Vishing commonly known as voice phishing, phone elicitation, or phone scams, is a rapidly growing social engineering attack vector. In fact, it’s estimated vishing or telephone fraud leads to a global loss of about $46.3 billion per year. Indeed, vishing is one of the most successful methods of gaining information to breach an organization.
At Social-Engineer we define vishing as the practice of eliciting information or attempting to influence action via the telephone. The goal of vishing is to obtain valuable information contributing to the direct compromise of an organization. Attackers may “spoof”, or forge, their outgoing phone number to add authenticity to their attack. Additionally, some attackers may use voice changers to conceal identity. They may pose as an authority figure, technician, or fellow employee. In this article we’ll discuss how frontline employees such as customer service representatives/helpdesk personnel are especially vulnerable to vishing, common vishing techniques and attacks, and how pentesters use vishing in security audits.
NOTICE: Never use this information to perform illegal acts! We discuss these details to help organizations become offensive about possible social engineering attacks. Additionally, this information will help organizations to mitigate against these attacks.
Vishing Frontline Employees—Customer Service Representatives, Helpdesk and Tech Support Personnel
Criminals seek out customer service representatives (CSR’s) and help desk/tech support personnel because their “help” training makes them easy targets. Their job is to provide “help” in a friendly and polite manner to callers. Indeed, they are among an organization’s most vulnerable staff members to vishing attacks.
Attackers usually obtain phone numbers from an organization’s website in addition to any specific routing emails used for customer support. Additionally, criminals can cull company information from social media platforms and other open source intelligence (OSINT). Attackers may call from a spoofed, blocked, or private phone number. These attackers will attempt to gain the following information:
- Direct phone numbers,
- Employee titles and/or ID’s,
- Social security numbers,
- User credentials, and
- Any information about the technology or processes a company uses.
Real World Examples
Twitter. This attack vector was successfully used in 2020 against Twitter. By impersonating internal Twitter employees, attackers made vishing calls to Twitter’s tech support and consumer services employees. The attackers instructions were simple, ‘we need you to reset your password’. A few employees were duped and followed the instructions. As a result, attackers gained valuable credentials such as, usernames, passwords and multi-factor authentication codes. With these credentials the attackers could now access the Twitter’s back end and start collecting information. Ultimately, this vishing attack led to the hijacking of high profile Twitter accounts.
GoDaddy. According to a November, 2020 report by security expert Brian Krebs, a vishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com. Additionally, according to Krebs report, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests, according to Krebs, that the attackers behind the March incident succeeded by calling GoDaddy employees and convincing them to use their employee credentials at a fraudulent GoDaddy login page.
Often when criminals call the CSR/helpdesk/tech support personnel, they employ the ruse known as “mumble technique.”
The Mumble Technique
Generally, criminals use the mumble technique to target CSR’s/call center agents. An attacker mumbles a response to a question in hopes the call center agent will allow it to suffice. Additionally, attackers may use the mumble technique to impersonate an impaired customer or as a person calling on their behalf. In this report, online information brokers successfully use this scheme to dupe employees of Verizon Wireless. The result? The online brokers were able to obtain thousands of private cell phone records which they then sold.
Impersonating Tech Support to Vish Employees
Criminals may impersonate in-house tech support to target a company’s employees. They may use real or made up network speed issues or badging. They’ll use technical jargon to convince the employee that it’s “ok” to provide their company ID or badge number, first and last name, job title, and even social security number.
Vishing Attack—Impersonating Microsoft and Apple
In 2018, people reported losing over $55,00,000 in tech support scams according to the Federal Trade Commission (FTC). Which companies are impersonated most often? The well-known giants Microsoft and Apple. For example, in 2019 this vishing scam targeting IPhone users started making the rounds. What made this vishing scam so dangerous? It spoofs Apple’s customer support phone number and mimics Apple’s logo. Because of the high-threat the scam poses, iPhone users are cautioned not to answer calls from Apple unless they have requested one using the official Apple online support page.
Vishing attacks involving the impersonation of a Microsoft solutions architect have been around since at least 2009 and has targeted individuals in numerous countries, including the U.S., Canada, Australia, New Zealand, Ireland, and England.
Going forward another decade, Microsoft announced the end of support for Windows 7 on January 14, 2020. And, criminals were quick to take advantage and start vishing for victims. Known as the “Expiring License” scam, criminals call to suggest upgrading to Windows 10 or simply to let you know that the license is expiring. Of course their intent is anything but helpful. The goal is to gain remote access to victims’ computers and thereby access to banking information and login credentials.
Vishing Attack—Impersonating the IRS
In 2019, vishing scams topped the IRS “dirty dozen” list of annual tax scams due to their pervasive and persistent nature. Attackers reportedly used advanced tactics such as phone spoofing to make the call seem more legitimate. Attackers would also use fake IRS badge numbers for reference. The bad actors were quite aggressive in their approach. Issuing threats of what would happen if the target did not “pay immediately.”
These attacks signify the rampant use of vishing to scam individual users, particularly the elderly, new immigrants, or those who speak English as a second language. The Treasury Inspector General for Tax Administration (TIGTA) has received reports of roughly 290,000 contacts since October 2013 and has become aware of nearly 3,000 victims who have collectively paid over $14 million as a result of vishing scams. For more information on vishing and tax scams, please see this blog.
Why Pentesters Use Vishing in Security Audits
Pentesters primarily use vishing in security audits for the following purposes:
- Simulated attacks are an effective way to assess vulnerabilities.
- Extensive reporting provides actionable data about employee responses to various vishing attack scenarios.
- Ability to identify which departments or employees are most susceptible.
- Based on results from vishing assessment, develop a continuous assessment and training process to successfully combat vishing attacks.
Professional pentesters use the following equipment when simulating a vishing attack:
- Phone line, land line, cellular phone, burner phone, VoIP (internet phone) … as long as you can make the call, it all works.
- Spoofing technology—software, service or self served.
- Pretext—know whom you are impersonating so well that you are comfortable conversing and answering questions.
- Flag/goals—know what information you need to obtain and the questions you can ask to elicit that information.
Vishing attempts are difficult to monitor and trace, and attackers are increasingly leveraging this mechanism to extract information and compromise organizations. Employees in customer service, sales and HR departments are highly vulnerable to these types of attacks. Security audits that include simulated attacks such as Vishing as a Service®, are an effective way to assess vulnerabilities. However, the best way to ensure lasting behavior change is to teach employees how to identify and respond to vishing threats. All it takes is one vishing attack to potentially devastate a company.
Bonus: An Alarming Vishing Story
In July 2015, the Chief Financial Officer of Fortelus Capital Management LLP, a London-based hedge fund, received a phone call just as he was about to depart the office for the weekend. The caller identified himself as a financial representative from Coutts, the hedge fund’s bank. The caller advised the CFO of 15 suspicious charges on the company’s account that should be immediately cancelled. The CFO agreed to generate codes from the bank’s smart card security system to assist the caller with the removal of the “fraudulent” charges. The CFO, thinking he had solved the problem, hung up shortly after 6 pm and left for the weekend.
The following Monday, when the CFO logged in to the company’s bank account, he discovered that 742,668 pounds (that’s $1.2 million USD) had been withdrawn from the organization’s account. The CFO quickly called the bank, which had no record of the Friday call. In response, the CFO was fired from Fortelus, and is now being sued by the organization for failure to protect the company’s assets.