Lessons from Real World Vishing
Vishing is often the component of social engineering that people are the most nervous about. If you want live proof of this, stop by the SEVillage at DEF CON and you can see exactly how nerve-wracking vishing is for the contestants.
Compared to a phishing email, the risk with vishing feels higher – if you get caught, the target will call you out directly on the line, and the reality is, most callers are not equipped to handle it. There is also the chance that the target will refuse to comply with your request, whether the call seems suspicious or the individual is just plain uncooperative; this can and will happen. When challenged, it’s best to roll with the punches and leverage the information you did obtain. You can also opt to end the call and try again on a different target but never, ever break character!
When I was in college (gooooo DAWGS) I often found that a great way to prepare for an upcoming exam was to make a trip to my sorority’s test vault where I would have the opportunity to leverage existing tests from older sisters who had already taken the same course. I would learn from past mistakes and how to maneuver the tricky parts. This month I have taken a dive into the SE vishing vault. I have pulled, sanitized and transcribed a random vishing call to help educate our readers on phone elicitation techniques.
Before we get to the call transcript, I would like to stress the value of voice elicitation for OSINT. Even if you are unsuccessful in obtaining a compromise on the first call, voice elicitation is a very powerful tool for obtaining information. This information can be applied in other elicitation attempts to build credibility, resulting in a strong compromise. On the flip side: If you receive an unsolicited call, do not give out ANY information without first verifying the identity of the caller.
The following is a transcript from a real vishing call. Please note this information has been sanitized, no real names, numbers or information have been disclosed for this educational exercise.
Visher: “Hi it’s Britney Simon calling from Real Estate and Facilities, how are you today?”
The target is likely wondering why they have received an out of the blue phone call from a department they’ve never interacted with. A strong opening with an authoritative voice is key to making the target feel obligated to comply with upcoming requests.
Visher: “Well the reason why I’m calling is because we just conducted an upgrade to our badging system last night and in doing so suffered some pretty widespread data corruption. Right now we’re just trying to get the mess sorted. About 500 or so employee accounts have been flagged for data corruption leading to issues with badges and your account was one of them.”
The hardest part of talking to strangers is getting them to engage. I have outlined a problem that has not only impacted my target but also a large set of other individuals and an immediate need to fix it. By incorporating this group mentality, my target does not feel alone and will be more likely to comply with the request. Remember: it is human nature to help, and we as social engineers want to elicit this natural desire.
Visher: “I’ve been tasked with getting this remediated as quickly as possible, so I first need to verify that you haven’t had any access issues with your badge today.”
Target: “No, um, it even works on the printer and everything.”
The target has just provided me with a new bit of information that I did not know before. ID badges are also used at the printer. This bit of information makes the call a success even if the end result is a shutdown. Why? Because now I can incorporate this into my initial pretext on the next call to seem more legitimate. I might says something like “I first need to make sure you haven’t had any issues with your badge today – I can see you’ve used the printer a lot but I don’t see any entry and exit logs for today- did you follow someone in?” Of course if this is incorrect the person will want to figure out why their information is incorrect in the system and odds are they will provide any information necessary to remediate it.
Visher: “Alright, that is really interesting, so what I need to do now is figure out why your account has been flagged and see about getting that removed.”
Visher: “Please bear with me while I try to figure this out – I am going to run through the information I have attached to your account really quick just make sure that what we have in the system is accurate, now… I’m showing that your department is Benefit Contracting.”
Note the tone here is very polite but still authoritative. If the tone of this conversation was less authoritative the target would perhaps not feel as though their cooperation was imperative. Note the lack of time between requests. I asked the target to bear with me while I figured things out but then immediately dove into a request to verify the target’s department. thereafter. The target did not have time to fully process the request and therefore was more likely to proceed with verification of information.
Target: “Yes, that’s correct.”
