How to Avoid a Vishing Attack — You'll End up in a Ditch if You Get Vished

What is a vishing attack?

Vishing (also known as voice phishing) is similar to email phishing, but instead of using email, as the name suggests, attackers use the phone network as an attack vector. Vishing has been prevalent since before the Internet existed, but has decreased over time due to email phishing being a more versatile attack method. As the cat and mouse game of defenders vs. attackers continues, defenders have enhanced their security through email client configuration, spam filtering, and overall phishing awareness. As phishing becomes more difficult, attackers may again use a vishing attack as a way to gain a foothold within the organization.

A vishing attack works in a similar way to email phishing, which we have discussed in other phishing blogs, where attackers are relying on the human element of security to fail, rather than the technical side.

Vishing attacks can be successful because there is little the person receiving the call can do to validate the caller’s actual identity. This is because caller ID’s can be manipulated and spoofed to show any number an attacker wants to show – thus relying on caller ID’s for verification is unreliable.

How a vishing attack works

At LMG Security, clients hire us to run vishing campaigns on their organizations to test how their employees respond to a vishing attack. The results of the tests can help management evaluate the effectiveness of their training programs, identify employees at risk of a compromise, and plan additional training.

We like to break vishing campaigns into three subsections: a vishing attack against low privilege employees, a vishing attack against high privilege employees, and a vishing attack with an email component (phishing).

Vishing against low privilege employees: In this scenario, the caller targets employees who may not have privilege (i.e. access to sensitive organization data, administrative actions/password resets, VPN access, etc.) but are likely to follow directions given by those who are seen to have more privilege, such as management or IT administrators.

The scenario: LMG Security consultants pose as IT helpdesk employees calling targets within our client’s organization, stating that they are noticing malicious traffic originating from the target’s work computer. The caller states that they need to remotely connect to the target’s computer to verify the source of the malicious traffic. The caller tells the target their administrator credentials are not working, and they need to use the target’s credentials to log in, mentioning this could be due to malware blocking administrative connections. The caller asks for the target’s credentials (username & password) to connect.

Vishing against high privilege employees: The caller targets employees who have privileged access to information or systems, such as financial or proprietary information, IT administration tools, VPN access, password resets, etc. Although these targets are likely to have more knowledge and training on information security, their jobs are to have answers and use their privileged access to help those lower level employees which then becomes the target.

The scenario: LMG Security consultants pose as employees within our client’s organization. They use Open Source Intelligence Gathering (OSINT), such as LinkedIn, to gather information about specific employees at the company, such as name, email address, and position within the organization. Using this information, LMG Security’s consultants target employees in IT administration/helpdesk functions within the organization, stating they forgot their password and need the target’s help to reset it. The caller acts as if they are in a rush, as they need to quickly send a high priority email to an executive within the company (this information is also gathered through OSINT). If the attack is successful, the helpdesk employee, wanting to be helpful, will change the password of the employee LMG Security is posing as and tell the caller the new password.

Vishing with a phishing element: In this type of attack the attacker uses both phishing and vishing attacks to add legitimacy of the campaign.

The Scenario: LMG Security consultants pose as helpdesk employees for a third-party IT service used by our client’s organization. The caller informs the target that there were numerous unsuccessful login attempts to the target’s account followed by successful logins. The caller asks if the target attempted these logins. When the target says no, the caller states that the account appears to have been compromised and the caller is locking the account. The caller asks the target to change his password through a password reset link they will send via email. This email is actually a phishing email which directs the target to a page that LMG Security has designed to resemble the third-party IT service’s website, and asks the target for their current credentials to “unlock their account.”

What could have been done to thwart these vishing attacks?

In each of these scenarios, the employee receiving the call should have verified the identity of the caller with another form of verification, following the organization’s procedure. This can be done by physically verifying (i.e. walking over to the supposed callers desk to verify if they are actually calling) or by calling the person back directly using the internal phone directory/extensions. Using a second form of verification is the surefire way of verifying who is calling. LMG Security does not recommend using email as a second form of verification. If an attacker has compromised an email account, this form of verification could be unreliable.

In addition to having employees use a second form of verification and make use of the organization’s internal phone directory, employees should be trained on vishing defense and the ease of caller ID spoofing. Training should teach users not only, “What is a vishing attack?”, but also include tips on how to identify a vishing attack, such as requests for passwords or sensitive data, and the caller’s attempts to create a sense of urgency. Organizations may also consider additional training for employees who have access to sensitive data and those in IT administration roles, such as helpdesk positions.

In addition, vishing tests are a great way for organizations to test if their employees are following procedures. LMG Security provides vishing assessments, which can aid in verifying if procedures are being followed as well as identify employees who may benefit from additional training in detecting a vishing attack.

Please contact us if you need help with security training or want to schedule a vishing test for your organization.