Hybrid Phishing/Vishing Attacks Imitate Business Workflows
A new report shines a light on the malicious practice known as voice phishing or vishing – a social engineering tactic that some cyber experts say has only grown in prominence since COVID-19 forced employees to work from home.
And in some instances the technique is being used to supplement email-based phishing attempts.
“Vishing is one of the attacks that we’ve seen a huge surge in since lockdown,” in part due to the increase in conversations that happen over the phone or over Zoom, said report author Abhishek Iyer, director of product marketing at Armorblox, in an interview with SC Media. Iyer estimated that the number of vishing attacks have doubled since the COVID-19 pandemic took hold in March of 2020. Indeed, some of these attacks even leveraged the pandemic as a lure, to trick people into calling numbers for coronavirus test results, he added.
Iyer also believes that the frequency emails sent from businesses and employers related to password resets, security alerts, locked accounts, order confirmations and invoices have increased during the pandemic as well. “And so many of the attacks that we see try to replicate these workflows,” because “we tend to act quicker on these.”
The report from Armorblox describes a pair of recently observed attacks in which adversaries sent an email designed to fool recipients into calling phone number staffed by a malicious actor who then perpetuates the scam from there. A similar tactic was used recently by actors looking to spread BazarBackdoor malware, but in this latest case, the purpose was to steal credit card information.
This hybrid use of email and phone is a technique designed to avoid actually placing malicious phishing URLs or attachments in emails, in order to bypass email security solutions and spam filtering. For instance, both of the attacks described by Armorblox reportedly bypassed Microsoft security controls.
“The only payload here is a phone number, and phone numbers are not something that the security community tracks and shares in a scalable manner. I don’t know if it’ll ever be,” said Iyer. And because phone numbers can be changed and reassigned, you often “don’t really know if a phone number is legitimate or not.”
“It is apparent that it is a two-prong attack – the first being phishing and the second being vishing,” said James McQuiggan, security awareness advocate at KnowBe4, commenting on the report. “Phishing is not always about clicking a link or opening an attachment, but getting the victim to take an action they might not otherwise take. The email appears believable, and they provide a phone number which continues the confidence or social engineering scam against the victim.”
Both email attacks were sent from Gmail accounts, used a fake order confirmation as a lure, and employed social engineering techniques such as messaging that’s “carefully treading the line between vagueness and urgency-inducing specificity,” Iyer wrote in the blog post.
One attack impersonated electronic retailer Best Buy’s Geek Squad division, even using similar HTML stylings as the actual company in order to feign authenticity. This attack informed recipients that they had been renewed for an annual protection service at the cost of $358.46 – a sizable enough fee to potentially trigger some victims to call the posted number before recognizing that something is suspicious.
The other attack impersonated communications from Norton AntiVirus, but using the digit zero instead of the letter O in order to trick “deterministic filters or blocklists that check for brand names being impersonated,” the blog post explains.
In both cases, Armorblox researchers discovered that the numbers listed in the phishing/vishing emails had been disconnected. But it’s simply enough for a new number to spring up just as quickly. According to Iyer, it’s relatively easy and cheap for cybercriminals set up this kind of scam. “ I don’t think there’s anything too sophisticated, he said. “Setting up a Google Voice number is very easy. They email attack doesn’t even need to have a URL, and attackers can be confident of launching these attacks at scale and maybe they’ll make their way past inboxes.”
In his blog post, Iyer recommenders that user organizations protect themselves by bolstering native email security with additional controls, be aware of social engineering cues, observe MFA and password management best practices, and avoid sharing sensitive information over the phone.
“Always be sensitive when you’re talking to someone over the phone and they’re asking you for data that sounds strange, especially if it’s someone you have ever talked to before,” said Iyer. “We want to be polite over the phone, so if someone asks us [for personal information], we won’t hang up straight away. We’ll see what the call is about – there is a human being on the end of the line, after all.”
Keep that politeness in check, he added, especially when someone is asking you for account details.
“Users must educate themselves and remain aware of the latest scam emails, and trust, but verify when it comes to billing or information requests,” added McQuiggan. “Users should understand that they need to confirm information through the actual website and avoid utilizing the information within an email when prompted with an email.”
Email security company Tessian also conducted research last year showing that 24% of IT leaders had experienced more vishing attacks once their employees began working remotely between March and July 2020.
“I think data breaches are a significant contributor to the increase in phone and email phishing,” said Charles Brook, threat intelligence researcher at Tessian. “Breaches from major social media sites contain aligned personal information like names, phone numbers and email addresses for thousands of individuals. There is a good chance that cybercriminals will be collating or joining up the information from various data breaches to create an information-rich dataset of potential targets, in order to make their scams as convincing as possible.”