“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
On the heels of the widely publicized “phone phishing,” or vishing, attack against Twitter employees last month, which resulted in a Bitcoin scam and the compromise of several high-profile accounts, this attack vector has seen a marked uptick. Cyber criminals gravitate to what works, and the Twitter attack showed that vishing can be effective.
An industry group was formed to track incidents similar to the Twitter attack and senior researchers have noted a spike in similar incidents. Director of Threat Intelligence at the security firm ZeroFox and member of the group, Zack Allen, said he’s “been shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees—some even starting their very first day on the job—and convincingly impersonating IT staff to trick them.”
Researchers note that traditional vishing was mostly used to conduct SIM-swap attacks, in which an attacker convinces a telecom employee to transfer a victim’s cellular service to a SIM card the attacker controls in order to intercept SMS-delivered 2FA codes. The COVID-19 pandemic may have expanded the target set beyond telecoms to any company that moved to a remote work environment; those companies are likely less prepared to deal with well-organized, tailored vishing attacks.
How a Vishing Attack Works
A typical attack begins with a VoIP call from a spoofed phone number. The attacker opens a trust-building conversation that references private details gleaned from research on the victim: their position, when they started at the firm, and possibly the names of their coworkers. Once the victim accepts the ruse, they are directed to perform an action, such as navigating to a look-alike login page and entering their credentials and 2FA code. The attacker or an accomplice immediately logs into the real login page with those credentials and code, before the time-limited code expires, and gains full account access.
Because of the effectiveness of this tactic, Zack Allen believes it is only a matter of time before bigger players adopt it; Allen may be more right than he knows. A ClearSky report in late August on the Iranian cyber espionage APT group Charming Kitten (aka APT35 or Ajax) documented new TTPs used by the group beginning in July 2020.
The Iranian APT’s members have posed as journalists before to trick would-be victims into opening malicious links; the attackers are now using the WhatsApp messaging service and fake LinkedIn profiles, and conducting phone calls with potential victims, in order to secure the victim’s trust. Reaching out by voice over WhatsApp or from spoofed phone numbers risks exposing the cover story the attackers have built; their willingness to use voice calls anyway, to gain more trust and improve the delivery of malicious payloads, suggests the group believes it can overcome that obstacle.
ClearSky also reported in August on Hidden Cobra’s (aka Lazarus Group) Operation Dream Job, which detailed the North Korea-linked APT’s targeting of government and defense industry employees with the offer of a “dream job.” The attacks used a range of social engineering tactics, including fake profiles impersonating employees of real companies (such as Boeing), befriending people already in the victim’s social media circle, and conducting the contact in English. Going a step further, the hackers even posed as Human Resources recruiters at large companies and conducted job interviews with their victims in both English and Spanish via phone and Skype.
How to Prevent Vishing
Vishing attacks are effective at persuading victims to trust an attacker and carry out tasks, so security professionals must account for this risk and counter it. Prevention includes employee training as well as technical measures such as FIDO tokens for 2FA, which bind the authentication to the genuine site’s origin so that whatever the victim produces on a look-alike page cannot be replayed against the real one. Security teams can also require a device certificate on a company-managed machine before granting remote access, so that relayed credentials alone are not enough when the attacker connects from their own machine.
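The following simulation, added here as an example and not code from BlueVoyant or from any of the reports cited above, shows in one place both the attack flow from the “How a Vishing Attack Works” section and why the FIDO recommendation above defeats it. A constructed service authenticates “alice” two ways: password plus an RFC 6238 TOTP code, and a FIDO/WebAuthn-style assertion in which the browser binds the site origin into what gets signed. The attacker on the phone relays whatever the victim produces on a look-alike page to the real site in real time. The user, secrets, origins and challenge are all constructed, and an HMAC with a per-credential key stands in for the real public-key signature a FIDO token would produce.

```python
"""Why a real-time vishing relay beats TOTP codes but not an origin-bound
(FIDO/WebAuthn-style) authenticator.  Everything below is constructed for
this illustration: the service, the user, the secrets and the origins."""
import hashlib
import hmac
import struct

# ---------- Constructed "real" service ----------
REAL_ORIGIN = "https://login.example.com"          # assumed legitimate origin
FAKE_ORIGIN = "https://login-example-support.com"  # assumed attacker look-alike

USERS = {
    "alice": {
        "password": "correct horse",
        "totp_secret": b"constructed-totp-seed",    # shared seed, as in any TOTP app
        "fido_key": b"constructed-credential-key",  # stands in for a FIDO key pair
    }
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def real_login_totp(username: str, password: str, code: str, now: int) -> bool:
    """The real site: password plus a code valid for the current 30 s window.
    Nothing ties the code to *where* the user typed it."""
    u = USERS.get(username)
    if u is None or not hmac.compare_digest(u["password"], password):
        return False
    return hmac.compare_digest(totp(u["totp_secret"], now), code)


def authenticator_sign(key: bytes, origin: str, challenge: bytes) -> bytes:
    """FIDO-style assertion.  The browser, not the user, supplies the origin,
    and it is bound into the signed data (WebAuthn's rpIdHash).  HMAC stands
    in for the token's public-key signature."""
    rp_id_hash = hashlib.sha256(origin.encode()).digest()
    return hmac.new(key, rp_id_hash + challenge, hashlib.sha256).digest()


def real_login_fido(username: str, challenge: bytes, assertion: bytes) -> bool:
    """The real site verifies the assertion against its *own* origin."""
    u = USERS.get(username)
    if u is None:
        return False
    expected = authenticator_sign(u["fido_key"], REAL_ORIGIN, challenge)
    return hmac.compare_digest(expected, assertion)


# ---------- The vishing relay ----------
def vishing_relay_totp(now: int) -> bool:
    """The caller talks Alice into 'verifying her account' on the fake page.
    Alice types her password and the code from her app; the attacker forwards
    both to the real site inside the same 30 s window."""
    victim_typed = {"user": "alice", "password": "correct horse",
                    "code": totp(USERS["alice"]["totp_secret"], now)}
    return real_login_totp(victim_typed["user"], victim_typed["password"],
                           victim_typed["code"], now)


def vishing_relay_fido() -> bool:
    """Same script, but Alice's account uses a FIDO token.  The attacker fetches
    a challenge from the real site and relays it to the fake page; Alice touches
    the token, but her browser signs for FAKE_ORIGIN, so the relayed assertion
    does not verify at REAL_ORIGIN."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    assertion_from_victim = authenticator_sign(USERS["alice"]["fido_key"],
                                               FAKE_ORIGIN, challenge)
    return real_login_fido("alice", challenge, assertion_from_victim)


def legitimate_fido_login() -> bool:
    """Control case: Alice on the real site, signing for the real origin."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    assertion = authenticator_sign(USERS["alice"]["fido_key"], REAL_ORIGIN, challenge)
    return real_login_fido("alice", challenge, assertion)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relay succeeds:   ", vishing_relay_totp(now))   # True
    print("FIDO relay succeeds:   ", vishing_relay_fido())      # False
    print("Legitimate FIDO login: ", legitimate_fido_login())   # True
```

The TOTP relay succeeds because a six-digit code is just a value: whoever holds it within the window can submit it anywhere, and the victim has no way to tell the look-alike page from the real one over the phone. The FIDO relay fails even though the victim cooperated fully, because the origin the browser signed for is part of the signed data and the real site checks it. The same origin binding is what a device certificate adds on the remote-access side: the attacker can relay what the victim types, but cannot relay the private key that lives on the managed machine.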