We define vishing as the practice of eliciting information or attempting to influence action via the telephone. The goal of vishing is similar to that of phishing: obtaining valuable information that could contribute to the direct compromise of an organization by exploiting people’s willingness to help. Attackers can “spoof”, or forge, the target organization’s outgoing phone number. They will also pose as an authority figure, technician or fellow employee to obtain sensitive information. Some attackers may use voice changers to conceal their identity.
Vishing is one of the most successful methods of gaining information to breach an organization. Indeed, vishing or telephone fraud cost Americans $10.5 billion in 2018 alone. Obtaining information such as employee ID numbers, social security numbers, user credentials, home addresses or any information about the technology or processes a company uses can be considered a success. This information can then be used for further information gathering, or to impersonate an organization’s employee, vendor or partner to successfully breach an organization or gain access to a specific customer’s account.
NOTICE: Never use this information to perform illegal acts! We discuss these details to help organizations prepare for possible social engineering attacks. Additionally, this information will help organizations mitigate against these attacks.
Customer Support/Helpdesk Personnel
Help desk personnel are some of an organization’s most vulnerable staff members. This is because their job is to provide “help” in a friendly and polite manner to callers. This is often exploited by an attacker to learn sensitive information.
Attackers usually obtain phone numbers from an organization’s website, in addition to any specific routing emails used for customer support. Attackers may call from a spoofed, blocked, or private phone number. These attackers will attempt to gain as much information as possible, such as:
- Direct phone numbers,
- Employee titles and/or IDs,
- Social security numbers,
- User credentials, and
- Any information about the technology or processes a company uses.
An attacker posing as a customer can usually cull enough information from social media and other sites to answer simple security questions. The attacker could also ask for a password reset, or try to change something on a customer’s account in order to gain access to it themselves.
The Mumble Technique
Generally, criminals use the mumble technique to target CSRs/call center agents. An attacker mumbles a response to a question in hopes that the call center agent will allow it to suffice. Additionally, attackers may use the mumble technique to impersonate an impaired customer or a person calling on their behalf. In this report, online information brokers successfully used this scheme to dupe employees of Verizon Wireless. The result? The online brokers were able to obtain thousands of private cell phone records, which they then sold.
One example of a tech support vishing attack is when an impersonator calls targets in reference to a real or imagined issue such as network speed or problems with badging. The attacker uses technical jargon to explain why they need the employee to answer a few simple questions, which could include the person’s company ID or badge number, first and last name, job title, and even social security number.
Vishing Rogers Communications
In March 2015, a group of attackers were able to gain access to 50-70 internal records for Rogers Communications’ business customers.
With one phone call and a solid story, the attackers were able to convince an IT support agent to provide the login credentials for a specific Rogers Communications employee. With the email address and password in tow, the attackers were able to access the entire portfolio of medium-sized businesses managed by the targeted employee. While no personal or financial information was contained in the agreements, it’s never fun to have to disclose an unauthorized access event to customers.
Microsoft Windows XP Solutions Architect
This vishing attack involving the impersonation of a Microsoft solutions architect has been around since at least 2009 and has targeted individuals in numerous countries, including the U.S., Canada, Australia, New Zealand, Ireland, and England.
The attackers would call a target posing as a member of Microsoft technical support, informing the victim that their computer was infected with a virus that was causing it to generate all sorts of error messages on the Internet. In order to fix it, the person would be told they needed to download a piece of software. The ultimate goal of the attack varied depending upon the individual running it. Some attackers sold victims fake anti-virus protection. Others would go directly after the victim’s bank account information. Some would take remote control of the victim’s computer. The most common goal was to get the victim to navigate to a website and download a special “solution” which was actually a piece of malware.
A decade later, Microsoft announced the end of support for Windows 7 on January 14, 2020, and criminals were quick to take advantage and start vishing for victims. Known as the “Expiring License” scam, criminals call to suggest upgrading to Windows 10 or simply to let you know that the license is expiring. Of course, their intent is anything but helpful. The goal is to gain remote access to victims’ computers and thereby access to banking information and login credentials.
London Hedge Fund Loses $1.2 Million on a Friday Afternoon
In July 2015, the Chief Financial Officer of Fortelus Capital Management LLP, a London-based hedge fund, received a phone call. The call came just as he was about to depart the office for the weekend. The caller identified himself as a financial representative from Coutts, the hedge fund’s bank. The caller advised the CFO that there were 15 suspicious charges on the company’s account. These charges needed to be immediately cancelled. The CFO agreed to generate codes from the bank’s smart card security system to assist the caller with the removal of the “fraudulent” charges. The CFO, thinking he had solved the problem, hung up shortly after 6 pm and left for the weekend.
The following Monday, when the CFO logged in to the company’s bank account, he discovered that 742,668 pounds (that’s $1.2 million USD) had been withdrawn from the organization’s account. The CFO quickly called the bank, which had no record of the Friday call. In response, Fortelus fired the CFO, and to top it off, he is now being sued by the organization for failure to protect the company’s assets.
Vishing Scam Impersonating Microsoft and Apple
In 2019, this vishing scam targeting iPhone users started making the rounds. What made this vishing scam so dangerous? It spoofs Apple’s customer support phone number and mimics Apple’s logo. Because of the high threat the scam poses, iPhone users are cautioned not to answer calls from Apple unless they have requested one using the official Apple online support page.
Vishing Attack—Impersonating the IRS
In 2019, vishing scams topped the IRS “dirty dozen” list of annual tax scams due to their pervasive and persistent nature. Attackers reportedly used advanced tactics such as phone spoofing to make the call seem more legitimate. Attackers would also cite fake IRS badge numbers for reference. The bad actors were quite aggressive in their approach, issuing threats of what would happen if the target did not “pay immediately.”
Penetration Testers and Social Engineers
Pentesters primarily use vishing in security audits for the following purposes:
- Simulating attacks, which is an effective way to assess vulnerabilities.
- Producing extensive reporting that provides actionable data about employee responses to various vishing attack scenarios.
- Identifying which departments or employees are most susceptible.
- Developing, based on the results of the vishing assessment, a continuous assessment and training process to successfully combat vishing attacks.
Professional pentesters use the following equipment when simulating a vishing attack:
- A phone line: land line, cellular phone, burner phone, VoIP (internet phone) … as long as you can make the call, it all works.
- Spoofing technology: software, a service, or self-hosted.
Pentesters also prepare the following:
- Pretext: know whom you are impersonating so well that you are comfortable conversing and answering questions.
- Flags/goals: know what information you need to obtain and the questions you can ask to elicit that information.
Vishing attempts are difficult to monitor and trace, and attackers are increasingly leveraging this mechanism to extract information and compromise organizations. Security awareness training equips leadership to know how their organization will respond to vishing attacks.