BACKGROUND: In the beginning, there was Phishing
By now, it’s hard to find someone who hasn’t heard of phishing, a common tactic used by cybercriminals to lure human targets into a scam through fraudulent emails with virulent links. One click and the victim finds him or herself on a scam site designed to steal their money or personal information. Worse yet, that click could also unleash a malware download designed to hijack the victim’s computer, copy their data, and then deliver the same poisonous virus to their contacts and connected networks. If perpetrated on an employee with access to internal company systems, the consequences could be devastating.
That is why most enterprise email applications are now built with powerful spam-detection capabilities that recognize and block emails with suspicious links before they ever reach the employee. Problem solved, right?
Sadly, no. Because when one avenue for their nefarious activity is thwarted, these criminal adversaries simply find another route, and increasingly, that is through the everyday phone call.
TABLE OF CONTENTS
- The modernization of the phone call is a good thing, right?
- Vishing is a Growing Business
- What Motivates a Visher (Voice Phisher)?
- Why Large Organizations are the Favored Vishing Attack Target
- Fallout from a Successful Vishing Attack
- DEFINITIONS: The Many Faces of Enterprise Vishing
- High Profile Vishing Attacks
- The Old School Approach to Protecting the Enterprise from Vishing Attacks
- A Breakthrough Approach To Protecting The Enterprise From Vishing Attacks
The modernization of the phone call is a good thing, right?
Of course, there is nothing new about threat actors using the phone to perpetrate fraud. What’s changed, however, is the technology behind those calls. On the positive side, the transition from wired analog calling to Voice over Internet Protocol (VoIP) combined with the multimedia Session Initiation Protocol (SIP) has been a boon to business. These changes have enabled high quality, low cost, global voice communications, as well as the integration of voice into unified communications platforms. On the downside, it has super-charged the ability of sophisticated criminal agents, using auto-dialers, pre-recorded messages, caller ID spoofing, generous VoIP bandwidth and cheap, untraceable overseas call centers, to reach thousands of intended victims with little effort, expenditure, or risk.
And thus, phishing (a term alluding to fishing, or casting lures into a pool in hopes of snagging a valuable catch) has a new variant with its own unique term: Voice Phishing or, more simply, Vishing.
Vishing is a Growing Business
Vishing Attacks have become a particularly favored, effective technique perpetrated by cybercriminals and saboteurs on the enterprise for several reasons:
- The telephone call is a powerful and convincing way to manipulate other humans.
- Through the telephone, cybercriminals have 24 x 7 x 365 access to connect directly with employees.
- It only takes one successful connect in a mass calling campaign to perpetrate a massive hack.
- Threat agents, especially when operating overseas, take cover in the anonymity of VoIP calling.
- Most organizations have no protections in place for their voice network.
What Motivates a Visher (Voice Phisher)?
As with other forms of cybercrime, financial reward is the prime driver behind most vishing attacks, whether thieving money through fraudulent fund transfers, stealing personal information for identity theft, or accessing company data for resale on the Dark Web. Cybercriminals seek opportunity in chaos and social upheaval, as evidenced by the 550% increase in vishing incidents between 2021 and 2022 following the sudden shift to work from home. This dramatic reconfiguration of the workplace opened a new set of opportunities for cybercriminals who were already redirecting their efforts away from average citizen targets to focus on the far more lucrative prize at the end of an enterprise hack. The chance to gain access to a treasure-trove of corporate data or launch an extortion scheme through the relatively unprotected voice network proved to be a powerful draw.
But money is not the only motivator. Authorities have recently identified a vishing gang, known as Lapsus$, formed primarily of techy teenagers working together to hack and steal data and intellectual property from large organizations. While their hacks are often accompanied by extortion demands, the group openly brags about its accomplishments on social media, posting screen grabs as proof and then leaking parts of their stolen data to the press. Lapsus$ has been suspected in the recent hacks on Uber and Cisco and credited for several large technology company hacks over the past year including Nvidia, Samsung, Microsoft and Vodafone. While dealing with the financial damages of these attacks, their victims must also deal with the brand damage that results from a public outing of a security breach. In other words, organizations that think they might be able to quietly cover up a data breach are facing the reality, and potential punitive damages, of a new kind of adversary who prefers to publicize, rather than hide, their participation in criminal activity.
The profile of a visher has now moved from that of a lone criminal to an organized network of criminal enterprises, even offering recruitment and training through illicit sites on the Dark Web. This makes it far easier for wannabe hackers to find a place in the underworld of cybercrime where they see a route to easy money at little personal risk.
Why Large Organizations are the Favored Vishing Attack Target
As the number and aggressive nature of vishing attacks have expanded, so, too, has the size of the visher’s targets. After all, why waste time and effort stealing personal or financial information from an individual when a single hack could net thousands of valuable records from an organization’s databases?
Based on the statistics, cybercriminals are clearly finding vishing to be a surprisingly effective avenue into corporate networks because humans, when connected through the telephone, are proving to be far easier to crack than most network firewalls. In fact, this recent study showed that more than 37% of vishing attempts actually succeed at extracting the desired action from unsuspecting human targets. When combined with a phishing email (hybrid phishing/vishing), the success rate rose to 75%.
What’s more, vishing scams seem to fly under the radar of enterprise security. Unlike email, a voice call cannot be reviewed before the connection is made. Unless recorded, the information in that nefarious call is lost once the caller hangs up. Fake VPN or other malevolent websites used in hybrid attacks disappear once credentials are stolen. And employees may be reluctant to report being duped by a vishing scammer, especially if their actions might have resulted in damages to the organization.
Until organizations begin to put the same effort into protection of the voice networks and endpoints as they do their data networks, vishing attacks will continue to grow, posing a real threat to corporate assets, operations and their people.
Fallout from a Successful Vishing Attack
Vishing attacks that result in a data breach are a clear threat to organizations world-wide. Following are a few statistics for consideration:
- The average cost to recover from a data breach is nearly $4.5 million.
- On average, companies require 277 days to identify and fully contain a data breach.
- 45% of companies have already been breached.
- Nearly 50% of companies have experienced a vishing attack in the past year.
- Full financial impact is hard to determine and may accumulate over years as additional fraud perpetrated from stolen data, as well as potential for regulatory fines, continue to emerge.
DEFINITIONS: The Many Faces of Enterprise Vishing
The common element of all vishing scams and schemes is the use of a phone call to connect with and defraud the intended human victim(s). However, the variations in approach are many and continuously evolving, particularly when high-value businesses are the target.
To better illustrate the changing nature of the vishing threat to the enterprise, following are a few of the more common attack methods:
1) Autodial Robocall (Wardialing)
Recorded voice message with an urgent or threatening tone demanding an immediate call-back and delivered to a large pool of recipients via computer-generated autodial calling.
In this basic, automated approach, the adversary, using a spoofed (digitally altered) Caller ID, delivers an urgent pre-recorded message via auto-dialer to specific regions or sequential numbers within the organization’s exchange range (also sometimes referred to as “wardialing”). The message appears to be from a trusted source such as a bank or government agency, and includes a call-back phone number. If the victim calls that phone number, they will be connected to a call center agent who is a criminal co-conspirator. That agent, or scammer, in turn, attempts to trick the employee into handing over system credentials, user information, personally identifiable information, credit card account numbers or even direct funds transfers.
2) Neighbor Spoofing & Enterprise Spoofing
A scam robocall campaign targeting a specific population that includes a spoofed caller ID/Caller Name that resembles a source likely to be trusted by individuals in that group.
In addition to the above scenario, the vishing attacker might specifically modify the Caller ID to resemble the call recipient’s area code or business number prefix, increasing the likelihood that an employee would trust it and return the call to a presumed colleague (a tactic known as “neighbor spoofing”). In this case, the recorded message would impersonate an internal source, such as a member of technical support or human resources, and request a call-back about a supposed issue that needs immediate resolution. The adversary can also modify the Caller Name (CNAM) to reflect an organization or agency familiar with that company (known as “enterprise spoofing”) and deliver a message requesting immediate call-back due to an urgent matter with, for instance, a corporate account, tax matter or legal issue. In either case, the nefarious agent fielding the call-back would then follow a script designed to extract revealing personal information or login credentials. The goal of these attacks, at the very least, is to harvest private information that can then be used to perpetuate future fraud, but the ultimate prize is access to the organization’s internal networks and data repositories.
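The two call patterns described above, a wardialing sweep of sequential internal numbers and a Caller ID spoofed to look like one of the organization’s own numbers, both leave a trace in call detail records (CDRs). The following screen is an added example, not code from this article or from Mutare: the CDR format, trunk labels, number range and thresholds are assumptions, and the log lines are constructed.

```python
"""Added example: screen CDR lines for two vishing signatures.
 1. Enterprise/neighbor spoofing: an external call whose Caller ID falls
    inside the organization's own number range (constructed range below).
 2. Wardialing: one external caller sweeping many internal numbers in
    ascending order within a short window.
CDR format, thresholds and sample data are assumptions, not Mutare's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the organization owns DIDs +1-312-555-0100 .. 0199 (constructed).
ORG_PREFIX = "+1312555"
ORG_RANGE = range(100, 200)

# Constructed CDR lines: timestamp, trunk, calling number, called number, CNAM
SAMPLE_CDR = """\
2022-06-14T09:00:01 external +13125550142 +13125550101 ACME CORP
2022-06-14T09:00:05 external +14155550123 +13125550102 UNKNOWN
2022-06-14T09:00:09 external +14155550123 +13125550103 UNKNOWN
2022-06-14T09:00:13 external +14155550123 +13125550104 UNKNOWN
2022-06-14T09:00:17 external +14155550123 +13125550105 UNKNOWN
2022-06-14T09:00:21 external +14155550123 +13125550106 UNKNOWN
2022-06-14T09:30:00 external +12125550177 +13125550150 PARTNER BANK
2022-06-14T09:31:00 internal +13125550110 +13125550111 J DOE
"""


def parse_cdr(text):
    """Parse the assumed space-separated CDR format into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, trunk, caller, callee, cnam = line.split(maxsplit=4)
        records.append({"ts": datetime.fromisoformat(ts), "trunk": trunk,
                        "caller": caller, "callee": callee, "cnam": cnam})
    return records


def in_org_range(number):
    """True if the number is one of the organization's own DIDs."""
    suffix = number[len(ORG_PREFIX):]
    return (number.startswith(ORG_PREFIX) and suffix.isdigit()
            and int(suffix) in ORG_RANGE)


def find_spoofed_own_numbers(records):
    """Spoofing indicator: a call on the external (carrier) trunk presenting
    one of our own numbers as Caller ID. Our own phones never arrive via the
    carrier, so such a Caller ID cannot be genuine."""
    return [r for r in records
            if r["trunk"] == "external" and in_org_range(r["caller"])]


def find_wardialing(records, window=timedelta(minutes=5), min_targets=5):
    """Wardialing indicator: one external caller reaching at least
    min_targets distinct internal numbers inside `window`, with the dialed
    numbers strictly ascending (a sequential sweep)."""
    by_caller = defaultdict(list)
    for r in records:
        if r["trunk"] == "external":
            by_caller[r["caller"]].append(r)
    hits = []
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["ts"])
        for i, first in enumerate(calls):
            span = [c for c in calls[i:] if c["ts"] - first["ts"] <= window]
            targets = [c["callee"] for c in span]
            ascending = all(a < b for a, b in zip(targets, targets[1:]))
            if len(targets) >= min_targets and ascending:
                hits.append({"caller": caller, "first": first["ts"],
                             "targets": len(targets)})
                break  # one finding per caller is enough
    return hits


def screen(text):
    """Run both checks and return the offending calling numbers."""
    records = parse_cdr(text)
    return {"spoofed_own_number": [r["caller"] for r in find_spoofed_own_numbers(records)],
            "wardialing": [h["caller"] for h in find_wardialing(records)]}


if __name__ == "__main__":
    print(screen(SAMPLE_CDR))
```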
3) Direct Call Enhanced by Social Engineering
An attack on a targeted individual from a live caller impersonating a trusted source. The threat agent uses personal information about their victim to boost credibility, then applies psychological manipulation to trick them into divulging protected information.
Vishing calls can also be perpetrated by an individual targeting specific employees that they have identified as particularly valuable conduits to internal systems or data. In these cases, the adversary, posing as a trusted internal source (technical support, human resources, upper management), has already armed him/herself with information about the targeted employee harvested from public sources, social media accounts, or purchased on the Dark Web, in order to establish credibility. They are skilled at impersonation and psychological manipulation (known as “social engineering”). Customer service and contact center employees are a favored target of these scammers, due to their mandate to answer calls and “need to help” mindset. New employees are also at risk as they are less familiar with organizational norms and players, and may be more deferential to a perceived superior. Remote workers, too, are attractive targets due to their physical isolation both from officemates and the protective barriers of corporate office firewalls.
4) Response-Based Vishing
An email appearing to be from a trusted source and including a call-back number that connects the victim to a co-conspirator call center agent trained to extract protected information from their target.
While employees have learned not to click on unfamiliar links, and many know not to respond to requests from unsolicited callers, they may feel safer if the link is a phone number rather than a webpage, and they are making, rather than receiving, the phone call. As above, that phone call connects them to a criminal agent skilled in manipulative social engineering techniques designed to extract information that could provide access to the organization’s internal systems.
5) Hybrid Phishing/Vishing
Tandem approach using email and related live phone call with the same message so victims are more likely to trust its legitimacy and level of urgency.
Similar to the above scenario, in this case the adversary, often working with a teammate, delivers an email to targeted employees with enough personal information to lend it credibility and then follows that with an immediate phone call delivering the same message. An employee may be suspicious of one approach or the other, but when in combination, it provides a greater sense of legitimacy and urgency. Again, if a voice connection is made, the skilled criminal visher uses social engineering techniques to coerce the employee into divulging sensitive information or providing access to internal systems and data.
6) Spear Vishing for VPN Access
Live call from criminal agent impersonating tech support. The caller tricks victims into logging into a fake VPN page in order to steal and use those login credentials for access to internal drives and networks.
At the height of the COVID-19 crisis and the sudden move to work-from-home, vishing attackers found a new and lucrative attack tactic: targeting specific remote workers, particularly those new to the organization, in a scheme to gain VPN access to the organization’s networks. Armed with specific information about the employee, often gleaned from social media sites such as LinkedIn or Facebook, the attackers, usually posing as IT technical support, called and convinced their victims to log into a fake webpage designed to resemble a “new” VPN login page. Once the employee had logged in with their credentials, the attackers managing the fake page then stole those credentials, logged into the actual corporate VPN, and either downloaded as much internal data as possible or inserted network-destroying malware as part of a ransomware attack. The alarming growth of this form of “spear vishing” (vishing directed at a target individual) attack prompted this FBI warning alerting businesses of the potential threat. Nevertheless, this vishing scam continues today as remote work has become the new normal.
High Profile Vishing Attacks
Following are just a handful of examples of recent high-profile attacks perpetrated by vishers that have made it to the press.
Robinhood (Financial Services)
$9.82 billion, online stock trading platform with 21 million customers
A vishing attacker targeted a customer service support staffer with a phone call impersonating an internal authorized party (leveraging social engineering and vishing) in order to obtain credentials and access to internal systems. The breach compromised the personal information of 1/3 of Robinhood’s customer base.
Hackers also made a ransom demand though it is unreported whether that was paid.
- This company was already facing the fallout from a 2020 hack with 40,000 customers reporting accounts breached. That event resulted in a $20 million class action lawsuit citing “Failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect PII.”
- Damage estimates from latest breach are still forthcoming, but based on financial fallout from previous class action suit, they could be substantial.
- Reputation damage
- Customer loss
Twitter (Social Media)
$41 billion international microblogging and social media network with 450 million monthly active users.
A socially-engineered vishing call from a 17-year-old hacker and two colleagues posing as customer support led to a targeted employee disclosing credentials that gave the hackers access to Twitter internal systems.
The hackers gained control of 130 accounts, tweeting from 45, accessing the DM inbox of 36, and downloading the stored Twitter data for 7 customers.
Once they gained access to the customer accounts, the attackers hijacked some of the most prominent (Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Warren Buffett and others) to send out fake tweets under their names in order to advance a bitcoin scheme.
- This event wiped out $1.3 billion in Twitter market value in a single day.
- FTC (Federal Trade Commission) is threatening $250 Million in fines as result of the hack.
- Twitter estimates the range of probable loss to be between $150 million and $250 million.
- Twitter Statement: “It may also result in damage to our reputation, loss of accounts, loss of content or platform partners, loss of advertisers or advertising revenue or legal and financial exposure, including legal claims, regulatory inquiries or other proceedings. Any of these effects could have a material and adverse impact on our business, reputation and operating results.”
Cisco (Technology)
$184 billion, multinational digital communications technology conglomerate.
This attack appears to be the work of an Initial Access Broker (criminal “specialist” working for a hacking organization whose role is providing access to an organization’s networks for known cybercrime groups/ransomware operators).
This agent targeted specific employees identified as high access prospects by calling them multiple times and using social engineering techniques (using personal information harvested from social accounts and the Dark Web combined with psychological manipulation) to convincingly imitate a trusted source. The adversary was able to extract information from one of those targets allowing access to their Google account.
Once access to the employee’s Google account was established, others in the criminal team were mobilized, delving into the account to locate internal passwords to the victim’s business accounts that had been synchronized across the web.
The broker was able to overcome the victim’s multi-factor authentication by using a technique known as “MFA fatigue” – continuously pushing requests for multi-factor authentication while they were still engaged in solving the “problem” until the victim eventually approved access.
The co-conspirator attackers then gained access to VPN and internal files, allegedly scraping 2.8 GB of data, part of which they released for proof (note the reference to the publicity-seeking Lapsus$ gang under the “What Motivates a Visher” section).
There is no public record of the financial impact of this incident, though it is fair to presume:
- high cost of mitigation efforts
- negative impact on public trust
- damages of stolen customer/corporate data on the Dark Web – yet to be determined.
Intuit (Financial Software)
$119 billion, U.S. based business software company that specializes in financial software for 100 million customers.
This is an ongoing scheme involving threat actors posing as representatives for Intuit’s popular accounting software package, QuickBooks, and targeting Google Workspace and Microsoft 365 small business users in a voice-phishing scam.
The campaign involves a false invoice sent via email using the company’s branding (a technique known as “brand impersonation”) and containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email (see section on response-based vishing). Once that call is made, the victims are connected to a criminal call center agent who tricks them into divulging valuable information including credit card numbers, account login credentials, or other personally identifiable information. The scam was first uncovered in December 2021 and the frequency of attacks has accelerated sharply according to researchers with INKY.
The security firm reports that this form of vishing is on the rise, with 350,000 vishing emails sent between March and June 2022; nearly 100,000 of these spotted in June 2022 alone.
- Costs related to tracking/mitigating invoice scam attempts
- Negative impact on brand
Twilio (Communications Platform)
$7.8 billion B2B provider of programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions through web service APIs.
In mid-July 2022, malicious hackers sent smishing messages (phishing through SMS text) to the mobile phones of hundreds of Twilio employees. The threat actors had the actual employee names associated with their mobile phone numbers which lent credibility to their outreach. Posing as Twilio IT, the adversaries urged their victims to click on what appeared to be password-reset and other links. The links led to fake Okta login pages for Twilio. Some Twilio employees entered their credentials on these fake pages. The attackers then used those credentials to access internal Twilio administrative tools and customer information.
Twilio’s internal investigation revealed that the same threat actors were likely responsible for an earlier security breach, this time perpetrated through a vishing (voice phishing) attack. Using social engineering techniques, the adversaries were able to con two Twilio employees into providing login credentials which provided access to customer contact information.
That incident was not considered particularly damaging by the organization at the time as it was quickly contained and exposed a limited amount of data. However, it is now clear the information gained through the prior hack could have potentially been used to lend legitimacy to the hacker’s subsequent deceptions.
- 209 customers and 93 end users had accounts compromised by these incidents.
- Negative impact on brand
- Potential loss of customer trust
- Business disruption through suspended accounts and mitigation efforts
- Ongoing threat of future attacks based on prior data breaches
The Old School Approach to Protecting the Enterprise from Vishing Attacks
A quick “Stop Vishing” Google search provides numerous articles carrying advice on how to protect individuals against vishing attacks. While promoting common-sense practices (for instance, don’t comply with phone requests for login credentials or other PII, be cautious when responding to calls that carry a tone of urgency, etc.), the suggestions contained in these pieces fall far short of delivering any meaningful defense when adversaries have proven so adept at seeking out and manipulating vulnerable human targets.
Take, for instance, the following suggestions from online experts:
“Join the National Do Not Call Registry. Adding your home or mobile phone number to this registry is free and tells telemarketers you don’t want their phone calls. However, certain types of organizations may still call you, such as charities and political groups, and it won’t stop people from illegally calling your number.”
The problem with this advice is that voice phishers pay no attention to Do Not Call lists. They are criminals, after all, and not likely to be deterred by the threat of fines when the risk of getting caught is low and the financial reward at the end of a successful attack is so high. The rising tide of spoofed robocalls, spam calls and vishing attacks has rendered the Do Not Call Registry obsolete. Even this piece of “advice” admits it does not stop criminal callers.
“Don’t pick up the phone. Although it may be tempting to answer every phone call, simply let them go to voicemail. Caller IDs can be faked, which means you might not know who’s calling. Listen to your messages and decide whether to call the person back.”
This may be a fine practice for individuals on their personal phones, but it is bad advice for business calls as the person on the other end may be a customer, prospect, patient or partner with an urgent need. Businesses that advise employees to ignore phone calls from unknown callers will surely not be around for long.
“Verify unexpected phone requests in ways that aren’t connected to the incoming phone call. For example, use an official directory and another phone to call the company’s main office and ask to speak with the caller who is making the request.”
This is a convoluted response and an unlikely practice for handling enterprise calls when a business issue is at stake. Voice phishers are skilled impostors armed with enough knowledge about their target and the organization to avoid suspicion, and enough skill at psychological manipulation to extract what they need from vulnerable human targets.
“Keep your employees trained about cyberattacks. Always stay updated and keep knowledge of new techniques and cyber threats.”
Employee training is always helpful, but how can it be achieved organization-wide 24/7, 365 days a year, when attack tactics are constantly changing? As quickly as organizations become aware of new threat tactics and integrate that knowledge into employee communications, threat actors are already devising new ways to reach their targets. While companies may continuously strive to hone their threat intel capabilities, the weak link – human contact – remains a constant draw for cybercriminals.
A Breakthrough Approach To Protecting The Enterprise From Vishing Attacks
Even as awareness of the threat posed by vishing is emerging, mitigation efforts that rely on modifying human behavior are clearly failing. In fact, vishing attacks have accelerated at an alarming pace, with some of the nation’s largest and presumably most security-savvy organizations (Twitter, Robinhood, Cisco, Twilio, GoDaddy to name just a few) falling victim.
So what’s the solution? There’s only one that makes sense. Keep vishers from reaching their human targets in the first place.
That may sound simplistic, but it is only possible through sophisticated new voice traffic filtering technology that is designed to detect and deflect both nuisance and nefarious calls, including robocalls, spammers, scammers and vishers, at the network edge.
While there are a number of applications on the market designed to block robocalls, no other platform comes close to the Mutare Voice Traffic Filter’s breadth of nuisance AND nefarious voice traffic detection and filtering capabilities. Its five distinct filtering layers, built on a combination of best-in-class dynamic databases, organization-specific rules, pattern recognition, machine learning, and proprietary AI technology, form a virtual firewall of protection for every endpoint in the organization. The Mutare Voice Traffic Filter is both powerful enough and, at the same time, sensitive enough, to detect and deflect nuisance and nefarious voice calls in all of their various and evolving forms, assuring that only the important calls ring through.
For more information or to request a demonstration, contact us Here.