Security Week 35: Scaling Voice Phishing

On August 20, the U.S. Federal Bureau of Investigation published warning attacks on corporate infrastructure using voice phishing. The abbreviated name for this social engineering method, vishing, claims to be the wackiest security buzzword of 2020, but that doesn’t make the problem any easier. Although it is not new: the familiar calls to everyone, allegedly from the bank’s security service, can also be classified as “telephone attacks”.

The reason for highlighting this threat to US government agencies was a coordinated attack seen in mid-July this year. There are no details in the FBI and CISA bulletin, but there is a lot of interesting information in publications Brian Krebs on August 19. Apparently, a group of cybercriminals is seriously engaged in vishing, which provides its services to everyone on the black market. These are long-term, targeted attacks aimed at generating profit through blackmail or identity theft.

FBI and US Cybersecurity Agency Report (PDF).
An article by Brian Krebs analyzing the actions of the attackers.
News of voice attacks on American bank customers from 2014, one of the earliest mentions of the term vishing.
A case study a year ago about stealing company funds using a sophisticated voice attack.
News on Habré.

Voice phishing can be roughly divided into three categories: a simple attack on a consumer (a call from a bank, a call from a mobile operator, and so on), an attack on a company (a call supposedly from technical support), a complex attack supposedly from a real employee familiar to the victim. Exactly a year ago, the media got information about a successful attack on the company: the CEO called the chief accountant and asked to make a transfer to a certain bank account. 220 thousand euros were stolen, the attackers allegedly used machine learning algorithms to “recreate” the voice of a real person. This time we are talking about attacks below the level. They happen as follows: an employee of the company receives a phone call from a support representative, he informs about the need to “fix the VPN” and redirects the victim to a fake site with subsequent account theft.

In this case, machine learning is not required: a large corporation, many people work in the IT department – it is easy to convince the victim that a recently hired employee is calling her. Now is the perfect time for such attacks: a lot of people work from home (although nothing prevents them from launching the same attacks in an office environment). Previously, fraudsters lacked only a good organization of the criminal business. And judging by the data from the article by Brian Krebs, now with the organization of the cybercriminals everything is pretty good. Here’s how they work:

– They create believable copies of authorization pages in the corporate system, with logos and links to real company resources.
– Raise fake websites on anonymous hosting that accepts payment in cryptocurrency. They are used only if it was possible to establish contact with the victim, since the mass mailing can be blocked by corporate security systems. A separate hosting account is created for each attack so that a complaint about one page does not neutralize the entire phishing network.
– Create fake LinkedIn profiles that send friend requests to potential victims. A call from a friend on social media will create less suspicion, and criminals will have a better chance of success.
– Provides the possibility of multi-factor authentication. If a variable access code is used, there will be a field for it on the phishing page.
– After hacking, an additional phone number or smartphone is tied to the account so that access can be restored without social engineering.
– Shutting down the fake site immediately after the attack to cover their tracks. This is a new challenge for the cybersecurity industry: identify phishing pages before thathow they will be used.

It is clear that even with this level of preparation, vishing does not always work. In case of failure, the attackers analyze the information received and change tactics. Krebs’ interlocutors argue that people employed in this industry have developed their skills over the years. Fortunately, this summer’s particular series of attacks shows that its authors are better at social engineering than blackmail, withdrawals and the like.

The countermeasure for any social engineering attack is primarily employee training. For example, in the FBI report, company employees are advised to bookmark a page for accessing the company’s web services and open it, and not the link that the attackers send. You can also hinder penetration using technical methods – for example, restricting access to the VPN to devices from the whitelist. The most promising method is a dongle to access corporate resources, which simply won’t work on a fake page. But it is not so easy to issue such a key to hundreds or even thousands of employees, especially if they work remotely. The universal recommendation remains to reduce the potential damage from hacking one account.

What else happened:

Google has closed a vulnerability in corporate email service (part of the G Suite package) that allowed sending messages on behalf of any Gmail user or G Suite subscriber. The peculiarity of the problem was that during spoofing, Google’s “quality marks” (SPF and DMARC) were preserved, which distinguishes this bug from other methods of forging the real address of the sender. The vulnerability was closed a few hours after publication report, although by that time Google had been aware of the bug for half a year.

Another interesting email vulnerability: in some clients (for example, in Thunderbird) in standard links like mailto: you can attach a file as an argument. A theoretical example of an attack is shown in the screenshot above: we send a link to the victim, clicking on it creates a message with the sender’s address and an attached file. Read more in news and work researchers from the Ruhr and Westphalian universities.

IN THE USA arrested dozens of people who used the bug in Santander ATMs. A software error allowed to withdraw more money from debit cards than was on the account. The bank had to turn off all ATMs in the country for several hours.

Discovered a new botnet that attacks devices and servers with weak SSH passwords. A feature of the botnet is its decentralization: there is no single command server, the network is controlled distributed among the infected devices.

Interesting method creating a copy of the keys to the lock: record the sounds made by the real key that the owner opens the door with, and then, based on the analysis of clicks, restore the shape of the key

Similar Posts

Leave a Reply