VISHING 101

DEFINITIONS

WHAT IS VISHING?

Vishing (voice phishing) attacks are conducted over the phone and rely on social engineering, often in combination with spoofed caller IDs and personal information gained through earlier breaches or open-source reconnaissance. The caller manipulates the recipient into a false sense of trust in order to extract sensitive or protected information, or to get them to take an action such as resetting a password or granting access to an internal system. When perpetrated on an employee (who may be particularly vulnerable in a helpdesk, customer-support or tech-support position), the damage can be severe: loss of proprietary information, financial theft, public-relations fallout and costly regulatory exposure.

HYBRID VISHING

A tandem approach in which an email and a related live phone call carry the same message, so victims are more likely to trust its legitimacy and sense of urgency.

Similar to the scenario above, in this case the adversary, often working with a teammate, sends targeted employees an email containing enough personal information to lend it credibility and then follows it with an immediate phone call delivering the same message. An employee may be suspicious of either approach on its own, but in combination they convey a greater sense of legitimacy and urgency. Again, once a voice connection is made, the skilled visher uses social engineering techniques to coerce the employee into divulging sensitive information or providing access to internal systems and data.

Callback Phishing

Callback phishing, also referred to as telephone-oriented attack delivery (TOAD), is a social engineering attack in which the lure (typically an email posing as a trusted source) carries no malicious link or attachment, only a phone number, so the threat actor must interact live with the target to accomplish their objectives. This style is more labor-intensive than link-based phishing, but it needs little technical infrastructure beyond a phone number and a call agent, it slips past email filters that look for malicious URLs and attachments, and it tends to have a much higher success rate.

Autodial Robocall (Wardialing)

A recorded voice message with an urgent or threatening tone demanding an immediate call-back, delivered to a large pool of recipients via computer-generated autodial calling.

In this basic, automated approach, the adversary, using a spoofed (falsified) Caller ID, delivers an urgent pre-recorded message via auto-dialer to specific regions or to sequential numbers within the organization's exchange range (a sweep sometimes called "wardialing"; strictly, wardialing is the older practice of dialing whole number blocks to find modems and other answering systems, and the sequential dialing pattern is what the two have in common). The message appears to come from a trusted source such as a bank or government agency and includes a call-back phone number. If the victim calls that number, they are connected to a call-center agent who is a criminal co-conspirator. That agent in turn attempts to trick the employee into handing over system credentials, user information, personally identifiable information, credit card account numbers or even direct funds transfers.

Neighbor Spoofing & Enterprise Spoofing

A scam robocall campaign targeting a specific population, with a spoofed caller ID/Caller Name that resembles a source the individuals in that group are likely to trust.

Building on the above scenario, the vishing attacker can set the Caller ID to a number that matches the call recipient's area code or the business's own number prefix, increasing the likelihood that an employee will trust it and return the call to a presumed colleague (a tactic known as "neighbor spoofing"). In this case the recorded message impersonates an internal source, such as a member of technical support or human resources, and requests a call-back about a supposed issue that needs immediate resolution. The adversary can also set the Caller Name (CNAM) to that of an organization or agency familiar to the company (known as "enterprise spoofing") and deliver a message requesting an immediate call-back on an urgent matter with, for instance, a corporate account, tax matter or legal issue. Both the number and the name are supplied by the originating side of the call and are trivially set on VoIP trunks, so neither is proof of who is calling. In either case, the agent fielding the call-back follows a script designed to extract revealing personal information or login credentials. The goal of these attacks, at the very least, is to harvest private information that can be used in future fraud, but the ultimate prize is access to the organization's internal networks and data repositories.
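As an added example (not code from the original page), the following Python turns the three patterns described above, the autodial sweep of sequential extensions and neighbor and enterprise spoofing, into simple heuristics over inbound call detail records (CDRs) from the organization's SIP trunk or PBX. The organization's number block, its caller name and the CDR lines are constructed assumptions; the thresholds are starting points to tune against real call volume.

```python
"""Added example: heuristics over inbound call detail records (CDRs) that surface the
autodial sweep and the neighbor/enterprise spoofing patterns described above.
Organization details and the CDR lines are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical organization (assumed, not from the page): it owns DIDs +1 212 555 0100-0199
ORG_NPA_NXX = "212555"                                   # area code + exchange of its block
ORG_DIDS = {f"1212555{n:04d}" for n in range(100, 200)}  # E.164 digits without "+"
ORG_CNAM = "ACME CORP"                                    # caller name the org itself presents

# Constructed inbound CDR lines: time,calling_number,called_number,cnam
SAMPLE_CDR = """\
2024-03-04T09:00:01,13105550123,12125550101,JANE DOE
2024-03-04T09:00:05,12125550177,12125550102,ACME CORP
2024-03-04T09:00:09,12125550930,12125550103,
2024-03-04T09:01:00,18005550042,12125550104,ACME CORP
""" + "\n".join(  # one number dialing 0110..0120 two seconds apart: an autodial sweep
    f"2024-03-04T09:10:{2 * i:02d},12025550099,1212555{110 + i:04d},IT SUPPORT"
    for i in range(11)
)


def parse_cdr(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, calling, called, cnam = line.split(",", 3)
        records.append((datetime.fromisoformat(ts), calling, called, cnam.strip().upper()))
    return records


def is_neighbor_spoof(calling):
    """An inbound call from the PSTN whose calling number sits in the org's own NPA-NXX.
    Internal calls never arrive on the external trunk, so this is either one of the org's
    own DIDs reflected back at it or an unassigned number chosen to look like a colleague.
    Treat as a flag, not a block: a second site on the same exchange would trip it too."""
    return calling[1:].startswith(ORG_NPA_NXX)  # drop the leading country code "1"


def is_enterprise_spoof(calling, cnam):
    """Caller name claims to be the organization, but the number is not one it owns."""
    return cnam == ORG_CNAM and calling not in ORG_DIDS


def find_sweeps(records, min_targets=8, window=timedelta(seconds=60)):
    """Flag a calling number that reaches many distinct extensions inside one time window,
    and note whether the targets were dialed as a consecutive block."""
    by_caller = defaultdict(list)
    for ts, calling, called, _ in records:
        by_caller[calling].append((ts, called))
    findings = []
    for calling, calls in by_caller.items():
        calls.sort()
        start, best = 0, set()
        for end in range(len(calls)):          # sliding window over this caller's calls
            while calls[end][0] - calls[start][0] > window:
                start += 1
            targets = {called for _, called in calls[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            nums = sorted(int(t) for t in best)
            findings.append({"calling": calling, "targets": len(best),
                             "sequential": nums[-1] - nums[0] + 1 == len(nums)})
    return findings


def analyze(cdr_text):
    records = parse_cdr(cdr_text)
    findings = {"neighbor_spoof": [], "enterprise_spoof": []}
    for _, calling, _, cnam in records:
        if is_neighbor_spoof(calling):
            findings["neighbor_spoof"].append(calling)
        if is_enterprise_spoof(calling, cnam):
            findings["enterprise_spoof"].append(calling)
    findings["autodial_sweep"] = find_sweeps(records)
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_CDR).items():
        print(kind, hits)
```

On the sample data the own-DID call from 12125550177 and the unassigned 12125550930 are flagged as neighbor spoofing, the toll-free number presenting the organization's CNAM as enterprise spoofing, and 12025550099 as a sequential sweep of eleven extensions in twenty seconds. The neighbor heuristic is only as good as the DID inventory, so keep ORG_DIDS synchronized with the carrier's allocation.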

Direct Call Enhanced by Social Engineering

An attack on a targeted individual by a live caller impersonating a trusted source. The threat actor uses personal information about the victim to boost credibility, then applies psychological manipulation to trick them into divulging protected information.

Vishing calls can also be made by an individual targeting specific employees identified as particularly valuable conduits to internal systems or data. In these cases the adversary, posing as a trusted internal source (technical support, human resources, upper management), has already gathered information about the targeted employee from public sources, social media accounts or Dark Web purchases in order to establish credibility, and is skilled at impersonation and psychological manipulation (known as "social engineering"). Customer service and contact center employees are a favored target, due to their mandate to answer calls and their "need to help" mindset. New employees are also at risk: they are less familiar with organizational norms and personnel, and may be more deferential to a perceived superior. Remote workers, too, are attractive targets because they are isolated from officemates who could be asked to verify a request, and from the controls of the corporate office network.

Response-Based Vishing

An email appearing to be from a trusted source that includes a call-back number connecting the victim to a co-conspirator call-center agent trained to extract protected information from their target.

While employees have learned not to click on unfamiliar links, and many know not to respond to requests from unsolicited callers, they may feel safer when the "link" is a phone number rather than a web page and they are placing, rather than receiving, the call. This is the callback-phishing pattern described above: the call connects them to a criminal agent skilled at social engineering techniques designed to extract information that could provide access to the organization's internal systems.

Spear Vishing for VPN Access

A live call from a criminal impersonating tech support. The caller tricks the victim into logging into a fake VPN page in order to steal those login credentials and use them to access internal drives and networks.

At the height of the COVID-19 crisis and the sudden move to work-from-home, vishing attackers found a new and lucrative tactic: targeting specific remote workers, particularly those new to the organization, in a scheme to gain VPN access to the organization's networks. Armed with specific information about the employee, often gleaned from social media sites such as LinkedIn or Facebook, the attackers, usually posing as IT technical support, called and convinced their victims to log into a fake web page designed to resemble a "new" VPN login page. Once the employee had entered their credentials, the attackers running the fake page used them to log into the actual corporate VPN and either downloaded as much internal data as possible or deployed ransomware. Because the attacker is on the phone with the victim, a one-time MFA code entered on the fake page can be relayed in real time; only phishing-resistant authentication (for example, FIDO2 security keys bound to the real VPN origin) defeats this. The growth of this form of "spear vishing" (vishing directed at a targeted individual) prompted an FBI warning (a joint FBI/CISA advisory issued in August 2020) alerting businesses to the threat. Nevertheless, this vishing scam continues today as remote work has become the new normal.
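The stolen credentials are replayed from the attacker's own infrastructure, so the VPN gateway's authentication log is where a defender can catch the attack even when the call itself went unnoticed. As an added example, not part of the original page, the Python below evaluates two rules over constructed VPN login events: a success from a country/ASN pair never seen for that user, and two successes from different countries closer together than travel allows. The field layout, the user names and the events are assumptions.

```python
"""Added example: detection logic over VPN authentication events for the credential
replay that follows a fake-VPN-page vishing call. Log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication events (not real logs):
# time,user,src_ip,country,asn,result
SAMPLE_LOG = """\
2024-03-01T08:02:11,alice,203.0.113.10,US,AS64500,success
2024-03-02T08:05:40,alice,203.0.113.10,US,AS64500,success
2024-03-03T07:58:03,alice,203.0.113.11,US,AS64500,success
2024-03-04T08:01:22,alice,203.0.113.10,US,AS64500,success
2024-03-04T13:39:50,alice,198.51.100.77,NL,AS64511,failure
2024-03-04T13:40:09,alice,198.51.100.77,NL,AS64511,success
2024-03-01T09:10:00,bob,192.0.2.5,US,AS64500,success
2024-03-04T09:12:31,bob,192.0.2.5,US,AS64500,success
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, asn, result = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "asn": asn, "result": result})
    return events


def detect_anomalies(log_text, min_history=2, travel_window=timedelta(hours=6)):
    """Two rules evaluated in time order over successful logins only:
    new_origin: the (country, ASN) pair has never produced a success for this user,
                once the user has at least min_history earlier successes to compare with
                (a brand-new hire has no baseline, which is exactly why attackers pick them;
                pair this rule with extra scrutiny of first logins rather than silence);
    impossible_travel: a success from a different country than the user's previous
                success, closer together than a person could plausibly travel."""
    events = sorted(parse_log(log_text), key=lambda e: e["time"])
    seen = defaultdict(set)      # user -> {(country, asn)} with an earlier success
    history = defaultdict(int)   # user -> number of earlier successes
    last = {}                    # user -> (time, country) of the previous success
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user, origin = e["user"], (e["country"], e["asn"])
        if history[user] >= min_history and origin not in seen[user]:
            alerts.append({"rule": "new_origin", "user": user, "ip": e["ip"],
                           "origin": origin, "time": e["time"].isoformat()})
        prev = last.get(user)
        if prev and prev[1] != e["country"] and e["time"] - prev[0] < travel_window:
            alerts.append({"rule": "impossible_travel", "user": user, "ip": e["ip"],
                           "from": prev[1], "to": e["country"], "time": e["time"].isoformat()})
        seen[user].add(origin)
        history[user] += 1
        last[user] = (e["time"], e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample data alice's afternoon login from a Dutch network trips both rules while bob's routine logins trip none; the failed attempt just before it is skipped, but a burst of failures preceding a new-origin success is itself worth surfacing in a fuller rule set. In practice the alert should drive an out-of-band callback to the user on a number from the HR record, never the number that called them.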

Voice Spam

Voice spam is the blanket term for any unsolicited or unwanted phone call. Under the voice spam umbrella fall many forms of unwanted calls, ranging from computer-generated robocalls to dangerous scam calls and vishing schemes trying to obtain your private information.

Spoof Calls

Spoof calling is when you receive a call from a phone number that looks similar to your own area code and exchange (the first six digits of your ten-digit phone number), or a caller ID displaying the name of a nearby town or local business. However, the person on the other end is neither a neighbor nor a legitimate business caller; the caller is typically a spammer trying to lure you into a scam.

Smishing

Smishing (SMS phishing) is the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.

Robocalls

Appointment reminders, flight cancellations and other informational calls are legitimate forms of robocalls. However, illegitimate players leverage Voice over Internet Protocol (VoIP) technology to generate thousands of robocalls to random numbers from an auto-dialer. Their messaging, at best, is intended to elicit a purchase but, in growing numbers, is designed to lure the call recipient into a scam. Scammers often employ caller ID "spoofing" to disguise their identity, replacing their real number with one showing a familiar area code or person (neighbor spoofing) or business name (enterprise spoofing) to entice recipients to answer.

Voice

The most common, powerful, and immediate medium for human-to-human communication through audible spoken language.

Voice Channel

The communication delivery path dedicated to transmitting human voice between distant parties, primarily over a telephone connection.

VOICE NETWORK

The technology and infrastructure behind the voice channel used to digitalize and transport voice calls and related data across distances. The voice network includes wireless, landline, voice over internet protocol (VoIP) and voicemail.

Telephony

The application of voice network infrastructure and technology to electronic transmission not only of voice but of other forms of digitized communication, including fax, text messaging and video conferencing, across a range of devices (wired phones, mobile phones, computers, etc.). Early telephony referred to voice and data communications carried over the wired public switched telephone network (PSTN). Today the convergence of phone system software and computer networks (Voice over Internet Protocol) has led to what is more commonly referred to as IP telephony, the foundation of most modern enterprise communications environments.

Telemetry

The automated collection, transmission and measurement of data from remote sources, primarily network systems and servers, in order to monitor their performance. Telemetry agents use communication systems to transmit the data to a central location, where it is analyzed to monitor security, application health, quality and performance.

SMS

Short Message Service (SMS) is a service that enables the sending and receiving of text-based messages between mobile devices or from a computer to a mobile device via the cellular network. SMS is a form of text messaging that is limited to text only. MMS (Multimedia Messaging Service) is an expansion of SMS capabilities to include the transmission of text, photos, video, and audio files between mobile devices through the cellular network.

SIP

Session Initiation Protocol (SIP) is a signaling protocol (set of rules) for setting up, modifying and tearing down multimedia communication sessions (voice, video conferencing and text chat/instant messaging) over IP networks; the media itself travels separately, usually over RTP. In the enterprise, SIP trunking connects the organization's IP Private Branch Exchange (PBX) to the public telephone network through a carrier or Internet telephony service provider, and SIP is an essential component of a Unified Communications ecosystem. The calling number and display name are carried in SIP headers (From, P-Asserted-Identity) that the originating side populates, so caller ID is only as trustworthy as the attestation a provider attaches to the call (STIR/SHAKEN).
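Because the From, P-Asserted-Identity and display-name values in a SIP INVITE are written by the originating party, the terminating side can only trust them to the extent a STIR/SHAKEN Identity header attests to them. The added Python example below (not from the page or any vendor) constructs three INVITEs, carrying PASSporT tokens with attestation levels A and C or no token at all, and classifies the displayed number; it covers the number and name spoofing from the Neighbor Spoofing & Enterprise Spoofing section as well. The carrier host names and certificate URL are assumptions, and the token signature is a placeholder: a real verifier must fetch the x5u certificate and check the ES256 signature before acting on any claim.

```python
"""Added example: inspect the caller-identity headers of a SIP INVITE and the STIR/SHAKEN
Identity (PASSporT) token that a terminating provider uses to judge whether the displayed
number was attested. All INVITEs are constructed; signatures are placeholders."""
import base64
import json
import re


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_passport(orig_tn, dest_tn, attest):
    """Stand-in for the originating provider's signing step: a SHAKEN PASSporT with the
    standard claims but a placeholder signature (a real provider signs with its ES256 key
    and publishes the certificate at the x5u URL, which is an assumed address here)."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.carrier.example/sp.pem"}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": 1709542800,
               "orig": {"tn": orig_tn}, "origid": "de305d54-75b4-431b-adb2-eb6b9e546014"}
    return ".".join((b64url(json.dumps(header).encode()),
                     b64url(json.dumps(payload).encode()), "PLACEHOLDER_SIG"))


def invite(from_name, from_tn, to_tn, passport=None):
    """Build a minimal INVITE as it would arrive on the org's SBC (hosts are assumed)."""
    lines = [f"INVITE sip:+{to_tn}@pbx.acme.example SIP/2.0",
             f'From: "{from_name}" <sip:+{from_tn}@sbc.carrier.example>;tag=1928301774',
             f"To: <sip:+{to_tn}@pbx.acme.example>",
             f"P-Asserted-Identity: <sip:+{from_tn}@sbc.carrier.example>",
             "Call-ID: a84b4c76e66710@sbc.carrier.example"]
    if passport:
        lines.append(f"Identity: {passport};info=<https://certs.carrier.example/sp.pem>"
                     ";alg=ES256;ppt=shaken")
    return "\r\n".join(lines) + "\r\n\r\n"


# Scenario 1: attacker presents the org's own DID plus an "IT Support" name; the VoIP
# provider it uses can only give gateway-level attestation "C".
SPOOFED = invite("ACME IT Support", "12125550177", "12125550101",
                 make_passport("12125550177", "12125550101", "C"))
# Scenario 2: a partner's call, fully attested ("A") by its own carrier.
LEGIT = invite("Jane Doe", "13105550123", "12125550101",
               make_passport("13105550123", "12125550101", "A"))
# Scenario 3: no Identity header at all (call arrived over a non-SHAKEN route).
UNSIGNED = invite("Payroll Dept", "18005550042", "12125550101")


def parse_headers(msg):
    headers = {}
    for line in msg.split("\r\n")[1:]:   # skip the request line, stop at the blank line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def number_from(header_value):
    m = re.search(r"(?:sip|tel):\+?(\d+)", header_value or "")
    return m.group(1) if m else None


def display_name(header_value):
    m = re.match(r'\s*"?([^"<]*?)"?\s*<', header_value or "")
    return m.group(1).strip() if m else ""


def assess_invite(msg):
    """Return what the terminating side can conclude about the calling number."""
    h = parse_headers(msg)
    result = {"from_number": number_from(h.get("from")), "from_name": display_name(h.get("from")),
              "pai_number": number_from(h.get("p-asserted-identity")), "attest": None}
    if "identity" not in h:
        result["verdict"] = "UNATTESTED"       # From/PAI are bare assertions by the originator
        return result
    token = h["identity"].split(";")[0]
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    result["attest"] = claims.get("attest")
    # A real verifier also fetches the x5u certificate, validates its chain to the STI-CA,
    # checks the ES256 signature and the iat freshness; that step is deliberately omitted.
    if claims.get("orig", {}).get("tn") != result["from_number"]:
        result["verdict"] = "TN_MISMATCH"      # signed number is not the one being displayed
    elif result["attest"] != "A":
        result["verdict"] = "NOT_VOUCHED"      # B/C: provider did not verify the caller owns it
    else:
        result["verdict"] = "ATTESTED"
    return result


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT), ("unsigned", UNSIGNED)):
        print(label, assess_invite(msg))
```

The spoofed INVITE shows why a convincing display name and an in-range number prove nothing: the provider's "C" attestation only says the call entered its network, not that the caller owns 12125550177. A sensible policy on the PBX is to strip or annotate the display name on anything other than an ATTESTED call before it reaches a help desk phone, and to treat UNATTESTED calls that present the organization's own numbers as external callers regardless of what they display.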

SIEM

As a combination of Security Information Management (SIM) and Security Event Management (SEM), SIEM in the enterprise refers to an application that gathers security data (logs and events) from information system components, normalizes and correlates it, and presents it as actionable information via a single interface. A SIEM can apply user and entity behavior analytics (UEBA), often built on machine learning, to detect anomalous behavior within the monitored systems that could indicate an emerging threat before that activity advances into business disruption.

EDR

Endpoint Detection and Response (EDR) is an endpoint security solution that continuously collects activity telemetry (processes, files, network connections) from end-user devices, detects and reports anomalous behaviors consistent with cyber threats using behavioral rules, machine learning and pattern recognition, and provides response actions such as isolating a host or terminating a process.

NDR

Network Detection and Response (NDR) refers to a security system that continuously monitors network activity, applying behavioral analytics to network traffic data in order to detect, and report, anomalous behavior in real time.

XDR

Extended Detection and Response (XDR) correlates telemetry from endpoint (EDR), network (NDR), email, identity and cloud sources in a single platform, often feeding or sitting alongside a SIEM. XDR refers to the continuous monitoring of all these data inputs for anomalous behavior; when suspicious activity is detected the system triggers actions and runs incident response playbooks, enabling effective threat mitigation. XDR is a proactive approach that lets security teams identify hidden, sophisticated threats by correlating data from multiple sources in support of early detection and effective defense.

MDR

Managed Detection and Response (MDR) services are third-party providers that run detection and response on the customer's behalf: continuous monitoring and analysis of IT assets, threat detection and incident response, usually on top of EDR or XDR tooling deployed in the customer's environment.