Stop vishing expeditions! Protect yourself from phone spear phishing aka voice phishing attacks

I am pretty sure you are well aware of what phishing is by now, but if not, here’s a quick review on what phishing is. Cybercriminals use social engineering techniques to trick you into divulging sensitive personal information like your home address or social security number or your user account username and password. Armed with this information, cybercriminals can then access additional personal and business work accounts in search of money, including cryptocurrency, or harvest additional user credentials that can be used for lateral movement to access other attached network nodes. Potentially, this can evolve into a full blown ransomware attack, which has become more commonplace and lucrative for cybercriminals. You’ve heard about ransomware and the potential financial implications that go along with it, right? If not, here’s a blog that should get you up to speed.

The most common phishing attack vectors are business or personal emails, email attachments, SMS and MMS messages, along with social media and collaboration app chats. A lesser known attack vector is vishing, which is short for voice phishing, and it was successfully used recently in the Twitter bitcoin scam that resulted in the account takeover of 45 high profile Twitter users. Surprisingly, the scam was perpetrated by teenaged hackers who were later apprehended, and not sophisticated nation-state cybercriminals or advanced persistent threat actors. They communicated with each other using online forums and Discord chat servers to plan out their attack.
 

Vishing Expedition

What is vishing? Also known as phone spear phishing, the attack uses the same social engineering techniques described above to grab personal or work information. However, it employs either a live person or recorded voice message, via a targeted phone call, as the attack vector. An email or text message usually accompanies the vishing expedition to make the phone call appear legitimate. With the onset of the pandemic and immediate paradigm shift to employees working from home, vishing has evolved into another go-to attack vector in the ever-evolving and morphing phishing exploits toolkit.

In the Twitter scam, the teenage cybercriminals impersonated IT staff members when they called several Twitter employees and directed them to a spoofed SSO login page that keylogged the employees’ usernames and passwords as they typed them into the fake page. Using the employees’ credentials, the cybercriminals were granted global administrative level access to an internal company tool, which enabled them to reset the passwords and two-factor authentication (2FA) configurations of the targeted high-profile Twitter user accounts. Then they sent out the bitcoin scam messages to unsuspecting victims from the influential users’ Twitter accounts. The result was over $110,000 stolen. The potential for more cryptocurrency being illegally transacted was there, but for an unknown reason, the cybercriminals never pulled the trigger.

How did the cybercriminals collect the information to pull this off? They used web scraping and other social engineering data collection tools on the LinkedIn website to harvest employee data and lay out the company’s organizational chart. Then they specifically targeted newer employees, who may not have yet been aware of company security procedures, as their victims.

How do cybercriminals get your phone number? The sad reality is your home address, telephone number, and other personal data are probably stored in multiple websites on the Internet. Also, your personal data is potentially on the dark web and up for sale. Well-publicized data breaches at Equifax, Marriott and CapitalOne, just to name a few of the most recent attacks, may have been the sources. Other reconnaissance techniques include war dialing or auto-dialing random telephone numbers from spoofed caller ID sources, including receiving calls from phishers that display your home area code to make the attack seem more realistic. If you pick up the call, then the cybercriminal knows that your phone number is active, with the potential for you to fall victim to future calls from the scammers pretending to be from the IRS at tax time, or from bill collectors if you are behind in payments to your creditors, as common examples.
 

Put on that floatation vest!

How can you protect yourself, your family and your employees if you are the company’s CISO?

To protect yourself and your family, register your phone number with the National Do Not Call Registry website at https://www.donotcall.gov/. Unfortunately, this does not enforce blocking of sales calls including robocalls. The service just informs legitimate telemarketers not to call your telephone number, although political calls, surveys, debt collections and informational calls are still permitted.

Mobile device screen - Allow Calls From Everyone, No one, Favorites, Groups: Contacts...AT&T and Verizon provide mobile security and call protect apps that can be downloaded onto your phone from the iOS and Google Play App stores that help block spam and fraudulent calls. Also, don’t answer calls from unfamiliar telephone numbers. If you do, don’t divulge any personal information. Afterward, you can block the unknown number within the recently received calls list, although phishers can easily spoof their telephone number and display a fake caller ID source on your phone the next time they call you. It then evolves into an endless game of whack-a-mole.

Additionally, you can enable the Do Not Disturb setting on your iPhone, which only allows calls from your All Contacts or Favorites list. On Android phones, you can configure your Phone app settings and block unknown numbers and filter spam calls. Don’t share your call logs or contacts list with any other apps except your Phone app!

To protect your employees at the enterprise level, I am not aware of any automated solutions that exist to directly prevent vishing attacks. Only a handful of companies currently exist that can respond and help mitigate vishing attacks after it occurs. Mandate employee education on responding and mitigating the various phishing attack vectors including vishing awareness.

And lastly, deploy MobileIron unified endpoint management (UEM) and MobileIron threat defense (MTD) to provide multiple layers of protection from phishing vectors that come from emails, email attachments, text messages, and chat messages. If the phisher redirects you to a fake login page, MTD will block access to the malicious website and not allow you to bypass the blocking page. If the cybercriminal is successful with a phishing attack, any malware and exploit kits that are installed on your phone will be detected by MTD. If the exploit kit escapes the app sandbox and evolves into a privilege escalation to the full device level, MTD will detect this exploit, including various iOS jailbreak or Android rooting techniques. If the exploit evades detection at the app and device levels, and then moves laterally to other connected network nodes, or calls home via a command-and-control (C2) connection, MTD will also detect these threats.
 

James Saturnio

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.