Vishing - The Rise of Social Engineering
Vishing (voice phishing) is gaining in popularity as an attack vector. Attackers gather internal company information, pose as IT staff and instruct employees to run programs, or commit CEO fraud.
IT-Seal conducts vishing attacks as part of its social engineering simulations. The recording of one such phone call shows the fraudsters' tricks.
Starting point of the recorded call: the attacker knows only the employee's name, telephone number and e-mail address. These can often be obtained from the company's online presence or by calling the head office.
Employee: *answering the phone* "Smith."
Attacker: "Hello Mr. Smith, this is Raymond from IT."
Attacker: "Last week I sent you an e-mail about a network update. I'm going through a list of people who haven't responded yet and you're one of them."
Employee: "Oh, really? What was that about? I don't know exactly what you're referring to right now."
Attacker: "In the future, we want to try to install updates via a plug-in for the remote desktop so that we don't have to show up at your place all the time. The e-mail contained a link to the internal server to check whether this already works for you or whether we actually have to go back to your place in person."
Employee: "Ok, that's strange... I didn't see any e-mail, but wait a minute, I'll look it up again."
Attacker: "Thank you, but don't stress yourself. Some people just haven't got the time yet, others apparently didn't receive the e-mail."
Employee: "Sorry, I didn't receive any e-mail. What did you say again when you sent it?"
Attacker: "The e-mails should have gone out on Wednesday or Thursday last week. It's not a problem though. If you are at your PC right now, I'll just send you the e-mail again and we'll do it right here on the phone, if you have two minutes. I'm just sending you the link to our server again, has anything arrived yet?"
In advance, an e-mail was prepared with a forged sender address and a link to a page with a so-called "drive-by download", i.e. a file is downloaded as soon as the page is visited. Both the sender address and the link were chosen to mimic the company's identity. Example: at first glance, the link www.it-seal.de-safe.de/update/datei.exe looks as if it leads to the IT-Seal page, although the domain actually being visited is de-safe.de.
Employee: "Let's see... I think I got it. What should I do now?"
Attacker: "Just click on the link. It should automatically forward you to the plug-in on the internal server."
Employee: "It says that this is not a verified source?!"
Attacker: "Exactly, it's supposed to do so because we access network settings when we check whether a remote installation is possible. The message is there to prevent you from simply clicking on something that's potentially dangerous."
Employee: "If you say so... *laughs* So now 'he' is telling me to either save or run."
Attacker: "Please execute the file. The whole process should work automatically. Afterwards, a window should open with some messages - the important thing is whether an OK is always displayed at the end or not. Otherwise, we might have to come by in person..."
Employee: "I'm seeing the windows, and it says OK twice..."
At this point, the employee has executed the file and the penetration test is successful. The attacker even has confirmation that the file was installed. In order not to arouse suspicion, the conversation is ended in a friendly manner. In the worst case, the employee does not notice that he has just installed a Trojan or similar malware.
How could this happen? The fraudsters' psychological tricks:
Ideally from the attacker's point of view, the caller ID displayed to the employee is spoofed before the call so that it looks like a number from the company itself, just as the e-mail sender and the link to the "internal server" are disguised later on. Today, this is possible even for technical laymen.
Right at the beginning of the conversation, the employee is accused of not having complied with a request - pressure and guilt are created. The conversation is spiced with a little technical jargon, so that Mr. Smith feels puzzled and is distracted from finding out exactly who is actually calling. In large companies in particular, "IT" is often a group of people that keeps to itself, and it is not uncommon for the caller to be unfamiliar to the employee. In small companies, attackers tend to take the role of the trainee who has only recently joined the company. The initial accusation is immediately softened - "You're not the only one who hasn't answered yet". The caller then offers a quick solution: "If you're at your PC right now, we'll do it together on the phone."
The last step is to send the link to the drive-by download by e-mail. Questions about verification or other security concerns are typically brushed aside with "that's no problem" (or, even bolder, "that's how it's supposed to be") or other excuses.
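The lookalike link shown above (www.it-seal.de-safe.de/update/datei.exe) is the part of the attack that can be checked mechanically. The following Python snippet is an added example written for this article, not IT-Seal's own tooling: it extracts the registrable domain of a link, flags hostnames that merely embed a trusted brand domain, and flags links that point straight at an executable file. The trusted-domain list, the two-label domain heuristic and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Domains the organisation actually owns (constructed list for this example).
TRUSTED_DOMAINS = {"it-seal.de"}

# File types that no legitimate "plug-in link" should deliver directly (constructed list).
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".hta")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'de-safe.de'.

    Assumption: a two-label heuristic is enough for '.de'-style TLDs. A
    production check would consult the Public Suffix List so that names such
    as 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Describe why a link from an e-mail does or does not look trustworthy."""
    # Links in e-mail text are often written without a scheme.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    trusted = domain in TRUSTED_DOMAINS
    findings = []

    if not trusted:
        for brand in TRUSTED_DOMAINS:
            brand_label = brand.split(".")[0]  # 'it-seal'
            # The brand appears inside the hostname, but the name that is
            # actually resolved belongs to someone else
            # (e.g. 'www.it-seal.de-safe.de' resolves under 'de-safe.de').
            if brand in host or brand_label in host:
                findings.append(
                    f"lookalike: hostname contains '{brand}' but the domain is '{domain}'"
                )

    # 'http://www.it-seal.de@evil.example/' shows the brand before '@';
    # the browser connects to what comes after it.
    if parts.username:
        findings.append("userinfo before '@' hides the real host")

    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append(f"direct executable download: {parts.path}")

    return {
        "host": host,
        "registrable_domain": domain,
        "trusted": trusted,
        "findings": findings,
    }


def is_suspicious(url: str) -> bool:
    """True when at least one finding was raised for the link."""
    return bool(analyse_link(url)["findings"])


if __name__ == "__main__":
    for sample in (
        "www.it-seal.de-safe.de/update/datei.exe",   # the link from the call
        "https://www.it-seal.de/update",             # genuine company host
        "http://www.it-seal.de@evil.example/",       # userinfo trick
    ):
        print(sample, "->", analyse_link(sample)["findings"])
```

A mail gateway or awareness tool can run `analyse_link` over every URL in an inbound message and annotate the ones with findings, which is exactly the check Mr. Smith had no time to make during the call.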
In vishing tests, IT-Seal achieves a "success" rate of about 34% - awareness training is essential.
In its social engineering simulations, IT-Seal of course does not use malicious software. The fact that the employee executes a file on the PC, however, would be sufficient to install a keylogger that captures passwords or a Trojan that takes over the whole system. At the client's request, IT-Seal informs the employee after the call that this was a vishing test and explains how they could have reacted better.