Attacking the Person - What Works, and What Doesn’t in Vishing
Insights from Cybersecurity Analyst/Ethical Hacker, Dillon Rangel
A Quick Recap
Firewalls, IPS/IDS systems, and AV continue to improve while there seems to be an upper limit on how quickly new exploitation techniques can be developed. This may seem to make defending from cyber threats an easier job, but as the old saying goes, the attacker only needs to be right once. The modern effective hacker utilizes a wide skill set that includes not only classical hacking, but a myriad of social engineering techniques, of which vishing is one. Our previous post found here (https://www.frameworksec.com/post/the-soft-underbelly-of-cybersecurity-phone-based-social-engineering-as-utilized-in-the-mgm-attack) delves into some defenses from this lesser talked about area of social engineering. This post will be discussing the attacker perspective, and analyzing techniques which have a higher success rate than their counterparts.
Like an unspecified number of good hackers, I attend DEFCON each year. One of the key draws is the Social Engineering Village where there is a contest to cold call companies and attempt to access privileged information such as their alarm system provider, or network, OS, and AV information. As you might imagine, some callers are more successful than others and there is a clear difference in the success rates of the chosen strategies.
What Doesn’t Work
There is no one size fits all approach to vishing; the variance for success or failure depends as much on the target as it does on the day of the week. Some approaches that generally fare poorly are those without inherent authority, like a student survey. It is important to not overdo a pretexted authoritative position because it counteracts people’s natural desire to be helpful. This can be seen with employees willing to bend over backwards for great bosses while doing the bare minimum with bad bosses. It is important to give the person on the other end of the phone a good reason to help. Without this, it is simply too easy to hang up and ignore a person with no real or imagined power.
Aside from authority, competitors who struggled significantly were those who were unable to clearly establish their pretext quickly. This goes back to giving the person a good reason not to hang up. Some less obvious and more difficult to correct reasons participants failed were talking more than listening, and using dead ended questions that did not allow the conversation to flow naturally. In a similar way to casinos being designed to keep people there as long as possible, continuing a natural conversation almost always yields additional useful information.
What Does Work
Pretexts that almost always find success are relatable, likable, and obvious. What obvious means in this context is that it makes sense why this person would be calling and asking the questions they are asking. One common pretext that fills all these criteria is IT based. It’s easy to relate to another low level employee, it’s easy to like someone when they’re proactively offering to help solve one of your problems, and it’s obvious why IT would be calling with technical questions. Some successful variations of this involve a person faking a stutter to seem nervous, and therefore a more stereotypical IT person, a hyper confident IT and compliance caller offered a full name, fake employee ID, and ticket number at the immediate start of the conversation. These pretexts were established quickly and often built rapport by asking if any of their equipment needed an upgrade from corporate. Other successful pretexts started out basic but preferred to build a personal rapport with the person, such as recent maternity leave. One thing these all shared is that the attacker was practically glowing the entire conversation. They smiled while talking, oozed charisma, directed the flow of conversation, and most importantly, they were kind. It is very easy to overlook red flags for someone that is well liked and all successful participants played heavily on this.
With good OSINT before the engagement, and some practice, this is a technique that all hackers can and should employ. It is a lesser talked about part of social engineering but will likely stay relevant forever due to human nature. Let’s take a brief moment to applaud the people that correctly shut down these vishing attempts before divulging any sensitive information and from a leadership perspective, this is the behavior that should be encouraged. It should be celebrated when the CEO is unable to obtain information from employees without going through the proper channels.