Phishing attacks on the rise due to attackers taking advantage of trust in VPNs

Beware of Phishing Campaign Impersonating VPN Providers in the US

Malicious actors are targeting employees in the US by impersonating VPN providers used by their companies, according to the GuidePoint Research and Intelligence Team (GRIT). This ongoing phishing campaign has already impacted over 130 organizations in the US.

Since June 26th, 2024, the threat actor behind this campaign has registered domain names that closely resemble those of the VPN providers used by the targeted organizations. They often call individuals while pretending to be from the help desk or IT team, claiming to resolve a VPN login issue. If the call succeeds, the threat actor sends the user an SMS link leading to a fake VPN site.

Custom VPN login pages have been set up for each targeted organization, with domain names like ciscoweblink.com and vpnpaloalto.com. These fake pages mimic the legitimate ones and collect usernames, passwords, and tokens, which lets the attacker bypass multifactor authentication.

Once access is gained, the threat actor scans the network for targets for lateral movement and further escalation. GRIT warns that this social engineering tactic is hard to detect because it occurs outside the visibility of traditional security tools.

Users are advised to check logs for suspicious VPN activity within the past 30 days and report any signs of compromise to their security team. Vigilance is key in combating these sophisticated phishing attacks.
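One way to start the 30-day review described above is to search DNS or proxy logs for names that contain a VPN vendor's brand but are not domains the organization actually uses. The sketch below is an added example, not code from GRIT or from this article; the log format, the brand-token list, the allowlist and the naive two-label domain extraction are all assumptions.

```python
from datetime import datetime, timedelta

# Assumption: brand tokens of the VPN products the organization uses.
BRAND_TOKENS = ("cisco", "paloalto")
# Assumption: domains the organization legitimately uses for VPN access.
LEGIT_DOMAINS = {"cisco.com", "paloaltonetworks.com", "vpn.example.com"}

# Constructed sample DNS log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2024-06-27T10:00:00 10.0.9.21 ciscoweblink.com
2024-07-20T09:14:02 10.0.4.17 vpn.example.com
2024-07-21T13:02:44 10.0.4.17 ciscoweblink.com
2024-07-21T13:05:10 10.0.8.3 www.cisco.com
2024-07-22T08:30:00 10.0.9.21 login.vpnpaloalto.com
2024-07-23T11:11:11 10.0.2.5 news.example.org
malformed line that should be skipped entirely
"""

def registrable(name):
    # Naive: keep the last two labels. Real use needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def is_legit(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LEGIT_DOMAINS)

def find_lookalikes(log_text, now, days=30):
    """Return (timestamp, client, domain) for brand lookalikes in the window."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed records
        ts, client, name = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        if when < cutoff or is_legit(name):
            continue                      # too old, or a domain we really use
        base = registrable(name)
        if any(tok in base for tok in BRAND_TOKENS):
            hits.append((ts, client, base))
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG, datetime(2024, 8, 1)):
        print(*hit)
```

Each hit identifies a client that resolved a lookalike name; that user's VPN sessions in the same period are the ones to examine first.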
