Fixxx (Moder), joined 20.08.24
Over 130 Companies Have Fallen Victim to Social Engineering
The GuidePoint Research and Intelligence Team (GRIT) has documented the activities of a highly sophisticated hacker group with significant skills in social engineering and network infiltration, including the ability to communicate in English at a native level. This group's attacks are targeting more than 130 American companies across various industries. The primary goal of the attackers is to obtain credentials and one-time passwords through social engineering aimed at individual employees within organizations. These methods remain undetected by traditional security measures, as the attacks occur outside the usual field of visibility: using phone calls to employees' mobile phones and SMS messages. Without notifications from users about such calls and messages, security teams may not even suspect a hacking attempt. The hackers continue their activities until they find a vulnerable employee.
Since June 26, 2024, the group has registered several domain names resembling the addresses of VPN services used by organizations. Among them are: ciscoweblink.com, ciscolinkweb.com, fortivpnlink.com, and others. The attackers call employees, posing as technical support, and inform them of login issues with the VPN, after which they send a link to a fake website. This site mimics the legitimate VPN login page but is designed to steal user credentials. The fake login pages are meticulously forged, including the names of the VPN groups used within the organizations. In some cases, fictitious groups such as "TestVPN" and "RemoteVPN" are added to enhance the effect of social engineering. Through these pages, hackers obtain the username, password and, if multi-factor authentication is used, the user token. If the system employs push notifications, the attackers ask the user to approve a request to complete the attack. Once access to the network via VPN is obtained, the hackers immediately begin scanning the network to identify targets for further advancement, maintaining access and escalating privileges. The primary objective of this group is financial gain: in the event of a successful breach, they steal data, destroy backups and ultimately deploy ransomware.
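Because the calls and SMS messages never touch the corporate network, the first artefact a security team can actually see is usually a DNS lookup or proxy hit for one of the lookalike VPN domains from an employee's browser. The following script is an added example, not part of the original post or of GRIT's research: it scans DNS resolver log lines for names that borrow a VPN vendor or "vpn" token but belong neither to the organisation's own VPN hosts nor to a genuine vendor domain. The log format, the allowlist hostnames (vpn.example-corp.com, sslvpn.example-corp.com) and the client addresses are constructed for the example; the flagged domains are the ones named above.

```python
import re

# Constructed sample of DNS resolver log lines for this example (not real traffic).
SAMPLE_DNS_LOG = """\
2024-07-02T09:14:03Z client=10.20.4.17 qname=vpn.example-corp.com qtype=A
2024-07-02T09:14:41Z client=10.20.4.17 qname=www.cisco.com qtype=A
2024-07-02T09:15:10Z client=10.20.4.52 qname=ciscoweblink.com qtype=A
2024-07-02T09:15:12Z client=10.20.4.52 qname=www.ciscoweblink.com qtype=A
2024-07-02T09:16:33Z client=10.20.7.9 qname=fortivpnlink.com qtype=A
2024-07-02T09:17:05Z client=10.20.7.9 qname=support.fortinet.com qtype=A
2024-07-02T09:18:44Z client=10.20.9.3 qname=ciscolinkweb.com qtype=AAAA
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")

# The organisation's own VPN hostnames (hypothetical; replace with real ones).
ALLOWED_HOSTS = {"vpn.example-corp.com", "sslvpn.example-corp.com"}

# Genuine vendor registrable domains: a brand token inside these is expected.
VENDOR_DOMAINS = {"cisco.com", "fortinet.com", "paloaltonetworks.com"}

# Brand/product tokens that the lookalike domains in the post borrow.
WATCH_TOKENS = ("cisco", "forti", "vpn", "anyconnect", "globalprotect")


def registrable_domain(qname):
    """Return the last two labels of a name (simplified: no public-suffix list,
    so names under suffixes such as .co.uk need a proper PSL in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def is_lookalike(qname):
    """True when the name borrows a vendor/VPN token but is neither one of the
    organisation's allowlisted VPN hosts nor under a genuine vendor domain."""
    host = qname.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return False
    reg = registrable_domain(host)
    if reg in VENDOR_DOMAINS:
        return False
    # Only the registrable part is inspected: the token has to sit in the
    # attacker-registered domain itself, not in some subdomain label.
    return any(tok in reg for tok in WATCH_TOKENS)


def find_lookalikes(log_text):
    """Return sorted, de-duplicated (client, registrable_domain) pairs for triage."""
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_lookalike(m["qname"]):
            hits.add((m["client"], registrable_domain(m["qname"])))
    return sorted(hits)


if __name__ == "__main__":
    for client, domain in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{client} resolved lookalike VPN domain {domain}")
```

A hit from this check is a reason to contact the employee quickly: the lookup usually happens while the fake "support" caller is still on the line, before the harvested credentials and MFA token are used to open the VPN session the post describes. The token list and allowlist are deliberately short; extend them with the VPN products and hostnames actually in use.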