An email campaign asking victims to call a bogus number to suspend supposedly fraudulent subscriptions got right past Microsoft’s native email controls.

A pair of billing and tech support “vishing” attacks using Geek Squad and Norton Antivirus as cover managed to hit 25,000 mailboxes recently, questing after victims’ credit-card details.

Vishing (a contraction of “voice phishing”) generally involves stealing personal information from victims over the phone or leaving fraudulent voice messages. In this case, researchers said the gambit consisted of sending fake order receipts via email, and then including phone numbers to call “for processing order returns.”

According to researchers at Armorblox, the emails bypassed native Microsoft email security controls along with email security engines like Exchange Online Protection (EOP) and Proofpoint, landing in tens of thousands of corporate inboxes.

“Microsoft assigned a spam confidence level (SCL) of ‘-1’ to both emails,” explained researcher Abhishek Iyer, writing in a Thursday posting. “This means the emails skipped spam filtering because Microsoft determined they were from a safe sender to a safe recipient or were from an email source server on the ‘IP Allow’ list.”

Geek Squad…to the Rescue?

The Geek Squad vishing email. Source: Armorblox.

The attackers used the same look and feel from a branding perspective as the real Geek Squad, Iyer said, and the email body language “carefully [tread] the line between vagueness and urgency-inducing specificity.”

The emails likely avoided suspicion because the messages didn’t include any random links – usually the hallmark used for spotting malicious emails or scams.

Instead, the only call to action in the email was a phone number that would supposedly connect the recipient to the “billing department” in order to process order returns, the researcher explained. The method enabled the emails to bypass standard threat-detection controls.

“Including phone numbers as the payload is effective because a phone number is not an IOC that the security community tracks in a structured, shareable manner right now (and might never be, due to the fungibility of phone numbers, random numbers generated through Google Voice, etc.),” Iyer said.

Irony Alert: Norton Vishing Attack

The Norton attack was less frilly, according to Armorblox, with the body being sent in plain text, stripped of any HTML stylings or Norton branding.

Otherwise, the emails used the same approach as in the Geek Squad campaign, being also sent from a Gmail account and with the same “Order Confirmation” subject line, according to the researcher. And, once again, there were no links or conventional payloads in the body of the email, just a phone number to use to “cancel a subscription.”

The emails did exhibit one notable detection-evasion trick, Iyer explained.

“Near the top of the email, notice the ‘N0RT0N PR0TECTI0N’ with zeros instead of the letter O. This is a simple but effective technique used by attackers to slip past any deterministic filters or blocklists that check for brand names being impersonated,” he said.
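As an added illustration of the two detection gaps described above (a phone number as the only payload, and zero-for-O brand spoofing), not Armorblox's code, here is a small Python triage check that normalizes common digit-for-letter substitutions before matching impersonated brand names and flags billing-themed mail whose only call to action is a phone number. The brand watchlist, keyword list and sample messages are constructed for the example.

```python
import re

# Digit-for-letter swaps attackers use to dodge literal brand matches,
# as in the "N0RT0N PR0TECTI0N" sample above (constructed mapping).
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Hypothetical watchlist of brands worth protecting against impersonation.
WATCHED_BRANDS = ("geek squad", "norton", "amazon")

# Billing/subscription vocabulary that gives the message its "familiar workflow" context.
BILLING_WORDS = ("order", "subscription", "billing", "renew", "refund", "invoice", "receipt")

URL_RE = re.compile(r"https?://|www\.", re.I)
# Loose North-American phone-number pattern, e.g. (800) 555-0199 or 1-800-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def normalize(text: str) -> str:
    """Lowercase and undo digit substitutions so 'N0RT0N' compares as 'norton'."""
    return text.lower().translate(CONFUSABLES)


def impersonated_brands(text: str) -> list:
    """Return watched brand names present after confusable normalization."""
    norm = normalize(text)
    return [brand for brand in WATCHED_BRANDS if brand in norm]


def analyze(subject: str, body: str) -> dict:
    """Flag brand-themed billing mail whose only call to action is a phone number."""
    text = f"{subject}\n{body}"
    brands = impersonated_brands(text)
    phones = PHONE_RE.findall(text)          # run on raw text, digits must survive
    has_url = bool(URL_RE.search(text))
    billing = any(word in text.lower() for word in BILLING_WORDS)
    # The vishing pattern: a brand, billing context, a phone number, and no links at all.
    suspicious = bool(brands) and bool(phones) and billing and not has_url
    return {"brands": brands, "phones": phones, "has_url": has_url,
            "billing_context": billing, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample modelled on the plain-text Norton message described above.
    print(analyze("Order Confirmation",
                  "Thank you for renewing N0RT0N PR0TECTI0N for one year. "
                  "To cancel a subscription call 1-800-555-0199 within 24 hours."))
```

A real mail pipeline would run this after header checks and treat the verdict as one signal among several, since legitimate receipts also quote phone numbers.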

Nobody Home

In both cases, the Armorblox research team called the number provided, from a disposable Google Voice endpoint, only to find that the scam numbers had been deactivated.

“The technique here matters as much as (if not more than) the outcome,” Iyer said. “If the number here was taken down, it’s very easy for the attackers to stand up another number and repeat the attack flow, because they know the email is getting past traditional email-security controls.”

He added that one social-engineering aspect that leads to success for this type of campaign is the context of the attacks. They “replicate workflows that already exist in our daily lives (ordering subscriptions and services online),” he explained. “When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.”

How to Avoid Becoming a Vishing Victim

Vishing is certainly not new. Last year, for example, a similar campaign made the rounds with emails purporting to communicate about an Amazon delivery order; they included a phone number for the “Fraud Protection Team” to call in case the order was bogus.

“Vishing was used last year as part of the Twitter hack, where two eighteen-year-olds gained the confidence of two Twitter employees and got access to their systems to post fake tweets from various celebrities and convinced 120 people to give up $1,000 of bitcoin to receive $2,000,” said James McQuiggan, security awareness advocate at KnowBe4. “In this instance, it is apparent that it is a two-prong attack — the first being phishing and the second being vishing. Phishing is not always about clicking a link or opening an attachment, but getting the victim to take an action they might not otherwise take. The email appears believable, and they provide a phone number which continues the confidence or social engineering scam against the victim.”

However, vishing isn’t as well-known as phishing, nor as common. To protect against these types of scams, organizations should not only augment native email security with additional controls, but also layer on additional employee training, especially on engaging with familiar-seeming emails in a rational and methodical manner.

“Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email and any logical inconsistencies within the email (e.g. Why is Geek Squad sending an email to my work account, why are none of the CTA buttons in the email working, etc.),” Iyer suggested.

If convinced the email may be legitimate, simply be suspicious when calling the number, and never give up credit-card details or other sensitive information over the phone, he added. It’s worth carrying out a second-channel effort and searching for a publicly available customer-service or billing number for the company in question.

“Users must educate themselves and remain aware of the latest scam emails and trust but verify when it comes to billing or information requests,” McQuiggan said. “Users should understand that they need to confirm information through the actual website and avoid utilizing the information within an email when prompted with an email.”