Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks
By Red Siege | September 22, 2023
In our digital world today, where cyber stuff keeps changing all the time, there’s this sneaky attack method that’s been popping up more and more lately: vishing, or voice phishing. Vishing is a form of social engineering that involves manipulating individuals over the phone to gain unauthorized access to sensitive information or corporate networks. In this article, we will explore what vishing is, how attackers can turn seemingly innocuous calls into security breaches, and most importantly, how to prevent vishing attacks from compromising your organization’s security.
To illustrate the real-world implications of vishing attacks, let’s take a closer look at the recent (at the time of this writing) MGM Casino hack. In 2023, MGM Resorts suffered a significant data breach that shutdown all computer access for 10 days. It impacted everything from digital keys to hotel rooms to slot machines on the Casino floor. The breach was reportedly a result of vishing attacks, where attackers used phone calls as a means to infiltrate the casino’s network.
Attackers often begin with seemingly harmless calls, with the intention of transforming them into something much more sinister. They start by building a pretext, gathering information about the target organization through online research, news articles, and, most notably, LinkedIn. By examining job titles and departments, attackers can identify potential targets who may have limited tech knowledge, such as those in accounting or HR.
In a well-executed vishing campaign, attackers go through several steps to fool their targets. First, they gather info on potential victims within an organization, often those who might not be tech-savvy. They also figure out the company’s phone number patterns to more easily dial into the organization.
Based on factors like whether the company has a helpdesk and how many employees work remotely, attackers tailor their fake story, or “pretext”, to make it more believable. Sometimes, they even get transferred internally by an unsuspecting employee, which makes it harder to trace the call back to the attacker. Attackers may also ask for direct phone extensions to make future attacks easier.
At the end of the day, the attackers pull off their scam, posing as someone like a frustrated user or a fake IT tech, often with the goal of installing malware or gaining unauthorized access. By combining these tactics, they create a convincing and targeted attack.
In the realm of voice phishing, individuals with malicious intent utilize a range of sophisticated and straightforward tools to deceive their targets effectively. For those with a more advanced understanding of telecommunications technology, a Private Branch Exchange (PBX) system, such as Asterisk, may be employed. This system is paired with a Session Initiation Protocol (SIP) Trunk service, which doesn’t require proof of number ownership. This advanced setup allows these individuals to essentially impersonate any phone number worldwide, without any consequences.
However, there are more accessible routes to achieve similar ends. Mobile applications like Hushed facilitate number spoofing directly from a smartphone, providing an easier point of entry for those less versed in complex technologies. While not as robust, this will allow an attacker to generate a number from a local area code.
Regardless of the specific tool employed, the objective remains consistent: to generate phone calls that appear to be coming from a familiar or trustworthy source. With the more advanced PBX solution, it’s even possible to imitate the phone number of the target or numbers related to entities they may be associated with, thereby enhancing the credibility of the malicious call.
Now that we understand how vishing attacks work, it’s crucial to discuss preventive measures that organizations can take to safeguard against this increasingly common threat.
Employee Training: The first line of defense against vishing attacks is well-informed employees. Regularly train your staff on recognizing social engineering tactics, such as pretexting and phishing calls. Encourage them to verify the identity of callers before sharing sensitive information.
Verify Caller Identity: Whenever someone calls claiming to be from within the organization, ask for their name and department. Then, independently verify their identity by contacting the person directly through official contact information. If available check your companies intranet or other directory service for a published internal and trusted phone number.
Implement Multi-Factor Authentication (MFA): MFA adds an additional layer of security by requiring users to provide multiple forms of authentication before granting access. This makes it more challenging for attackers to compromise accounts.
Use Call Authentication Tools: Implement call authentication tools that validate the legitimacy of incoming calls, helping employees distinguish between genuine and fraudulent calls.
Monitor Call Patterns: Regularly review call logs and patterns to detect any suspicious activities or repeated calls from unfamiliar numbers.
Vishing is a formidable threat that can compromise your organization’s security and lead to significant data breaches, as evidenced by the MGM Casino hack. Understanding the tactics employed by vishers and taking proactive measures to prevent such attacks is essential for protecting your business. By implementing robust security awareness programs, verifying caller identities, and using authentication tools, you can fortify your defenses and minimize the risk of falling victim to vishing attacks. Stay vigilant, educate your employees, and remember that prevention is the best defense against this insidious form of cybercrime.
Jason Downey has over ten years of professional experience in IT and information security ranging in a variety of roles in network security roles with additional experience in systems administration. Jason has spoken in front of various audiences ranging from youth initiatives to major security conferences, while creating informational content on SiegeCasts and forward-facing marketing channels. Jason excels at a variety of penetration testing tactics and is well known for his vishing and social engineering expertise.
GPEN, GCIH, CCNA R&S, CCNA Security, CEH, CHFI
Connect on Twitter
For more information about Vishing. Check out the SiegeCast “Practical People Hacking”
Related StoriesView More
By Red Siege | November 28, 2023
from Ian Briley, Security Consultant The weakest link in your information security chain will always be the human behind the keyboard. No matter how much death by PowerPoint security training […]Learn More
By Tim Medin | November 13, 2023
As the CEO of Red Siege Information Security, I’ve had the privilege of building an outstanding team of ethical hackers to conduct numerous penetration tests for organizations across many industries. […]Learn More
By Red Siege | October 5, 2023
In this blog post I wanted to share a few tips and tricks I’ve found in Burp that have really helped me in the past. Double Click and Right Click […]Learn More