Phishing – the theft of users’ credentials or sensitive data using social engineering – has been a threat since the earliest days of the Web, and is still the main weapon in an attacker’s arsenal today for one simple reason: it works. Verizon’s Data Breach Investigations Report lists phishing among the biggest security threats to organisations, with over 30% of all breaches involving it. Attackers have ramped up their phishing attempts since the start of this year, trying to steal employees’ login credentials and exploit the mass migration to remote working during the pandemic.
To do this, some hackers have gone beyond the usual email scams and revived the old-school technique of vishing (voice phishing by phone), in which they target individuals and attempt to get them to divulge login details or other sensitive credentials during a call. These hackers have also updated this old-school scam with some new tricks to help them overcome suspicion and improve their chances of success.
This research details scenarios where attackers have successfully used vishing to gain access to corporate systems, describes a WhatsApp account takeover, and details tricks that hackers use to make their vishing schemes more deceptive.
Recent surges of sophisticated vishing attacks have caught the media’s and the public’s attention. In August 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory warning of a wave of vishing attacks targeting US private sector companies. According to the advisory, the threat actors typically call employees working from home to collect login credentials for corporate networks, which they later monetise by selling the access to other groups.
According to a recent article on KrebsOnSecurity, a professional cybercriminal group has been offering vishing attacks for hire. The group serves customers seeking access to specific companies. They target employees who work from home, attempting to obtain their VPN credentials and thus gain access to the company network. The attack combines a one-on-one phone call with credible-looking phishing sites where the user is required to fill in their credentials and if necessary their multi-factor authentication (MFA) codes.
Before they make their vishing calls to employees, the hackers compile information on their targets from public profiles on social media platforms – primarily LinkedIn – to create a convincing persona when they make their calls and present themselves as corporate IT help desk representatives.
Independent attackers or small cybercriminal groups are commonly behind such attacks, but recently we have witnessed APT groups integrating vishing into their arsenal. Government-backed groups, such as the Iranian Charming Kitten and the North Korean Lazarus groups, use vishing as part of complex phishing attempts. Advanced cybercrime groups have also adopted vishing as an efficient and more controlled tactic to ensure the success of the phishing phase. One such group is Evilnum, an espionage group that targets selected Fintech companies engaged in e-trading and investments in Europe. The group uses tailored vishing as part of an attempt to lure the company into executing its malicious files, starting with a phone call to account managers in which the attackers show interest in becoming customers of the targeted companies.
The roots of vishing: Tech-support scams
So where does vishing originate from? It has its roots in the infamous tech support scam. In this scam, individuals receive a pop-up alert on their PC notifying them that their computer has been breached or infected with malware and that professional phone support is required to help fix the ‘problem.’ Alternatively, users receive phone calls from alleged tech support representatives from reputable software providers, claiming they have detected malware on the target’s machine. They then try to convince the user to download remote access software under the pretext of assisting them in mitigating the incident. The attacker then installs real malware or a Remote Access Tool on the victim’s machine, in addition to requesting a payment for the service, thus receiving the victim’s financial information as well.
The usual targets for these scams are older individuals who may be less tech-savvy. According to the Federal Trade Commission (FTC), in 2018 these scams led to the loss of US$55 million. Adults over the age of 60 are about five times more likely to report losing money on such scams.
Tech Support Scam – Windows Defender version. Source: BleepingComputer
Hijacking Instant Messaging Apps
Another type of vishing attack offers a bypass of the 2FA security mechanisms used on various websites and mobile apps. Two-factor authentication (2FA) is the most common form of MFA (Multi-Factor Authentication) today. It requires two types of evidence from the user: something the user knows (a password, PIN or ID number) and something the user has, typically a phone that receives a one-time password (OTP) via SMS.
In such a vishing attempt, the attacker initiates a login or account registration using the victim’s phone number, which triggers an OTP sent to the victim’s phone, and then casually asks for that code over a phone call, pretending to be a support representative in the process of aiding a customer. The code is available only to the victim, so if the victim discloses it, the attacker is granted full access to the account, which could be a financial/bank account or an instant messaging app.
A recent campaign attempted to take over WhatsApp accounts by prompting victims to hand over the 2FA codes sent to them via SMS. Once an account is hijacked, the victim’s WhatsApp is used to repeat the attack against all of the victim’s contacts.
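The following is an added example, not code from this post or from Check Point: a toy Python model of the flow just described. It shows why an SMS one-time password can be relayed over a phone call (it is a bearer code the victim can simply read out), whereas a challenge bound to the login session and signed on the victim’s device cannot be replayed into the attacker’s session. All class and function names are hypothetical, and an HMAC over a per-device secret stands in for the authenticator’s asymmetric key pair.

```python
"""Toy model of two second factors under a vishing call (added example, not from the post)."""
import hashlib
import hmac
import secrets


class Phone:
    """Victim's handset: receives SMS and can be asked to read the last one aloud."""

    def __init__(self):
        self.inbox = []

    def receive_sms(self, text):
        self.inbox.append(text)

    def read_last_sms(self):
        return self.inbox[-1] if self.inbox else ""


class Authenticator:
    """Device-bound factor: holds no readable code, only signs challenges it is handed."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # stand-in for a private key that never leaves the device

    def sign(self, challenge, origin):
        return hmac.new(self._key, challenge + origin.encode(), hashlib.sha256).digest()


class Service:
    ORIGIN = "https://app.example"  # hypothetical relying party

    def __init__(self):
        self.users = {}       # name -> {"phone": Phone, "auth": Authenticator}
        self.otps = {}        # name -> pending SMS code
        self.challenges = {}  # session_id -> (name, challenge)

    def register(self, name, phone, auth):
        self.users[name] = {"phone": phone, "auth": auth}

    # SMS one-time password: a bearer code that anyone holding it can submit.
    def start_sms_login(self, name):
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[name] = code
        self.users[name]["phone"].receive_sms(f"Your login code is {code}")

    def finish_sms_login(self, name, code):
        pending = self.otps.pop(name, "")
        return f"session:{name}" if pending and hmac.compare_digest(pending, code) else None

    # Challenge bound to the session that requested it and signed on the enrolled device.
    def start_device_login(self, name, session_id):
        challenge = secrets.token_bytes(16)
        self.challenges[session_id] = (name, challenge)
        return challenge

    def finish_device_login(self, session_id, signature):
        name, challenge = self.challenges.pop(session_id, (None, None))
        if name is None:
            return None
        # HMAC verifier recomputes the tag; a real relying party checks a signature
        # with the public key registered for this user instead.
        expected = self.users[name]["auth"].sign(challenge, self.ORIGIN)
        return f"session:{name}" if hmac.compare_digest(expected, signature) else None


def vish_sms_otp(service, victim, victim_phone):
    """Attacker triggers the SMS from their own browser, then asks the victim for 'the code'."""
    service.start_sms_login(victim)
    code = victim_phone.read_last_sms().split()[-1]   # victim reads the SMS aloud
    return service.finish_sms_login(victim, code)     # attacker is logged in as the victim


def vish_device_bound(service, victim, victim_auth):
    """Same call, but all the victim can produce is a signature over their OWN session's challenge."""
    service.start_device_login(victim, "sess-attacker")              # attacker's login attempt
    victim_challenge = service.start_device_login(victim, "sess-victim")
    # Coached over the phone, the victim logs in on the real site and reads out the result.
    # The device only signs the challenge its own session fetched, never one dictated by a caller.
    readout = victim_auth.sign(victim_challenge, Service.ORIGIN)
    attacker_result = service.finish_device_login("sess-attacker", readout)  # None: wrong challenge
    victim_result = service.finish_device_login("sess-victim", readout)      # victim's own login works
    return attacker_result, victim_result


def demo():
    svc, phone, auth = Service(), Phone(), Authenticator()
    svc.register("alice", phone, auth)
    sms = vish_sms_otp(svc, "alice", phone)
    attacker, victim = vish_device_bound(svc, "alice", auth)
    return {"sms": sms, "device_attacker": attacker, "device_victim": victim}


if __name__ == "__main__":
    print(demo())
```

The SMS path succeeds because the code carries no information about which login attempt it belongs to; the device-bound path fails because the signature covers a challenge the service tied to the victim’s session and the origin, so nothing the victim can read out is valid for the attacker’s session. The same reasoning applies to push approvals: a bare “approve?” prompt is still vishable, whereas an assertion bound to the session and origin is not.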
Examining the modus operandi of such calls, we can see that while a well-known company’s identity or brand is often leveraged for the scam, the targets are widely distributed and anyone can be attacked. The scammers’ goal could be financial theft and/or espionage. They therefore ‘distribute’ the scam to the masses, either the general population or tens of employees within a targeted organisation, hoping that as many users as possible fall victim. We can assume that the target list is assembled from leaked customer databases, employees whose phone numbers are publicly available online, and similar sources.
Targeted Corporate Vishing
In July 2020, Twitter suffered an unprecedented attack in which hackers gained access to dozens of Twitter’s most high-profile accounts, including those of Barack Obama, Joe Biden, Jeff Bezos, Elon Musk and others. The attackers tweeted bitcoin solicitations that yielded more than US$100K in a few hours. It was later discovered that the attack began with a vishing call that convinced Twitter employees to grant access to Twitter’s internal tools.
This attack hints at the nature of the current wave of sophisticated, well-planned phishing attacks targeting major organisations. Unlike traditional tax or social security-related scams, these attacks specifically target carefully selected users by gathering extensive information about them from their social media profiles and other publicly-available resources, and choosing employees deemed most likely to cooperate prior to making the call. The chosen employee therefore has to be a person with access to the desired resources, or at least adequate corporate credentials.
Vishing can also be a single step in a sophisticated, multi-stage attack. In a campaign affiliated with North Korea, vishing was used after initial contact between the attacker and the victim was made via email, to lend credibility to the attacker and eventually lure the victim into opening a malicious file. The campaign targeted government entities and attackers successfully gained access to their networks by targeting a single employee, offering them a ‘dream job’ at a prestigious company. The ‘recruitment process’ would eventually result in an alleged contract sent to the victim via email, to be opened on the corporate desktop. In the process, a phone call alerted the candidates that a contract would be sent to them shortly.
As mentioned above, vishing can be integrated into a multi-stage attack in various ways. Below are three options:
Attack Flow No. 1 – Vishing as the initial stage of a distributed end user attack
Attack Flow No. 2 – Vishing as the initial stage of a targeted corporate attack
Attack Flow No. 3 – Vishing as a middle stage of a targeted corporate attack
Remote Employees and New Hires
The social distancing demanded by COVID-19 has resulted in many changes to the way we work. Large organisations restructured to accommodate a remote workforce with access to corporate resources via RDP and VPN connections. This presents many opportunities for vishing operations, as attackers can easily pretend to be a colleague in need of assistance with VPN access, corporate credentials or other company information over the phone. Attackers tend to drop the company name as well as keywords such as “ticket” and “case”, and real team names, into the call to make it sound routine and credible.
New hires are the prime target for this attack. Newly hired employees are an easy target as they don’t know many people within the organisation and expect to be contacted by multiple company representatives: tech support, HR, maintenance, colleagues they’ve never met, and more. They are therefore more likely to divulge their credentials to a caller offering software installations, a security check-up or system updates.
“Social Engineering for Hire”
The people behind voice phishing attacks vary. They may be fluent English speakers hired by attack groups to perform the calls, likely from a pre-written script, in exchange for a small sum. They may also be independent hackers specialising in social engineering who are capable of conducting an end-to-end vishing operation, including the reconnaissance stage that precedes the actual call. Recent research reveals that such actors are currently recruited on online hacking forums, with recruiters promising high pay for their talents.
Example of a “Social Engineer Needed” post from OGusers hacking forum
Recently, Check Point Research was asked to investigate vishing attacks against an international corporation’s employees. The company received six vishing phone calls within three months; two of them are presented here in detail.
The First Call – late June
The attacker called the company’s technical support center via a publicly available number and requested to speak with a representative. Based on the conversation, the caller had dialled a specific support center but was automatically redirected. Based on the area code, the call appeared to originate from Miami; note that caller ID is easily spoofed, so the area code only tells us what the attacker chose to present. After further investigation, we discovered that the same phone number had been used and reported as phishing by users in Asia (Singapore, the Philippines and Japan) and Europe (the UK, Poland and Bulgaria). Individuals reported that callers from the same number asked for contact details of fellow employees.
Phone number report history on the phone lookup service ‘spamcalls.net’
The attacker introduced herself as an existing company employee, whose public profile was consistent with the caller’s accent. We can assume that the caller was carefully selected to match the employee used as cover, and that the attackers verified that the employee was still working at the company. During the call, the attacker requested the phone numbers of two other employees, both of them real company employees. The request was polite and accompanied by a spelling of the names, and shortly after that, the caller suggested the representative install TeamViewer, a remote control application, allegedly to help the representative locate the desired phone numbers. Overall, the caller demonstrated high acumen. It is likely she was reading from a script to ensure the use of proper grammar.
Below is a partial transcription of the call. Please note that all names were replaced to protect the targets’ identity:
The Second Call – Early September
Similar to the above incident, the attacker reached out to the company’s technical support center via a publicly available number and requested to speak with a representative. In this case, the attacker used a cover story involving a major telecommunications company, and the representative was more suspicious than before. This time, she used a number with a San Francisco area code and no known spam reports online.
Below is a partial transcription of the call. All names have been replaced to protect the targets’ identity:
The phone calls
To summarise, in this new vishing wave attackers are definitely doing their homework before making their calls. In both cases, an existing company employee was selected as cover and a decoy story was fabricated. Interestingly, the employees whose numbers the attackers attempted to obtain in the above calls belong to the same department. It is possible that the department was selected in advance, perhaps by a potential buyer or because of the unique value of the information it holds.
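The pattern above (the same external number reported elsewhere, repeated requests for colleagues’ contact details, a push to install remote-access software, and several calls converging on one department) can be turned into a simple triage rule for support-desk call records. The following is an added example, not part of the investigation or Check Point’s tooling: it runs over constructed call-log lines with fictional numbers, and the reputation table is a stand-in for a public lookup service such as the one cited above. Field names, keywords and department names are assumptions for the illustration.

```python
"""Triage of support-desk call notes for vishing indicators (added example, constructed data)."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, caller number, queue, agent notes. Numbers are fictional.
CALL_LOG = """\
2020-06-24T14:02:11Z,+13055550142,helpdesk,"Caller 'M. Alvarez' (claims Sales, EMEA) asked for phone numbers of two colleagues in Treasury; offered to walk agent through installing TeamViewer"
2020-07-02T09:15:40Z,+13055550142,helpdesk,"Wrong number, transferred to reception"
2020-07-19T16:48:03Z,+14155550199,helpdesk,"Routine password reset, identity verified via ticket #"
2020-08-05T11:22:57Z,+442075550120,helpdesk,"Caller from 'telecom provider' asked for extension of an employee in Treasury"
2020-09-03T13:05:19Z,+14155550177,helpdesk,"Caller 'telecom provider' requested contact details for Treasury team lead, asked agent to open a remote session"
2020-09-10T08:40:00Z,+14155550177,reception,"Asked to be connected to Treasury"
"""

# Constructed stand-in for a number-reputation lookup: number -> countries where it was reported.
REPORTED_NUMBERS = {"+13055550142": ["SG", "PH", "JP", "GB", "PL", "BG"]}

CONTACT_REQUEST = re.compile(r"\b(phone number|contact details|extension)s?\b", re.I)
REMOTE_ACCESS = re.compile(r"\b(TeamViewer|AnyDesk|remote session|remote control)\b", re.I)
DEPARTMENT = re.compile(r"\b(Treasury|Finance|HR|Legal|Engineering)\b")  # assumed org units


def parse_calls(text):
    """Parse CSV call records into dicts with a datetime timestamp."""
    calls = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, number, queue, notes = row
        calls.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "number": number, "queue": queue, "notes": notes})
    return calls


def score_call(call, reported=REPORTED_NUMBERS):
    """Per-call indicators; any hit is worth a second look by the security team."""
    reasons = []
    if call["number"] in reported:
        reasons.append("number reported as scam in " + ",".join(reported[call["number"]]))
    if CONTACT_REQUEST.search(call["notes"]):
        reasons.append("asked for colleagues' contact details")
    if REMOTE_ACCESS.search(call["notes"]):
        reasons.append("pushed remote-access software")
    return reasons


def detect(text, window_days=90, reported=REPORTED_NUMBERS):
    """Return (per-call alerts, departments targeted by several contact requests in the window)."""
    alerts = []
    by_department = defaultdict(list)
    for call in parse_calls(text):
        reasons = score_call(call, reported)
        if reasons:
            alerts.append({**call, "reasons": reasons})
        dept = DEPARTMENT.search(call["notes"])
        if dept and CONTACT_REQUEST.search(call["notes"]):
            by_department[dept.group(1)].append(call)
    # Correlate across callers: number rotation defeats blocklists, but the target does not change.
    campaigns = {}
    for dept, calls in by_department.items():
        calls.sort(key=lambda c: c["ts"])
        if len(calls) >= 2 and calls[-1]["ts"] - calls[0]["ts"] <= timedelta(days=window_days):
            campaigns[dept] = sorted({c["number"] for c in calls})
    return alerts, campaigns


if __name__ == "__main__":
    found, targeted = detect(CALL_LOG)
    for a in found:
        print(a["ts"].date(), a["number"], "|", "; ".join(a["reasons"]))
    print("departments targeted by repeated contact requests:", targeted)
```

The per-call score catches the individual suspicious calls, but the department correlation is the more durable signal: the attackers in the text changed numbers between calls, so the third rule keys on what they asked for and about whom rather than on the caller ID.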
Key factors for a Successful Vishing Operation
A successful vishing operation relies on three key factors:
- Intelligence – the scam callers used existing employee names as a cover story tailored to the situation. This could be based on LinkedIn research, mapping of the organisational structure, identifying key employees with privileged access to resources, and so on.
- Operators – as detailed above, attackers actively recruit fluent English speakers or skilled social engineers to make the calls. Based on the call transcriptions we obtained, we assume that when the speaker is not an experienced attacker, a tailored script is written for each operation in advance, including replies for multiple scenarios.
- Phone infrastructure – the attackers could use landline or wireless (mobile) phone lines. They could also use VoIP (Voice over IP), which requires a VoIP server and, as a practical matter, lets the caller present an arbitrary caller ID. When using phone lines, we can assume that the attackers change the phone number regularly to avoid being classified as a source of fraudulent calls. When using IP phones, we must take into account that the attackers could use VoIP lines obtained illegally, by hacking into a company network and utilising its VoIP infrastructure, which is usually located on the corporate network.
Protecting against vishing scams
- Unless you are absolutely certain that you know who you’re speaking to, never give out personal information over the phone, especially payment-related details
- Never read out a one-time code sent to your phone to a caller; a code arriving during a call you did not initiate means someone else is trying to log in as you
- If you are uncertain about the identity of the caller, hang up and call back on a number you obtain independently (the company’s official website or your own records), not on a number the caller gives you
- Never agree to conduct wire transfers or “virtual” payments for callers you do not know
- Knowledge and education are key. The more alert you are to these types of scams, the less likely you are to fall victim to them
- Hanging up on suspicious or unverified calls is never rude or a bad habit
- Make it a point to report suspected calls or fraud attempts to your bank and your security team as soon as possible
After investigating these vishing attacks, there is no doubt that this fraudulent practice is making a comeback. Attackers are using vishing calls as part of a sophisticated attack chain to overcome security hurdles such as two-factor authentication, and as a complementary phishing step in a broader deception scam. The targeted companies mentioned in the examples are still receiving fraudulent calls, so far with no documented success.
We can also assume that if the type of targeted vishing described here continues to prove successful, more nation-state actors and elite ransomware groups will adopt the technique. For now, the most important prevention step is to raise awareness of these returning attack vectors, especially among call center representatives but generally across all organisations, alongside network and endpoint security controls.