We’ve all heard of phone scams such as Rachel at card services offering to help us out of a jam we didn’t even know we had. Scams such as this have become common in the workplace as well. These scams, called vishing or phone phishing, are a type of test we often perform for Raxis’ customers.You may be surprised to hear that often we achieve a high success rate with these phone phishing assessments. During one particular assessment, we called a large number of people throughout a company and told them we were contractors performing the annual credential check and asked the employees to please provide their email username and password. Often those credentials are used to login to their computers as well. Providing this information yielded more access than the targeted user was aware of. During this assessment, approximately one fourth of the people we called provided their credentials.

PREPARATION

This type of phishing is different from the email phishing attacks that most people are familiar with. First, a telephony-based phishing campaign requires additional preparation to sound convincing. We rehearse what we plan to say as well as how we will respond to questions, suspicion, and anger. We invent a story and background as part of a convincing pretext. It is said that the devil is in the details. A sense of legitimacy can be borrowed by peppering the conversations with specific information. Are we saying we work for the same company as the target? Then we'd better be able to say what office we work in. We're calling from IT? Who's our manager?Unlike email phishing campaigns, it is imperative to hook the target as soon as the call starts. Once the target hangs up, it's unlikely they will call back or take another call from our number unless they trusted us (though I once had a person call me back to check who answered the phone). For this we prepare a persona.

We need a name, possibly an accent, a department, a purpose for calling, and just enough back story that we never say “umm”.

When we call our target, we’re unlikely to provide most of these details, but we need to be in character. Our target is likely to start off suspicious and will only get more suspicious if we say we work at the IT Help Desk and then act like we’re a high level manager telling them what to do. I’ve also had targets question me on what building I work in as well as my manager’s name. If I have a number of people to call, I often make small talk to gather more information to use in my next calls. Every bit helps in establishing rapport and building trust.Another part of preparation is technical. While it’s illegal to spoof (imitate) a phone number maliciously, in phishing campaigns it’s all part of the test. We use services like SpoofCard to display the phone number of the company that we claim to be calling from to make the call seem even more real.

A SIMPLE, MULTI-TARGET VISHING CAMPAIGN

Many companies hire us to call a large number of people in various departments to see if they reveal private information. The goal is to get something simple like their username and password for the email system or the direct phone number for an employee who doesn’t have that listed publically. We often seek to check the effectiveness of their security awareness training by evaluating employees’ responses to the attack. As an employee, knowing that a company tests employees in this way can be a great incentive to exercise vigilance when handling unknown calls.In campaigns like this, I like to make myself a low level contractor. This job is so lowly that they don’t even make the lowest level employees do it! My goal is to establish rapport and then elicit a sense of empathy. Maybe you feel sorry for me. Maybe you realize that I get paid by results, so I will keep calling until you give me what I ask for. Most importantly, I have an excuse for not knowing answers to all your questions or not having a phone number that looks familiar.So back to my sad, lowly contractor. I make the call. I’m friendly. If they don’t believe me, I sound like I am used to hearing this and hate my job. I don’t tell them I’m a contractor; my goal is to get their credentials, but if they push back or ask me questions like “what building do you work in?, I “admit” that I’m just a contractor. I look for any opportunity to ask the best way to get a job there. I ask if my target likes working there. Are the managers nice?This allows me to keep the target engaged without knowing all the answers and makes people feel important because they possess information that the caller doesn’t have. If they refuse to answer, I’m polite and tell them that is no problem at all… but someone will have to come to their office in person, and it will take longer. Sometimes that threat of someone physically coming to see them is enough to change their mind.These types of campaigns can be conducted under a myriad of personas. Some people mumble a lot so that it’s easier to act like you know answers you may not know. Think of calls you’ve received from spammers that you believe are legitimate at first. Sometimes it’s hard to say no.

SPEAR PHISHING CAMPAIGNS