Matt Miller Social Engineering Social Engineering, vishing

Vishing – Phone Based Social Engineering

In our social engineering assessments, we typically utilize three different types of social engineering attacks: vishing, spear phishing, and bulk phishing. Most of our clients are familiar with phishing and spear phishing, but have questions about vishing. In this blog, we will talk about vishing, go over a typical attack, and explain why it can be so effective.

Vishing – What Is It?

Simply put, vishing is a social engineering attack that utilizes a phone call as part of the attack. In a vishing attack, an attacker calls the victim and entices them to provide sensitive information, click a link, or perform an action they otherwise would not perform. Now at this point, you may be wondering exactly how this works and what it looks like. You would probably be even more surprised that this is the most effective form of social engineering we perform. We typically see between 80% to 90% of the victims we contact fall for this type of attack. However, if I called you right now and asked for your password there is no way you would just give it to me, so how can this be? Let’s go over a sample vishing attack.

A Typical Attack

For our simulated attack, lets pick on ACME corporation. They are a large Fortune-500 retail organization that sells anvils to animated coyotes. Because they are a large organization, it is safe to assume that they have a lot of employees. It is also extremely likely that their employees don’t all know each other. Using this to my advantage, I will do some open source reconnaissance. Using websites like LinkedIn and some crafted Google searches, I will try to piece together a few things. First, I want to find an employee who is relatively new and part of the IT or software development team. Once I find one, I need to find his or her email address (typically first.last@acme.com) and a phone number for that employee or the overall company help desk. Once I collect that information, I have what I need to impersonate this employee.

Next, I will go to Google, buy a domain, and create an email address for that domain. A quick search reveals that I can purchase acme.training for $30 a year. Let’s get that and for an additional $5 we can add an email address, so we pick something like helpdesk@acme.training. Now that we have the domain, we need to set up a corresponding website that we’re going to use as part of our attack. I will usually search for a normal Acme employee logon page of some kind that is accessible from the Internet. If I can find one, then I can just clone the page, making my new, malicious website look and feel just like the other login portal that the employees are used to seeing.

The key difference between this portal and an employee portal is that it doesn’t actually validate your credentials when you hit logon. Instead, it just saves the username and password in a text file on the server that I control and redirects the user to another page. This allows me to harvest their credentials and then reuse them to gain access to things like email, VPN, etc. To take this attack a step further, I want to try to get them to download and execute a malicious file after they login, giving me remote access to their machine. To do this, I can redirect them after they “login” to a compatibility page. On that page I will might just list hundreds of fake requirements and different software versions that you might see on a typical software page (e.g. Adobe software requirements). Then, I will include a link at the top for a compatibility check script, which will download a malicious file to the user’s machine.

Now we are ready to make the phone calls that tie all those pieces of this attack together. Using SpoofCard, I can spoof my phone number to look like it’s coming from any number I want it to, such as the Acme’s help desk number and then place a call to a target. Here is a typical transcript of how that conversation will go from my perspective:

Good morning is this John Smith?
Great this is Joe Schmo from the IT department, how are you doing today?
Good! The reason I am calling is that we are setting up a new ACME training portal and I need to call a few people from each department to ensure it is going to work properly once we roll it out. This should only take a couple of minutes. I just sent you an email from our Help Desk email address, have you gotten that yet? [Sends Email]
OK, in that email there should be a link to the new portal. It should just be acme.training. If you can just click that link and login using the same credentials you use to login to your computer. Let me know when you get logged in and I will guide you through the rest of the process.
Perfect, now you should be on the compatibility page. Don’t worry about reading all those requirements, we can deal with that later if we need to. At the top, you should see a link for a compatibility checker, this will run a script that will check to make sure the website is going to work with your computer. If you go ahead and click on that, it should download a file. Then just click and run that file. [waits for connection from victim’s machine]
Ok, it looks like that worked and everything is working as expected. That’s all I need for now. Thanks very much for your time and have a great rest of your day!

As you can see, by the end of this call, I have the victims username and password and remote access to their machine. From here, I can use their system to pivot and attack the rest of the internal network.

Why Vishing Is So Effective

As I stated above, vishing is our most effective social engineering attack. Here are a few reasons why:

The victim can’t just ignore the email. Because we are on the phone with them, there is more pressure and urgency for them to comply.
Additional factors of trust are in place. With a vishing attack, the phone number looks like an internal number and we are posing as a valid Acme employee. So even if they look us up in the employee directory (which is pretty common), it will check out on the surface.
Employees are non-confrontational. Even if they have suspicions, most employees do not want to be confrontational with another supposed employee. With only an email, you can just ignore it or report the email.

Summary

Hopefully this was a good introduction to vishing. By the end, I hope you can see why it is so effective and you have a better understanding of the risk to your organization. Remember in a real-world attack, once I get one user to fall for it, I am just going to use my access to further attack the network and gain sensitive information. Most likely, I won’t need a second or a third phone call, and wouldn’t risk getting caught by trying my luck again. In our social engineering assessments, we will keep calling to ensure we get a holistic view of your risk and survey a representative sample of your employees. If you would like to discuss the benefits of a social engineering assessment further, reach out to us.