We define vishing as the “practice of eliciting information or attempting to influence action via the telephone.” Similar to phishing, the goal of vishing is to obtain valuable information that could contribute to the direct compromise of an organization by exploiting people’s willingness to help. Attackers can “spoof”, or forge, their outgoing phone number and pose as an authority figure, technician or fellow employee to obtain sensitive information that could lead to the compromise of an organization. Some attackers may use voice changers to conceal identity. Two common techniques we will discuss here are calling into customer service/helpdesk and calling an organization while impersonating tech support.
Vishing has proven to be one of the most successful methods of gaining the information needed to breach an organization. It’s estimated that telephone fraud leads to a global loss of about $46.3 billion per year. Obtaining employee ID numbers, social security numbers, user credentials, home addresses or any information about the technology or processes a company uses can be considered a success. This information can then be used for further information gathering, or to impersonate an organization’s employee, vendor or partner in order to breach the organization or gain access to a specific customer’s account.
NOTICE: This information should never be used to perform illegal acts! We discuss these details to help organizations take a proactive stance against possible social engineering attacks and to help mitigate these attacks.
Customer Support/Helpdesk Personnel
Help desk personnel are some of an organization’s most vulnerable staff members since their job is to provide “help” in a friendly and polite manner to callers. This is often exploited by an attacker to learn sensitive information.
Attackers will usually obtain the needed phone numbers from an organization’s website, along with any specific routing email addresses used for customer support. Attackers may call from a spoofed, blocked, or private phone number. They will attempt to gain as much information as possible (including direct phone numbers, employee titles, addresses, social security numbers, and other details) about either the employee they are talking to or the customer they are impersonating.
An attacker posing as a customer can usually cull enough information from social media and other sites to answer simple security questions. The attacker could also request a password reset or try to change something on a customer’s account in order to gain access to it themselves.
The Mumble Technique
Generally, the mumble technique is targeted at call center agents. In this scenario, an attacker mumbles a response when asked a verification question, in the hope that the call center agent will accept the garbled answer. In another variation, the mumble technique is used when an attacker poses as an impaired customer or as a person calling on that customer’s behalf. Online information brokers used mumble attacks to dupe employees of Verizon Wireless into disclosing thousands of private cell phone records, which the brokers then sold. The attackers called customer service under the guise of a “special needs group” and requested account information.
Security education can help service representatives to politely do their job without compromising actual customers or company data.
Tech Support
One example of a tech support vishing attack is when an impersonator calls targets in reference to a real or imagined issue such as network speed or problems with badging. The attacker uses technical jargon to explain why they need the employee to answer a few simple questions, which could include the person’s company ID or badge number, first and last name, job title, and even social security number.
Equipment Needed for Vishing
- Phone line – landline, cellular phone, burner phone, VoIP (internet phone)… as long as you can make the call, it all works.
- Spoofing technology – software, service or self-served.
- Pretext – know whom you are impersonating so well that you are comfortable conversing and answering questions.
- Flag/goals – know what information you need to obtain and the questions you can ask to elicit that information.
Examples:
Rogers Communications
In March 2015, a group of attackers was able to gain access to 50-70 internal records for Rogers Communications’ business customers.
With one phone call and a solid story, the attackers convinced an IT support agent to provide the login credentials for a specific Rogers Communications employee. With the email address and password in tow, the attackers were able to access the entire portfolio of medium-sized businesses managed by the targeted employee. While no personal or financial information was contained in the agreements, it’s never fun to have to disclose an unauthorized access event to customers.
Microsoft Windows XP Solutions Architect
This vishing attack involving the impersonation of a Microsoft solutions architect has been around since at least 2009 and has targeted individuals in numerous countries, including the U.S., Canada, Australia, New Zealand, Ireland, and England.
The attackers would call a target posing as a member of Microsoft technical support, informing the victim that their computer was infected with a virus that was causing it to generate all sorts of error messages. In order to fix it, the person would be told they needed to download a piece of software. The ultimate goal of the attack varied depending on the individual running it. Some attackers sold victims fake anti-virus protection. Others went directly after the victim’s bank account information. Some took remote control of the victim’s computer. The most common goal was to get the victim to navigate to a website and download a special “solution” which was actually a piece of malware.
London Hedge Fund Loses $1.2 Million on a Friday Afternoon
In July 2015, the Chief Financial Officer of Fortelus Capital Management LLP, a London-based hedge fund, received a phone call just as he was about to depart the office for the weekend. The caller identified himself as a financial representative from Coutts, the hedge fund’s bank. The caller advised the CFO that there were 15 suspicious charges on the company’s account that needed to be immediately cancelled. The CFO agreed to generate codes from the bank’s smart card security system to assist the caller with the removal of the “fraudulent” charges. The CFO, thinking he had solved the problem, hung up shortly after 6 pm and left for the weekend.
The following Monday, when the CFO logged in to the company’s bank account, he discovered that 742,668 pounds (that’s $1.2 million USD) had been withdrawn from the organization’s account. The CFO quickly called the bank, which had no record of the Friday call. In response, the CFO was fired from Fortelus, and to top it all off, is now being sued by the organization for failure to protect the company’s assets.
Vishing Attacks Make IRS Dirty Dozen List of Scams for 2015
In 2015, vishing attacks topped the IRS list of annual tax scams due to their pervasive and persistent nature. This year, attackers reportedly used advanced tactics such as phone spoofing to make the call seem more legitimate. The attackers were quite aggressive in their approach, with threats of what would happen if the target did not “pay immediately.” Attackers were noted to also use fake IRS badge numbers for reference.
These attacks signify the rampant use of vishing to scam individual users, particularly the elderly, new immigrants, or those who speak English as a second language. The Treasury Inspector General for Tax Administration (TIGTA) has received reports of roughly 290,000 contacts since October 2013 and has become aware of nearly 3,000 victims who have collectively paid over $14 million as a result of vishing scams.