Sophisticated Phone Spear Phishing Attacks are Targeting Top Companies
Aug 18, 2020 • Wired
WHEN LAW ENFORCEMENT arrested three alleged young hackers in the US and the UK last month, the story of the worst-known hack of Twitter’s systems seemed to have drawn to a tidy close. But in fact, the technique that allowed hackers to take control of the accounts of Joe Biden, Jeff Bezos, Elon Musk, and dozens of others is still in use against a broad array of victims, in a series of attacks that began well before Twitter’s blowup, and in recent weeks has escalated into a full-blown crime wave.
In mid-July, Twitter revealed that hackers had used a technique against it called “phone spear phishing,” allowing the attackers to target the accounts of 130 people including CEOs, celebrities, and politicians. The hackers successfully took control of 45 of those accounts and used them send tweets promoting a basic bitcoin scam. The hackers, Twitter wrote in a postmortem blog post about the incident, had called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.
“I’ve never seen anything like this before.”
ZACK ALLEN, ZEROFOX
But Twitter is hardly the only recent target of “phone spear phishing,” also sometimes known as “vishing,” for “voice phishing,” a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies—including banks, cryptocurrency exchanges, and web hosting firms—have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that’s been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company’s services—most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.
“Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries,” says Allison Nixon, who serves as chief research officer at cybersecurity firm Unit 221b and assisted the FBI in its investigation into the Twitter hack. “I’ve seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn’t think are soft targets. And it’s happening repeatedly, like the companies can’t keep them out.”
As in the Twitter hack, the perpetrators don’t appear to be state-sponsored hackers or foreign cybercrime organizations, but young, English-speaking hackers organizing on forums like the website OGUsers.com and the chat service Discord, says Zack Allen, the director of threat intelligence at security firm ZeroFox, who has also worked with the industry group tracking the incidents. He says he’s been shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees—some even starting their very first day on the job—and convincingly impersonating IT staff to trick them.
“I’ve never seen anything like this before, nothing this targeted,” says Allen. He warns that the hackers’ tactics have been so effective, it may be only a matter of time until they’re adopted by foreign ransomware groups or even state-sponsored hackers who simply contract out the phone calls to English-speaking phone phishers. “It’s like what you’d expect from a whole team of intelligence professionals building dossiers and executing attacks, but it all seems to be done by teenagers on Discord.”
A security staffer at one targeted organization who asked that WIRED not use his name or identify his employer described a more wholesale approach: At least three callers appeared to be working their way through the company directory, trying hundreds of employees over just a 24-hour period. The organization wasn’t breached, the staffer said, thanks to a warning that the company had received from another target of the same hacking campaign and passed on to its staff prior to the hacking attempts. “They just keep trying. It’s a numbers game,” he says. “If we hadn’t had a day or two’s notice, it could have been a different story.”
Phone-based phishing is hardly a new practice for hackers. But until recently, investigators like Allen and Nixon say, the attacks have focused on phone carriers, largely in service of so-called “SIM swap” attacks in which a hacker would convince a telecom employee to transfer a victim’s phone service to a SIM card in their possession. They’d use that phone number to intercept two-factor authentication codes, or as a starting point to reset the passwords to cryptocurrency exchange accounts.
The Twitter hack’s use of those same phone-based social engineering methods shows how those phishers have expanded their target lists beyond telcos, says Unit 221b’s Nixon. She posits that while this might be due to phone carriers hardening their defenses against SIM swaps, it’s more likely spurred by companies becoming newly vulnerable during the Covid-19 pandemic. With so many firms hastily shifting to remote work, she says, phone-based social engineering has become far more powerful.
The same hackers who honed their skills against telecoms have found other industries that are less well prepared for their tricks, Nixon says. “All of a sudden you’ve got these people that are highly trained, highly effective, efficient, and organized, suddenly hitting a bunch of soft targets,” she says. “And that’s probably a big reason why there’s such a problem right now.”
Despite the apparent youth of the hackers involved, Nixon says the ongoing attacks seem well coordinated, with multiple collaborators working together and hiring independent hackers offering specialized services from reconnaissance to voice acting. “Need someone that has experience with social engineering over call, great pay,” wrote one OGUser forum member in March named “biggas,” as captured in a collection of OGUser messages leaked on Telegram in April. “Looking for a social engineering god that is from USA and has a clear & normal adult voice. No little kids,” the same user wrote back in November.
In their social engineering calls with victims—including in one recorded call reviewed by WIRED—the hackers typically use a VoIP service that allows them to spoof their phone number. They attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their coworkers. In some cases, they’ll even ask the victim to confirm that they’re a “real” IT person, suggesting they look up their spoofed identity in the company’s directory or its collaboration software. When the victim seems convinced, they ask them to navigate to a fake login page address—usually for a single sign-on portal like Duo or Okta—and enter their credentials.
Another member of the hacking group immediately obtains those details and enters them into the real login page. The real login page then prompts the victim to enter their two-factor authentication code. When the user is fooled into typing that code into the fake site, it’s also relayed to the second hacker, who enters it into the real login page, allowing them to fully take over the account. The hackers’ phishing site that allows that spoofing, unlike the kind usually linked in a phishing email, is usually created only for that specific phone call and is taken down immediately after the hackers steal the victim’s credentials. The vanishing website and the lack of email evidence makes this sort of phone-based engineering often harder to detect than traditional phishing.