An Introduction to Voice Phishing (Vishing): The Dark Side of Telecommunications
Uncover the dangers of voice phishing (vishing). Imagine receiving a call from your bank, only to realise it was a scammer requesting your sensitive information. Learn more about vishing in this blog post.
By Daniel Kelley
A Growing Threat in the Digital Age
Imagine this situation: you receive a phone call from your bank, seemingly official, alerting you to suspicious activity on your account. The person on the other end of the line sounds pleasant and requests your credit card information and password to secure your account. They claim they will reverse the alleged fraudulent transactions. In a state of panic, you comply. Little do you know, the original transactions were fabricated, and now real unauthorised ones have taken place. The friendly bank representative was an imposter, and you've fallen victim to a technique known as 'vishing'.
Phishing vs. Vishing: The Key Differences
Vishing, or voice phishing, is a scam where individuals are deceived through phone calls or voicemail messages into revealing sensitive information like account numbers or passwords. Unlike phishing attacks that occur through email or deceptive websites, vishing exploits telephone communications. These attacks can be sophisticated, often appearing to come from trusted sources like banks or government agencies.
How Does It Work from the Attacker's Perspective?
Attackers generally employ two strategies. The first is a mass-scale approach, in which the attacker obtains a large volume of stolen contact data, such as phone number lists or breached customer records. This data can be sourced from various places, including:
- Telegram channels where stolen data is traded
- Online forums and data-leak marketplaces
- Unsecured or misconfigured databases exposed on the internet
This tactic is common in large-scale campaigns, where the attacker is essentially playing a numbers game. The goal is to cast a wide net and ensnare as many victims as possible. Even if only a small percentage of targets fall for the scam, the returns can be substantial because of the sheer volume of attempts: the more calls made, the more victims, even at a low per-call success rate.
The second strategy is a targeted approach. Here, the attacker meticulously builds a profile of a potential victim from multiple sources of information, which can include:
- Leaked database compilations (the victim's past breaches, often with phone numbers and partial financial details)
- Social media timelines (employer, travel, recent purchases, family members)
- Email addresses and usernames, used to correlate the same person across different sites and breaches
The sophistication of this approach lies in how attackers turn scraps of information into a pretext. Even if your online presence yields nothing obviously sensitive, seemingly innocent details can be used to personalise the attack. For instance, if you publicly mention that you're expecting an Amazon package, an attacker can call you about a fabricated delivery issue with that order. Because the premise is grounded in a real situation, the call carries an air of authenticity that makes you more likely to trust the caller and follow their instructions.
Vishing Attack Examples
- Government Representative: The caller impersonates a government representative and contacts individuals, claiming to verify personal identification details. They may threaten to suspend tax refunds or social security payments unless the victim provides the requested information.
- Tech Support Fraud: Scammers pose as tech support agents from well-known companies like Microsoft or Amazon. They inform the victim of unusual account activity and request personal information or ask the victim to install a software update that is actually malware.
- Bank Impersonation: Using caller ID spoofing, so that the call appears to come from the bank's published phone number, cyber criminals pretend to be calling from the victim's bank. They claim there has been suspicious activity on the account and ask for confirmation of personal details, card numbers or one-time passcodes, which are then used for fraud or identity theft. Caller ID is not authenticated and should never be treated as proof of who is calling.
- Telemarketing Attack: Scammers exploit the desire to win free prizes by calling victims and requesting confidential information under the pretense of processing the prize. This information is then used for fraudulent purposes.
Vishing in the Real World: Case Studies
- FakeCalls - A Deceptive Vishing Campaign: In May 2023, a vishing campaign built around Android malware named 'FakeCalls' was reported, targeting victims by posing as legitimate financial institutions. The malware used evasion methods to avoid detection and created a sense of authenticity through convincing pre-recorded voice prompts in the fake banking calls. It could also intercept live audio and video from the infected device and transmit them to the attackers' command-and-control servers for further malicious activity.
- August 2022 Cisco Hack - Voice Phishing Breach: In August 2022, Cisco Systems Inc disclosed a significant security breach that began with a voice phishing attack. The threat actors, linked to the Yanluowang ransomware group, first compromised an employee's personal Google account, which had corporate credentials synchronised to it through the browser. Because the account was protected by multi-factor authentication (MFA), the attackers combined repeated MFA push requests with voice phishing calls, in which they posed as trusted organisations, until the employee accepted a push notification, granting them access to the company's VPN. Once inside, they moved laterally to Citrix servers and domain controllers and obtained privileged access. The attackers installed backdoors and attempted to maintain persistence even after being detected and evicted from the environment.
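The Cisco case turns on a pattern a detection engineer can look for in identity-provider logs: a burst of MFA push prompts to one account, and in particular an approval that comes after several denials or timeouts. The script below is an added example written for this post, not code from Keepnet or from Cisco's incident report. The log format, the sample lines and the thresholds are all constructed assumptions and would need to be mapped onto the fields your own MFA provider emits.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Assumed (constructed) log format, one event per line:
    <ISO-8601 UTC timestamp> user=<name> event=<push_sent|push_denied|push_timeout|push_approved> src=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample data: alice is bombed with pushes until she accepts one,
# bob is a normal login, carol denies once by mistake and then approves.
SAMPLE_LOG = """\
2023-01-10T09:00:01Z user=alice event=push_sent src=203.0.113.7
2023-01-10T09:00:20Z user=alice event=push_denied src=203.0.113.7
2023-01-10T09:00:45Z user=alice event=push_sent src=203.0.113.7
2023-01-10T09:01:30Z user=alice event=push_timeout src=203.0.113.7
2023-01-10T09:01:50Z user=alice event=push_sent src=203.0.113.7
2023-01-10T09:02:10Z user=alice event=push_denied src=203.0.113.7
2023-01-10T09:02:30Z user=alice event=push_sent src=203.0.113.7
2023-01-10T09:03:15Z user=alice event=push_timeout src=203.0.113.7
2023-01-10T09:03:40Z user=alice event=push_sent src=203.0.113.7
2023-01-10T09:04:00Z user=alice event=push_denied src=203.0.113.7
2023-01-10T09:04:30Z user=alice event=push_sent src=203.0.113.7
2023-01-10T09:05:10Z user=alice event=push_approved src=203.0.113.7
2023-01-10T09:30:00Z user=bob event=push_sent src=198.51.100.2
2023-01-10T09:30:05Z user=bob event=push_approved src=198.51.100.2
2023-01-10T10:00:00Z user=carol event=push_sent src=192.0.2.9
2023-01-10T10:00:10Z user=carol event=push_denied src=192.0.2.9
2023-01-10T10:00:30Z user=carol event=push_sent src=192.0.2.9
2023-01-10T10:00:40Z user=carol event=push_approved src=192.0.2.9
"""

REJECTIONS = ("push_denied", "push_timeout")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_push_fatigue(log_text, window=timedelta(minutes=10), sent_threshold=5, reject_threshold=2):
    """Return findings for two signals, evaluated per user over a sliding time window:

    push_burst               - at least `sent_threshold` pushes sent inside `window`
                               (reported once per user, at the moment the threshold is crossed)
    approval_after_rejections - a push approved after at least `reject_threshold`
                               denials/timeouts inside `window` (the Cisco pattern)
    Thresholds are assumptions for this example, not vendor defaults.
    """
    events = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    events.sort(key=lambda r: r["ts"])
    by_user = defaultdict(list)
    for r in events:
        by_user[r["user"]].append(r)

    findings = []
    for user, recs in by_user.items():
        burst_reported = False
        for i, r in enumerate(recs):
            recent = [x for x in recs[: i + 1] if x["ts"] >= r["ts"] - window]
            sent = sum(1 for x in recent if x["event"] == "push_sent")
            rejected = sum(1 for x in recent if x["event"] in REJECTIONS)
            if r["event"] == "push_sent" and sent >= sent_threshold and not burst_reported:
                findings.append({"user": user, "kind": "push_burst", "at": r["ts"], "count": sent})
                burst_reported = True
            if r["event"] == "push_approved" and rejected >= reject_threshold:
                findings.append({"user": user, "kind": "approval_after_rejections",
                                 "at": r["ts"], "count": rejected})
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(f"{f['at'].isoformat()} {f['user']} {f['kind']} (count={f['count']})")
```

Run against the sample, only alice is flagged, once for the burst and once for the approval that followed five rejections; bob and carol stay clean because a single accidental denial is normal user behaviour. The second signal is the one worth paging on: an approval after repeated rejections is the moment the attacker gets in, and the response is to terminate the session and reset the credential rather than wait for the lateral movement described in the case study.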
Protecting Yourself Against Vishing
In order to protect yourself against vishing, here are a few things that you can do:
- Be selective about personal information shared online: Avoid posting unnecessary personal details on social media or other platforms, since fraudsters use them to build a convincing pretext.
- Treat unexpected calls with suspicion: If you receive a call from an unfamiliar number, or an unexpected call from a known organisation, it is safer not to engage. If the matter might be genuine, hang up and call back using a number from the organisation's official website or the back of your card, never a number the caller gives you.
- Never hand over credentials or approve prompts on a caller's say-so: A legitimate bank or IT department will not ask for your password or a one-time passcode over the phone, and you should never approve an MFA push notification for a login you did not initiate yourself, however persistent the caller is.
- Maintain a proactive cybersecurity mindset: Keep up to date with the latest threats, and don't hesitate to verify the identity of callers, even if they seem legitimate.
Additionally, you can try out our Vishing Simulator. The Keepnet Vishing Simulator helps you assess your security culture with 200+ ready-to-use, AI-powered vishing simulations in 160+ languages, and train your employees to recognise and respond to these attacks.