[BreachExchange] Geek Squad Vishing Attack Bypasses Email Security to Hit 25K Mailboxes

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 18 11:40:20 EDT 2021


https://threatpost.com/geek-squad-vishing-bypasses-email-security/167014/

A pair of billing and tech support “vishing” attacks using Geek Squad and
Norton Antivirus as cover managed to hit 25,000 mailboxes recently,
questing after victims’ credit-card details.

Vishing (a contraction of “voice phishing”) generally involves stealing
personal information from victims over the phone or leaving fraudulent
voice messages. In this case, researchers said the gambit consisted of
sending fake order receipts via email, and then including phone numbers to
call “for processing order returns.”

According to researchers at Armorblox, the emails bypassed Microsoft's native
email security controls, including Exchange Online Protection (EOP), as well
as the Proofpoint email security engine, landing in tens of thousands of
corporate inboxes.

“Microsoft assigned a spam confidence level (SCL) of ‘-1’ to both emails,”
explained researcher Abhishek Iyer, writing in a Thursday posting. “This
means the emails skipped spam filtering because Microsoft determined they
were from a safe sender to a safe recipient or were from an email source
server on the ‘IP Allow’ list.”

Geek Squad…to the Rescue?

Geek Squad is an IT support service focused on consumers and small
businesses, owned by consumer-electronics retailer Best Buy. In the first
campaign that Armorblox uncovered, the scammers impersonated the service by
sending emails (from a Gmail account) that masqueraded as a renewal
confirmation for an annual protection service.

The attackers used the same look and feel from a branding perspective as
the real Geek Squad, Iyer said, and the email body language “carefully
[tread] the line between vagueness and urgency-inducing specificity.”

The emails likely avoided suspicion because they didn't include any links,
usually the hallmark that filters and recipients rely on to spot malicious
emails or scams.

Instead, the only call to action in the email was a phone number that would
supposedly connect the recipient to the “billing department” in order to
process order returns, the researcher explained. The method enabled the
emails to bypass standard threat-detection controls.

“Including phone numbers as the payload is effective because a phone number
is not an IOC that the security community tracks in a structured, shareable
manner right now (and might never be, due to the fungibility of phone
numbers, random numbers generated through Google Voice, etc.),” Iyer said.
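As an added example, not code from the Threatpost article or from Armorblox, the Python triage routine below shows what the two observations above look like when applied to a message: it reads the spam confidence level that Exchange stamps in the X-MS-Exchange-Organization-SCL header (a real header name), checks whether a brand-like display name arrives from a free-mail domain, counts links, and pulls phone numbers out of the body as indicators, normalizing them to E.164 so that the same number written in different formats yields one indicator value. The sample message, sender address, phone number, free-mail list and brand list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a message from the campaign): it mirrors the shape the
# article describes - Gmail sender with a brand display name, "Order Confirmation"
# subject, SCL -1 stamped by Exchange, no links, a phone number as the only action.
SAMPLE_EMAIL = """\
From: "Geek Squad Billing" <geeksquad.billing.example@gmail.com>
To: employee@corp.example
Subject: Order Confirmation
X-MS-Exchange-Organization-SCL: -1
Content-Type: text/plain; charset=utf-8

Your annual protection plan has been renewed for $349.99.
If you did not authorize this charge, call our billing department
at (800) 555-0199 or +1 800 555 0199 within 24 hours to process a return.
"""

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed list
BRAND_TOKENS = ("geek squad", "norton", "best buy")            # assumed list

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Loose North American pattern: enough to surface candidates, not a validator.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def normalize_phone(raw):
    """Collapse formatting variants to E.164 so one number has one indicator value."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:          # assume North American numbering when no country code
        digits = "1" + digits
    return "+" + digits


def body_text(msg):
    """Return the text/plain content, joining parts if the message is multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b""
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return b"\n".join(parts).decode("utf-8", "replace")


def triage(raw_message):
    """Parse one raw RFC 822 message and return the facts a vishing triage cares about."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    body = body_text(msg)
    urls = URL_RE.findall(body)
    phones = sorted({normalize_phone(p) for p in PHONE_RE.findall(body)})

    findings = []
    if scl is not None and scl.strip() == "-1":
        findings.append("scl_minus_one_skipped_filtering")   # filtering was bypassed
    if sender_domain in FREEMAIL_DOMAINS and any(
            b in display_name.lower() for b in BRAND_TOKENS):
        findings.append("brand_display_name_from_freemail")  # "Geek Squad" from gmail.com
    if phones and not urls:
        findings.append("phone_only_call_to_action")         # no link; the number is the payload

    return {
        "sender_domain": sender_domain,
        "display_name": display_name,
        "scl": scl,
        "urls": urls,
        "phone_iocs": phones,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The normalized number is what would go into a shared indicator feed; the two spellings in the sample body collapse to the same value, which is the minimum needed before phone numbers can be tracked the way URLs and hashes are.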

Irony Alert: Norton Vishing Attack

The Norton attack was less frilly, according to Armorblox, with the body
being sent in plain text, stripped of any HTML stylings or Norton branding.

Otherwise, the emails used the same approach as in the Geek Squad campaign,
being also sent from a Gmail account and with the same “Order Confirmation”
subject line, according to the researcher. And, once again, there were no
links or conventional payloads in the body of the email, just a phone
number to use to “cancel a subscription.”

The emails did exhibit one notable detection-evasion trick, Iyer explained.

“Near the top of the email, notice the ‘N0RT0N PR0TECTI0N’ with zeros
instead of the letter O. This is a simple but effective technique used by
attackers to slip past any deterministic filters or blocklists that check
for brand names being impersonated,” he said.
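The zero-for-O trick quoted above defeats any blocklist that compares strings literally. As an added example, not code from the article or from Armorblox, the Python below canonicalizes text before matching brand names: Unicode compatibility decomposition folds full-width and accented letters, a small substitution table folds digit and symbol look-alikes, and spacing and punctuation are dropped, with the brand names passed through the same canonicalization so both sides compare in the same form. The substitution table and brand list are assumptions for the example; a production filter would draw on the Unicode confusables data (UTS #39), which also covers the Cyrillic and Greek look-alikes this table does not.

```python
import re
import unicodedata

# Digit/symbol look-alikes attackers substitute for letters ("N0RT0N", "B3ST BUY").
# This table is an assumption for the example, not a published confusables list;
# it does not cover cross-script look-alikes such as Cyrillic 'o' for Latin 'o'.
# i, l, 1, | and ! are all folded to one class because they are hard to tell apart.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "l", "i": "l",
})

BRAND_LABELS = ("Norton", "Geek Squad", "Best Buy")   # assumed brands to protect


def canonicalize(text):
    """Fold text into a form where look-alike spellings of the same word compare equal."""
    text = unicodedata.normalize("NFKD", text)                       # full-width, ligatures, accents
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accent marks
    text = text.lower().translate(LOOKALIKES)                        # digits/symbols -> letters
    return re.sub(r"[^a-z]", "", text)                               # remove spacing/punctuation tricks


# Brands are canonicalized with the same function so the i/l folding applies to both sides.
CANONICAL_BRANDS = {canonicalize(b): b for b in BRAND_LABELS}


def naive_brand_hits(text):
    """Literal check a simple blocklist does: lowercase and look for the brand string."""
    low = text.lower()
    return [b for b in BRAND_LABELS if b.lower() in low]


def brand_hits(text):
    """Look-alike-aware check: canonicalize the text, then substring-match canonical brands."""
    canon = canonicalize(text)
    return [label for key, label in CANONICAL_BRANDS.items() if key in canon]


if __name__ == "__main__":
    for sample in ("N0RT0N PR0TECTI0N renewal", "Géék Squad order receipt", "ＮＯＲＴＯＮ"):
        print(f"{sample!r}: naive={naive_brand_hits(sample)} aware={brand_hits(sample)}")
```

A brand match on its own is not a verdict: legitimate mail mentions these names constantly. The canonical hit is a feature to combine with the sender domain and the absence of links, not a block rule by itself.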

Nobody Home

In both cases, the Armorblox research team called the number provided, from
a disposable Google Voice endpoint, only to find that the scam numbers had
been deactivated.

“The technique here matters as much as (if not more than) the outcome,”
Iyer said. “If the number here was taken down, it’s very easy for the
attackers to stand up another number and repeat the attack flow, because
they know the email is getting past traditional email-security controls.”

He added that one social-engineering aspect that leads to success for this
type of campaign is the context of the attacks. They “replicate workflows
that already exist in our daily lives (ordering subscriptions and services
online),” he explained. “When we see emails we’ve already seen before, our
brains tend to employ System 1 thinking and take quick action.”

How to Avoid Becoming a Vishing Victim

Vishing is certainly not new – last year for example, a similar campaign
made the rounds with emails purporting to communicate about an Amazon
delivery order. They included a phone number for the “Fraud Protection
Team” to call in case the order was bogus.

“Vishing was used last year as part of the Twitter hack, where two
eighteen-year-olds gained the confidence of two Twitter employees and got
access to their systems to post fake tweets from various celebrities and
convinced 120 people to give up $1,000 of bitcoin to receive $2,000,” said
James McQuiggan, security awareness advocate at KnowBe4. “In this instance,
it is apparent that it is a two-prong attack — the first being phishing and
the second being vishing. Phishing is not always about clicking a link or
opening an attachment, but getting the victim to take an action they might
not otherwise take. The email appears believable, and they provide a phone
number which continues the confidence or social engineering scam against
the victim.”

However, vishing isn't as well-known as phishing, nor as common. To protect
against these scams, organizations should not only augment native email
security with additional controls, but also layer on employee training,
especially on engaging with familiar-seeming emails in a rational and
methodical manner.

“Subject the email to an eye test that includes inspecting the sender name,
sender email address, language within the email and any logical
inconsistencies within the email (e.g. Why is Geek Squad sending an email
to my work account, why are none of the CTA buttons in the email working,
etc.),” Iyer suggested.

If convinced the email may be legitimate, stay suspicious when calling the
number, and never give up credit-card details or other sensitive information
over the phone, he added. It's worth using a second channel: look up a
publicly available customer-service or billing number for the company in
question rather than dialing the one in the email.

“Users must educate themselves and remain aware of the latest scam emails
and trust but verify when it comes to billing or information requests,”
McQuiggan said. “Users should understand that they need to confirm
information through the actual website and avoid utilizing the information
within an email when prompted with an email.”