Zoom ensures the organization has secure video conferencing and collaboration, free from Zoombombing and other security issues recently experienced by many organizations. The solution will ensure secure password-enabled meetings, identify malicious and fraudulent Zoom links, and protect credentials on Zoom. In addition, the solution enables organizations to identify and take down fraudulent Zoom meetings and links pretending to be your brand or people to interact with customers, partners, or employees.
  • Advanced Security for Slack automates how organizations establish compliance and inline protection within the team collaboration application. With turnkey set-up, the organization will receive real-time notifications and automated remediation for inappropriate content, malicious links and files, and sensitive data shared on Slack channels. Advanced threat protection is the cornerstone for establishing good work from home (WFH) compliance policies and protecting companies from potential exposures.

ZeroFOX is offering a 15-day trial to help organizations protect their employees, customers and partners on Zoom and Slack. Organizations that rely on these business collaboration platforms to enable employees to complete work in a WFH world can activate and immediately secure these channels.

New infosec products of the week: February 14, 2020

RSA Archer SaaS: An integrated approach to managing risk

RSA Archer SaaS can help reduce the time and resources dedicated to on-premise platform upgrades, patches, and maintenance activities, as well as enable customers to focus on maturing and expanding their integrated risk management programs.

infosec products February 2020

Farsight Security enhances its Security Information Exchange data-sharing platform

Farsight Security announced enhancements to its Security Information Exchange data-sharing platform to help security professionals measurably improve the prevention, detection and response of the latest cyberattacks.

infosec products February 2020

Tufin SecureCloud: Providing unified security policy management for the hybrid cloud

Tufin SecureCloud is a security policy automation service for enterprises needing to gain visibility and control of the security posture of their cloud-native and hybrid cloud environments.

infosec products February 2020

ZeroFOX launches AI-powered Advanced Email Protection for Google and Microsoft platforms

The ZeroFOX Advanced Email Protection suite includes capabilities that address Business Email Compromise Protection for Google’s G Suite and Microsoft’s Office 365 platforms, which identifies impersonation-based attacks targeting employees.

infosec products February 2020

Devo Security Operations: Transforming the SOC and scaling security analyst effectiveness

Devo Security Operations is the first security operations solution to combine critical security capabilities together with auto enrichment, threat intelligence community collaboration, a central evidence locker, and a streamlined analyst workflow.

infosec products February 2020

esCLOUD extends managed detection and response to cloud platforms

esCLOUD constantly monitors customer cloud environments to detect improper configurations and vulnerabilities that could lead to data loss and compromise. Automated policy enforcement, combined with response and remediation from eSentire’s expert security analysts, ensures that customers can operate in the cloud with confidence.

infosec products February 2020

ZeroFOX launches AI-powered Advanced Email Protection for Google and Microsoft platforms

ZeroFOX, the leading provider of public attack surface protection, announced it has extended its artificial intelligence (AI) powered platform to now include advanced protection capabilities to solve intractable challenges in the cloud email security market and complement existing email security.

The ZeroFOX Advanced Email Protection suite includes capabilities that address Business Email Compromise Protection for Google’s G Suite and Microsoft’s Office 365 platforms, which identifies impersonation-based attacks targeting employees.

It also includes Email Abuse and Phishing Protection, which detects brand abuse, phishing and campaigns targeting customers and employees. With this email protection suite, ZeroFOX is the first company in the world to provide complete, omnichannel visibility and protection wherever modern digital attacks occur.

“Email continues to be a huge security headache for businesses as slowly-innovating, legacy vendors continue to fail the industry and our customers. With customers in more than 50 countries, ZeroFOX is proud to have earned global recognition as the best digital impersonation security vendor in the world and after repeated demand from our customers, we have extended our artificial intelligence analysis capabilities to now support cloud email platforms and protect against these modern threats,” said James C. Foster, CEO of ZeroFOX.

“With the introduction of the Advanced Email Protection Suite, we now have coverage from impersonation-based attacks to phishing to malware, wherever threats exist: on email, social media, mobile, surface, deep and dark web, Slack, and other digital engagement platforms. Wherever our customers engage – whether with their customers or internally between employees – they are protected!”

Business email compromise (BEC) is a complicated problem and is costing organizations billions of dollars in damages and lost revenue. What’s more, legacy email security gateway tools are not adequately innovating to address the underlying problem – namely fraudulent impersonations.

With the launch of Advanced Email Protection, ZeroFOX not only alerts security teams but provides detailed user warnings explaining why an email is suspicious and remediates the attack in real-time, blocking throughout the client’s infrastructure and disrupting the entire attacker kill chain by leveraging ZeroFOX’s Takedown-as-a-Service platform.

According to Gartner, “Email threats have become sophisticated to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation. Email threats are also being blended, combining social engineering, identity deception, phishing sites, malware and exploits.”

ZeroFOX’s Advanced Email Protection suite is powered by award-winning AI capabilities and is designed to seamlessly support and complement Google and Microsoft’s cloud-based email platforms and other legacy secure email gateways.

Today, most email security solutions focus on flagging potential spam, blocking known malicious senders, and filtering out malicious links and attachments – all tactics that only temporarily inhibit but do not thwart an attacker.

Additionally, these vendors spent years working on disaster recovery, archiving, and compliance capabilities that are now delivered out-of-the-box by Microsoft and Google.

ZeroFOX’s Email Abuse and Phishing Protection adds new capabilities to these existing defenses, as opposed to redundant features, by leveraging often overlooked data from sources such as [email protected] inboxes and DMARC failure reports to address the threat at the source.

Working on an organization’s behalf to disrupt the entire kill chain to thwart future attacks, ZeroFOX ensures no threat is missed and alleviates work from overburdened security teams.

ZeroFOX prevents the attacker from continuing to create more email addresses and conduct more attacks at scale by taking down the entire attacker’s offensive infrastructure.