Explaining the Com Vishing Attacks
August 18, 2025
Introduction
Malicious actors have been targeting English-speaking companies that use Salesforce in order to exfiltrate data and obtain credentials. They specialize in vishing campaigns combined with fake landing pages that harvest users’ credentials. They then use those credentials to exfiltrate whatever data the compromised account has access to, or use that account for lateral movement within the organization.
Google gave this group the alias of UNC6040, and according to Google, this group performing the vishing attacks shows similar characteristics to a group known as The Com. A lot of damage can be done by merely putting on the guise of an established vendor.
Analysis
Vishing attacks consist of malicious actors calling personnel under the guise of accredited companies, in this case Salesforce, to obtain credentials or to get the user to perform actions that assist the attackers. The credentials can either be given verbally over the phone, or the attacker can direct the user to a fake landing page and have them enter their credentials there.
A fake landing page is a counterfeit login webpage that harvests the credentials of the users who visit it, and in some cases is used to exfiltrate data. In many cases, this page is made to look like the actual vendor's login page. In this particular case, a “My Ticket” landing page was used to trick users into entering their credentials. In some cases, the attackers also used pre-recorded messages to harvest credentials, which additionally helped conceal the attacker’s identity.
Signs of Vishing
Some common red flags of vishing include a false sense of urgency, threatening language, or unusual requests for sensitive information. A false sense of urgency or threatening language puts pressure on the user to comply with the malicious actor's demands, especially when the actor is posing as an accredited vendor.
Whenever an outside party asks for sensitive information, it should be an obvious red flag, but users still get caught up in the false sense of urgency and offer up information that can compromise their organization. This makes personnel training crucial for defending against and preparing for these types of attacks.
User Training
Around 20 organizations have been breached in the past few months by this group using these methods. It is important to note that these breaches did not involve exploiting any vulnerabilities in the victims' environments. The success of these attacks depends entirely on whether the end user complies with the attacker's request. This emphasizes the importance of educating end users about vishing attacks.
Another great way of preparing for these attacks is to simulate vishing campaigns to test adherence to security policies and help personnel develop discipline in keeping their composure during these attacks. These vishing campaigns can even include spoofed phone numbers and fake landing pages to mimic how real malicious actors breach organizations.
Conclusion
Organizations can have the best security controls in place, but if one employee falls victim to one of these attacks, the entire organization could be breached. Building personnel's resilience to these attacks through experience can be critical to preventing a breach.
TraceSecurity offers vishing campaigns utilizing tactics real-world malicious actors use. These tactics include spoofed phone numbers, impersonation from accredited companies, and fake landing pages. TraceSecurity’s vishing campaigns provide an opportunity to prepare for real-world attacks before they happen to your organization.