Vishing, or eliciting information over the phone, is a common social attack vector. It’s proven to be one of the most successful methods of gaining information needed to breach an organization, even when used by an inexperienced attacker. When you can’t hack your way through your pentest, when you can’t break in with your red-team, when your phishes are blocked or ignored…simply call someone up and get the info you need.
The question now being, how do we succeed? Let’s go over five easy points that contribute to successful vishing.
For our first point, let’s look to something Sun Tzu is often quoted as saying, “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles…” A common, cliched saying, but very true in this context. Knowing as much about your target or targets beforehand is key. Every little piece of information can hold value in your engagement. Collect, categorize, and have your information ready during your calls.
Secondly, your pretext is vitally important to a successful engagement. There are many articles on formulating a good pretext, such as the one found on our framework in the Pretexting Section. This post may help you understand some basics to keep in mind. For instance, make sure any pretext you choose is going to match up with how you come across. If you are a young male, it is going to be very difficult to play the part of someone’s grandmother over the phone, and while it may be possible using other vectors, and even highly successful as a pretext, it’s most likely not going to be the best one for you. Also, it’s better to have a pretext that is something you are comfortable with, if not one with which you are familiar. Best case is having either experience in the field of your pretext or to have the pretext suit your personality or skills. This will allow you to adopt it more fully and carry it out more believably. Once you have your pretext in mind, become the pretext, act like the pretext, and talk like the pretext throughout the entire engagement.
Our third topic centers on another principle of influence, Commitment and Consistency. Once we are that person, we stay that person through both success or shutdown. The moment we break character is the moment red flags go up in our target’s mind. They don’t know we aren’t who we say we are and they often don’t know the value of the information they hold. This allows us to draw attention away from security awareness and be successful in becoming someone they trust. We maintain character despite everything they ask, throw, or say to us.
The fourth piece to our vishing puzzle is flexibility. There will be times when our information comes up short or our pretext is questioned and even the most consistent attacker ends up raising some flag in the target’s mind. We need to be flexible while being able to hold character without losing our cool, acting and responding as the pretext would. Our targets are human beings capable of infinite diversity and chaos. Things happen and we must adapt.
Our final, and maybe the most important part of this process, is documentation. Good documentation and notes are key. If at all possible, take notes either in physical, digital, or audio form while on your call. After a successful attack (or especially an unsuccessful one) notes can be very valuable to review. Documentation can provide key pieces of information for future attacks or provide hints as to why we succeeded or failed.
Let’s recap the five pieces to our vishing success:
- Knowledge is power so get as much of it as you can before you pick up the phone.
- A believable and appropriate pretext that you can pull off.
- Stick with your pretext, commit, and be consistent.
- Be flexible. Adapt without breaking character.
- Documentation. Take it seriously.
These five aspects will lead to success as a professional visher and can even lead to success despite “failures.” If you follow these principles you will find yourself growing to be an adept and proficient visherman. So, ‘til next time… “Gone Vishing.”