Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks

from Jason Downey, Security Consultant

In our digital world today, where cyber stuff keeps changing all the time, there’s this sneaky attack method that’s been popping up more and more lately: vishing, or voice phishing. Vishing is a form of social engineering that involves manipulating individuals over the phone to gain unauthorized access to sensitive information or corporate networks. In this article, we will explore what vishing is, how attackers can turn seemingly innocuous calls into security breaches, and most importantly, how to prevent vishing attacks from compromising your organization’s security.

Vishing and the MGM Casino Hack

To illustrate the real-world implications of vishing attacks, let’s take a closer look at the recent (at the time of this writing) MGM Casino hack. In 2023, MGM Resorts suffered a significant data breach that shutdown all computer access for 10 days. It impacted everything from digital keys to hotel rooms to slot machines on the Casino floor. The breach was reportedly a result of vishing attacks, where attackers used phone calls as a means to infiltrate the casino’s network.

Attackers often begin with seemingly harmless calls, with the intention of transforming them into something much more sinister. They start by building a pretext, gathering information about the target organization through online research, news articles, and, most notably, LinkedIn. By examining job titles and departments, attackers can identify potential targets who may have limited tech knowledge, such as those in accounting or HR.

The Attack Process

In a well-executed vishing campaign, attackers go through several steps to fool their targets. First, they gather info on potential victims within an organization, often those who might not be tech-savvy. They also figure out the company’s phone number patterns to more easily dial into the organization.

Based on factors like whether the company has a helpdesk and how many employees work remotely, attackers tailor their fake story, or “pretext”, to make it more believable. Sometimes, they even get transferred internally by an unsuspecting employee, which makes it harder to trace the call back to the attacker. Attackers may also ask for direct phone extensions to make future attacks easier.

At the end of the day, the attackers pull off their scam, posing as someone like a frustrated user or a fake IT tech, often with the goal of installing malware or gaining unauthorized access. By combining these tactics, they create a convincing and targeted attack.

Tools Used in Vishing

In the realm of voice phishing, individuals with malicious intent utilize a range of sophisticated and straightforward tools to deceive their targets effectively. For those with a more advanced understanding of telecommunications technology, a Private Branch Exchange (PBX) system, such as Asterisk, may be employed. This system is paired with a Session Initiation Protocol (SIP) Trunk service, which doesn’t require proof of number ownership. This advanced setup allows these individuals to essentially impersonate any phone number worldwide, without any consequences.

However, there are more accessible routes to achieve similar ends. Mobile applications like Hushed facilitate number spoofing directly from a smartphone, providing an easier point of entry for those less versed in complex technologies. While not as robust, this will allow an attacker to generate a number from a local area code.

Regardless of the specific tool employed, the objective remains consistent: to generate phone calls that appear to be coming from a familiar or trustworthy source. With the more advanced PBX solution, it’s even possible to imitate the phone number of the target or numbers related to entities they may be associated with, thereby enhancing the credibility of the malicious call.

Preventing Vishing Attacks

Now that we understand how vishing attacks work, it’s crucial to discuss preventive measures that organizations can take to safeguard against this increasingly common threat.

1. Employee Training: The first line of defense against vishing attacks is well-informed employees. Regularly train your staff on recognizing social engineering tactics, such as pretexting and phishing calls. Encourage them to verify the identity of callers before sharing sensitive information.

2. Verify Caller Identity: Whenever someone calls claiming to be from within the organization, ask for their name and department. Then, independently verify their identity by contacting the person directly through official contact information. If available check your companies intranet or other directory service for a published internal and trusted phone number.

3. Implement Multi-Factor Authentication (MFA): MFA adds an additional layer of security by requiring users to provide multiple forms of authentication before granting access. This makes it more challenging for attackers to compromise accounts.

4. Use Call Authentication Tools: Implement call authentication tools that validate the legitimacy of incoming calls, helping employees distinguish between genuine and fraudulent calls.

5. Monitor Call Patterns: Regularly review call logs and patterns to detect any suspicious activities or repeated calls from unfamiliar numbers.

Conclusion

Vishing is a formidable threat that can compromise your organization’s security and lead to significant data breaches, as evidenced by the MGM Casino hack. Understanding the tactics employed by vishers and taking proactive measures to prevent such attacks is essential for protecting your business. By implementing robust security awareness programs, verifying caller identities, and using authentication tools, you can fortify your defenses and minimize the risk of falling victim to vishing attacks. Stay vigilant, educate your employees, and remember that prevention is the best defense against this insidious form of cybercrime.

About Jason Downey

Jason Downey has over ten years of professional experience in IT and information security ranging in a variety of roles in network security roles with additional experience in systems administration. Jason has spoken in front of various audiences ranging from youth initiatives to major security conferences, while creating informational content on SiegeCasts and forward-facing marketing channels. Jason excels at a variety of penetration testing tactics and is well known for his vishing and social engineering expertise.

Certifications:
GPEN, GCIH, CCNA R&S, CCNA Security, CEH, CHFI

Connect on Twitter

For more information about Vishing. Check out the SiegeCast “Practical People Hacking”