By verifying several small bits of information, I am further legitimizing myself, but also building on the sensitivity of the information I am looking to capture. This same technique can be used by telemarketers or those looking for a donation. In this situation, the request will start really large, “Would you be able to donate $500 today?” The answer will be no but then they continue, “We understand that’s a lot of money, so what about $150?” The answer will likely still be no. Eventually the request makes its way down and by the time the request is for $25 the target is far more likely to comply because it’s more reasonable than the initial request.This is known as the “Door in the Face” technique.
Visher: “And I see the best number to reach you is 888.777.9911 – and that your employee ID number is 123457.”
Often when conducting voice elicitation, I find great success when leveraging deliberate false statements. Deliberate false statements work best when followed by an ever so brief pause- it gives the target an opportunity to correct you. All of the previous information I have requested the target to verify to this point has been correct. However, I do not know the target’s real employee number. I am trying obtain this flag. By providing the incorrect number, most targets will automatically jump to correct it. No one wants to be labeled as the wrong thing, and everyone wants their employer to have accurate information because it’s how they get paid. However, this call is particularly interesting because this employee has verified that the false statement (in this case the incorrect employee ID I provided) is in fact correct. While I know this to be untrue, I cannot break character and call the target out for lying, so I am forced to continue on.
Visher: “Ok, hmmm… well if all of the information we have is correct, I am still trying to figure out why your account has been flagged. How many times have you printed today?”
Target: “I did once this morning and then once after lunch.”
Visher: “Hmmm, so twice – I am just looking at your account here and it’s showing me you’ve printed more times than that. So we may have someone else’s employee ID tied to your badge. What I’m going to have to do is a badge reset for you to ensure your physical badge is tied to your employee ID number and not someone else’s, (laughs) man what a day, this is such a mess.”
Target: (laughing too)“Ok sure.”
Visher: “Okay, can you tell me again your employee ID number? I just hit reset and it wiped the old one out.”
Target: “Yes it was 1234567.”
At this point I have successfully used information provided earlier in the call; the fact that the employee ID badges are used for printing to extract the correct employee ID number, even though the target shut me down initially by going along with a deliberate false statement.
Visher: “Okay so what I’m doing now is conducting the actual reset, give me just a second here…”
Target: “Okay no problem.”
Visher: “Now while I’m doing this, let me say, if you have any issues getting in and out of the building you can just give us a call back- let me just give you my direct number- and we can perform another reset. Are you ready for that? “
Target: “Okay, go ahead.”
Visher: “It’’s 877-777-1111”
By offering to provide a contact number (which isn’t actually real), I am making the caller feel more comfortable with me before I make a request for additional sensitive information.
Visher: “Now I have almost completed a badge reset for you, but the system is prompting me to verify that the last four digits of your social security number are 0123 to complete the reset.”
Target: “No, no, that’s not correct – it’s 1234.”
This time the deliberate false statement worked, helping me to obtain the last four digits of the target’s social security number. By now I have gained their trust.
Visher: “Oh goodness, I’m glad we caught that, you are definitely one of the accounts that suffered from data corruption, just a couple more seconds here and I am going to have you set to go.”
Visher: “Alrighty, we are complete with the reset and you are good to go.”
Target: “Ok thank you.”
Visher: “Have a great afternoon.”
Target: “Same to you.”
Visher: “Bye, bye.”
Why was this call successful? It is not because I am a mad genius.. It is because I am flexible and resourceful. Perhaps the greatest takeaway from the transcript above is how important it is to be flexible and think on your feet. Unfortunately, humans are not as easy to secure as web servers. All it takes is a single conversation and a few bits of information to lead to a compromise. The very best social engineers take a situation and maximize the resources available, but remember success is not guaranteed. Even if a vishing call does not result in a complete shut down, do not be discouraged, adapt the information you obtained and leverage it for an even greater compromise!
On the flip side, think very carefully about the information you give out. Even in a casual conversation, the most successful social engineers will be able to pick up on the tiniest details and leverage them against you.
Written by Jessica Clark