[BreachExchange] Hybrid phishing and vishing attacks imitate business workflows

Mon Jun 28 11:58:59 EDT 2021

https://www.scmagazine.com/home/security-news/phishing/hybrid-phishing-and-vishing-attacks-hunt-for-credit-card-info/

A new report shines a light on the malicious practice known as voice
phishing or vishing – a social engineering tactic that some cyber experts
say has only grown in prominence since COVID-19 forced employees to work
from home.

And in some instances the technique is being used to supplement email-based
phishing attempts.

“Vishing is one of the attacks that we’ve seen a huge surge in since
lockdown,” in part due to the increase in conversations that happen over
the phone or over Zoom, said report author Abhishek Iyer, director of
product marketing at Armorblox, in an interview with SC Media. Iyer
estimated that the number of vishing attacks have doubled since the
COVID-19 pandemic took hold in March of 2020. Indeed, some of these attacks
even leveraged the pandemic as a lure, to trick people into calling numbers
for coronavirus test results, he added.

Iyer also believes that the frequency emails sent from businesses and
employers related to password resets, security alerts, locked accounts,
order confirmations and invoices have increased during the pandemic as
well. “And so many of the attacks that we see try to replicate these
workflows,” because “we tend to act quicker on these.”

The report from Armorblox describes a pair of recently observed attacks in
which adversaries sent an email designed to fool recipients into calling
phone numbers staffed by a malicious actor who then perpetuates the scam
from there. A similar tactic was used recently by actors looking to spread
BazarBackdoor malware, but in this latest case, the purpose was to steal
credit card information.

This hybrid use of email and phone is a technique designed to avoid
actually placing malicious phishing URLs or attachments in emails, in order
to bypass email security solutions and spam filtering. For instance, both
of the attacks described by Armorblox reportedly bypassed Microsoft
security controls.

“The only payload here is a phone number, and phone numbers are not
something that the security community tracks and shares in a scalable
manner. I don’t know if it’ll ever be,” said Iyer. And because phone
numbers can be changed and reassigned, you often “don’t really know if a
phone number is legitimate or not.”

“It is apparent that it is a two-prong attack – the first being phishing
and the second being vishing,” said James McQuiggan, security awareness
advocate at KnowBe4, commenting on the report. “Phishing is not always
about clicking a link or opening an attachment, but getting the victim to
take an action they might not otherwise take. The email appears believable,
and they provide a phone number which continues the confidence or social
engineering scam against the victim.”

Both email attacks were sent from Gmail accounts, used a fake order
confirmation as a lure, and employed social engineering techniques such as
messaging that’s “carefully treading the line between vagueness and
urgency-inducing specificity,” Iyer wrote in the blog post.

One attack impersonated electronic retailer Best Buy’s Geek Squad division,
even using similar HTML stylings as the actual company in order to feign
authenticity. This attack informed recipients that they had been renewed
for an annual protection service at the cost of $358.46 – a sizable enough
fee to potentially trigger some victims to call the posted number before
recognizing that something is suspicious.

The other attack impersonated communications from Norton AntiVirus, but
using the digit zero instead of the letter O in order to trick
“deterministic filters or blocklists that check for brand names being
impersonated,” the blog post explains.

In both cases, Armorblox researchers discovered that the numbers listed in
the phishing/vishing emails had been disconnected. But it’s simply enough
for a new number to spring up just as quickly. According to Iyer, it’s
relatively easy and cheap for cybercriminals to set up this kind of scam. “
I don’t think there’s anything too sophisticated, he said. “Setting up a
Google Voice number is very easy. They email attack doesn’t even need to
have a URL, and attackers can be confident of launching these attacks at
scale and maybe they’ll make their way past inboxes.”

In his blog post, Iyer recommends that user organizations protect
themselves by bolstering native email security with additional controls, be
aware of social engineering cues, observe MFA and password management best
practices, and avoid sharing sensitive information over the phone.

“Always be sensitive when you’re talking to someone over the phone and
they’re asking you for data that sounds strange, especially if it’s someone
you have ever talked to before,” said Iyer. “We want to be polite over the
phone, so if someone asks us [for personal information], we won’t hang up
straight away. We’ll see what the call is about – there is a human being on
the end of the line, after all.”

Keep that politeness in check, he added, especially when someone is asking
you for account details.

“Users must educate themselves and remain aware of the latest scam emails,
and trust, but verify when it comes to billing or information requests,”
added McQuiggan. “Users should understand that they need to confirm
information through the actual website and avoid utilizing the information
within an email when prompted with an email.”

Email security company Tessian also conducted research last year showing
that 24% of IT leaders had experienced more vishing attacks once their
employees began working remotely between March and July 2020.

“I think data breaches are a significant contributor to the increase in
phone and email phishing,” said Charles Brook, threat intelligence
researcher at Tessian. “Breaches from major social media sites contain
aligned personal information like names, phone numbers and email addresses
for thousands of individuals. There is a good chance that cybercriminals
will be collating or joining up the information from various data breaches
to create an information-rich dataset of potential targets, in order to
make their scams as convincing as possible.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210628/f14422d3/attachment.html>